FoxyCart

  • Points – $250 per vulnerability
  • Partial safe harbor

Program stats

128 vulnerabilities rewarded

Validation within about 10 hours
75% of submissions are accepted or rejected within about 10 hours

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at FoxyCart. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Targets

In scope

  • api.foxycart.com (type: Other; tags: AWS, Bootstrap, jQuery, nginx, Amazon Cloudfront, API Testing)
  • https://admin.foxycart.com (type: Other; tags: jQuery, Modernizr, PHP)
  • https://foxycart-demo.foxycart.com (type: Other; tags: jQuery)
  • api-sandbox.foxycart.com (type: Other; tags: Bootstrap, jQuery, Newrelic)
  • *-bugcrowd.foxycart.com (read below for details) (type: Other)

No technology is perfect, and we at Foxy believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Our Open Source Libraries

We maintain a number of open source codebases at https://github.com/Foxy. Please ensure you've reviewed the section in "Exclusions" below about those packages before submitting.

Exclusions

While researching, we'd like to ask you to refrain from:

  • Denial of Service attempts
  • Spamming
  • Social engineering (including phishing) of Foxy staff or contractors
  • Any physical attempts against Foxy property or data centers

Thank you for helping keep Foxy.io/FoxyCart.com and our users safe!

Before You Begin

  1. Please read and follow the rules in HackerOne's Standard Disclosure Terms.
  2. Read Foxy.io’s Tips for Better Security Vulnerability Reports. Please do this.
  3. Review the "Out of Scope" section below.
  4. Please review the "Known Issues" below.

What, Where, and How to Test

At its simplest, FoxyCart works by adding products to a /cart endpoint via a GET or POST request. See our homepage for some examples.

To do more in-depth testing and create your own account:

  1. Create an account at https://admin.foxycart.com/signup/.
    • When creating your account, please use the string HackerOne in your first name, last name, or email address.
    • When creating your store's subdomain, please use the following format:
      • username-hackerone
      • Example yourHackerOneUsername-hackerone.foxycart.com.
  2. Test as desired. You can use the default Authorize.net gateway test account and the test credit card 4111 1111 1111 1111 to test successful transactions. Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.
  3. Create an API client at api-sandbox.foxycart.com or from the "integrations" page in the admin. The API uses OAuth 2.0, and can handle nearly every request that admin.foxycart.com can.

Please do not use automated scanners or aggressive scripts.

A Note about our Known Issues

We have recently moved to HackerOne from BugCrowd, so there may be issues that were previously reported and haven't yet been addressed, but aren't necessarily listed below. We take your time seriously and have updated the list below, but a number of previously reported low-importance/low-impact issues may not be fully covered by it.

Known Issues

We get a lot of notes about these, so they get their own section:

DROWN ATTACK NOTE: (2016-03-02)
Don't report that we're vulnerable to DROWN unless you can show an IP and domain that match what you're attempting, and that are actually vulnerable. The DROWN test tool isn't giving you the info you might think it's giving you.

BREACH Attack: Unless you can confirm our mitigation approach isn't sufficient, please do not report this.

DMARC, DKIM, or SPF records missing on domains or subdomains.

SSRF: Our cache endpoint (which caches images and is publicly accessible) and our template caching (available in the admin and via the API) make outbound GET requests. This is by design. Please do not report this as SSRF unless you can demonstrate access to internal or otherwise privileged resources.

Tabnabbing in general, unless there's a specific exploit that can be used by a real-world attacker.

Moving on…

The most important thing to note is how FoxyCart works. Please don't report the following behavior:

  • Products can be added via a GET or POST, and a product's name, price, or other options can be modified. This is by design. We designed our system for flexibility, and there is a way to protect add-to-cart links and forms (the HMAC signing functionality referred to under "Cart and Checkout issues" below).
  • These requests can be submitted to SSL from a non-SSL page.
  • The templates (cart, checkout, receipt, email) and some language strings can include whatever JavaScript the user would like. Again, this flexibility is by design.

The following finding types are specifically excluded from the bounty:

  • General issues:

    • Self-XSS and issues exploitable only through Self-XSS.
    • Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
    • SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
    • Clickjacking headers not present on some of our subdomains.
    • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
    • CSRF on forms that are available to anonymous users (e.g. the contact form, search form).
    • Presence of application or web browser 'autocomplete' or 'save password'.
    • Disclosure of known public files or directories, (e.g. robots.txt).
    • Banner disclosure on common/public services.
    • No Strict Transport Security (HSTS) headers set.
    • Normal OPTIONS responses.
    • Some domains do not have proxy protection.
    • cache.php will cache/load images from 3rd-party domains. This is by design. (See the note about SSRF above.)
    • Some forms do not have rate limiting / brute-force protections. (Please don't automate a ton of contact forms or anything.)
    • Lookalike domains exist that we don't own or are unregistered.
  • Admin-related issues:

    • NEW: Email can be changed without validating the existing password.
    • 3rd-party scripts are loaded within the admin.
    • Account creation at admin.foxycart.com does not have captcha or email validation.
    • Admin email changes happen without confirmation.
    • Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user, but you'll still get a 200 response. Also, we do IP-based blocking in certain other cases.)
    • Login Page / Forgot Password page messaging, account brute force, or account lockout not enforced. (Again, there's enforcement in some areas, and we're aware of others already.)
    • There's no maximum password length. This is not a DoS issue.
    • Password resets...
      • Indicate whether an account exists or not.
      • Don't generate an additional email to the admin user.
      • Are sent via a link that's Base64 encoded.
      • That link shows in the referrer header when loaded in the Foxy admin.
    • Admin sessions are not invalidated on… certain events. In the situations where sessions aren't invalidated, this is a known issue. (Similarly, we don't support MFA yet, and don't have robust "suspicious" login detection. We're working on that.)
    • Admin does not require re-authentication on certain actions.
    • Logout Cross-Site Request Forgery (logout CSRF).
    • Clickjacking is possible in certain old browsers that don't support the X-Frame-Options header but do support TLSv1.1+.
    • There exists an edge case where it's possible to change an admin password without providing the original password. We are aware and working to diagnose. (If you can reliably reproduce, that'd be a valid submission. Otherwise it's a known issue.) (There exists another way to do this that we can reproduce, related to the password reset email URL. This is a known issue.)
    • Generated CSVs may allow for Excel-specific functions to be output.
    • RC4 encryption is used in legacy webhook systems.
    • CORS or other related issues with non-foxycart.com or non-foxy.io subdomains. For instance, *.zoho.com cookies aren't something we control.
  • Cart and Checkout issues:

    • Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
    • Cart requests do not require CSRF or have other protection (aside from the HMAC signing mentioned above).
    • The ability to modify product parameters in a link or form, if the account has the HMAC signing functionality disabled. (Again, as mentioned above.)
    • Clickjacking headers (and/or other mitigating precautions) not present on some of our subdomains.
    • The session-specific referrer header can be manipulated, and is output to customers in certain situations.
    • Password resets (and customer logins) indicate whether an account exists or not.
    • It's possible to create a duplicate customer account with an existing email under very specific circumstances.
  • Networking and infrastructure:

    • Host Header injection/modification/redirects. We're aware.
    • It's possible to reveal an internal IP address if you modify a redirected request. This is an AWS ELB/ALB thing, and the IP revealed is not one of ours.
  • Public Disclosure of User Credentials:

    • Note that we can't promise we'll reward for submissions about API keys or other tokens our users might have publicly exposed in GitHub, Pastebin, etc. We appreciate these submissions, especially if it's for a live/production account, and we may reward, but we can't promise it.
  • Open Source Codebases:

    • NPM version-specific security issues that are already patched, but aren't yet patched/updated in our repository. These happen too frequently for us to reward on, and GitHub notifies us through their systems.
    • Exploits that require an already compromised site, or a malicious webmaster.
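Both the design note above (products are added via GET or POST, with a protection available for links and forms) and the "Cart and Checkout issues" item about HMAC signing refer to signed add-to-cart parameters. The following is an added example, not FoxyCart's own code or signing format: it shows a constructed HMAC scheme in which the merchant signs the fields it wants locked and the cart rejects a request whose price was altered or whose signature was dropped. The locked field set, the message layout, the `sig_<field>` parameter names and the store secret are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed signing key for this example; a real store key is a secret.
STORE_SECRET = b"example-store-signing-key"

# Hypothetical choice of fields the merchant locks against client changes.
LOCKED_FIELDS = ("code", "name", "price")

def sign_field(secret: bytes, code: str, field: str, value: str) -> str:
    """HMAC-SHA256 binding one field value to the product code (constructed scheme)."""
    msg = f"{code}|{field}|{value}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def build_signed_link(secret: bytes, cart_url: str, product: dict) -> str:
    """Merchant side: emit an add-to-cart link with a signature per locked field."""
    params = dict(product)
    for field in LOCKED_FIELDS:
        params[f"sig_{field}"] = sign_field(secret, product["code"], field, product[field])
    return f"{cart_url}?{urlencode(params)}"

def verify_cart_request(secret: bytes, url: str) -> tuple:
    """Cart side: accept only if every locked field carries a valid signature."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    code = params.get("code")
    if code is None:
        return False, "missing product code"
    for field in LOCKED_FIELDS:
        value, sig = params.get(field), params.get(f"sig_{field}")
        if value is None or sig is None:
            return False, f"{field} is unsigned"
        expected = sign_field(secret, code, field, value)
        # Constant-time comparison; encode so a non-ASCII value cannot raise.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, f"{field} was tampered with"
    return True, "ok"

def tamper(url: str, field: str, new_value: str) -> str:
    """Rewrite one query parameter, as any client could before submitting."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[field] = new_value
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(params)}"

if __name__ == "__main__":
    # Constructed product and store URL for the demonstration.
    product = {"code": "SKU-1", "name": "Widget", "price": "19.99", "quantity": "1"}
    link = build_signed_link(STORE_SECRET, "https://example-store.foxycart.com/cart", product)
    print(verify_cart_request(STORE_SECRET, link))  # (True, 'ok')
    print(verify_cart_request(STORE_SECRET, tamper(link, "price", "0.01")))  # (False, 'price was tampered with')
```

Unlocked fields such as quantity still pass verification after modification, which is the intended flexibility; only the fields the merchant chose to sign are protected.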

A Note about XSS

Please note: If you've identified an XSS issue (especially on our www site), please make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS, and an invalid submission.

A Note about CSRF

If you're reporting a CSRF issue and your POC includes the CSRF token, we will assume that you don't understand what CSRF issues are, nor how CSRF prevention works. Please, please don't report a CSRF vulnerability if your POC includes the CSRF token. (If you can get the CSRF token from a victim, show that.) We know everybody starts somewhere, and everybody can overlook things when submitting reports, but we see this one more often than we'd like :)

Out of Scope: Other *.foxycart.com or *.foxy.io Domains

Foxy customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself. Please don't test our users.

For vulnerabilities found at the following subdomains, we make a distinction between the underlying system and our own modifications. For example, we use Dokuwiki for our wiki. If you find a security issue in our implementation of Dokuwiki, that may be valid and eligible for a reward from us. But an issue with Dokuwiki itself should be reported to them.

Note also that some of these domains are on shared hosts, or other environments we don't control. As such, certain ports may be open and/or services accessible. We don't necessarily control infrastructure for all of these domains, so feel free to report, but we'll most likely mark reports as informative unless it's something we actually have control over.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.