| Scope Type | Scope Name |
| --- | --- |
| web_application | *-bugcrowd.foxycart.com (read below for details) |
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at FoxyCart. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
| Target name | Type |
| --- | --- |
| api.foxycart.com | Other |
| <https://admin.foxycart.com> | Other |
| <https://foxycart-demo.foxycart.com> | Other |
| api-sandbox.foxycart.com | Other |
| *-bugcrowd.foxycart.com (read below for details) | Other |
We'd prefer you to focus on our new API.
At its simplest, FoxyCart works by adding products to a /cart endpoint via a POST request. Click here for some examples. Click through to the secure payment page to see that.
To do more in-depth testing and create your own account:
Create an account at https://admin.foxycart.com/signup/.
When creating your store's subdomain, please use the following format:
4111 1111 1111 1111 can be used to test successful transactions. Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.
Please do not use automated scanners or aggressive scripts.
admin.foxycart.com isn't sufficient, please do not report this.
Our cache endpoint (which caches images and is publicly accessible) and our template caching (available in the admin) make outbound GET requests. This is by design. Please do not report this as SSRF unless you can demonstrate access to internal or otherwise privileged resources.
The most important thing to note is how FoxyCart works. Please don't report the following behavior:
Products are added to the cart via POST, and a product's price or other options can be modified. This is by design. We designed our system for flexibility, and there is a way to protect add-to-cart links and forms. These requests can be submitted to SSL from a non-SSL page.
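The brief says price and other options in the add-to-cart POST are client-controlled by design, and that merchants have a way to protect their links and forms without describing it. The following is an added illustration, not FoxyCart's own code or its actual protection mechanism: it assumes the common approach of having the merchant's server sign the protected fields with an HMAC and having the cart reject a POST whose tag does not match. The secret, product and field names are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret for this example only; a real store keeps its secret server-side.
STORE_SECRET = b"example-store-secret-not-real"

# Fields the merchant sets and a shopper must not be able to change. Quantity is
# deliberately left out: the shopper is expected to choose it.
PROTECTED_FIELDS = ("name", "code", "price")


def sign_fields(fields, secret=STORE_SECRET):
    """HMAC-SHA256 over the protected fields in a fixed order, so that
    reordering the form body cannot change the tag."""
    canonical = "&".join(f"{k}={fields[k]}" for k in PROTECTED_FIELDS)
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def unsigned_add_to_cart_body(product, quantity=1):
    """The by-design case: a plain form body where every field, price
    included, is under the shopper's control."""
    body = {k: product[k] for k in PROTECTED_FIELDS}
    body["quantity"] = quantity
    return urlencode(body)


def signed_add_to_cart_body(product, quantity=1, secret=STORE_SECRET):
    """Server-side rendering of a protected form: same fields plus a tag."""
    body = {k: product[k] for k in PROTECTED_FIELDS}
    body["quantity"] = quantity
    body["sig"] = sign_fields(body, secret)
    return urlencode(body)


def verify_cart_post(body, secret=STORE_SECRET):
    """Cart side: accept the POST only if the tag matches the protected fields.
    Returns (accepted, parsed_fields)."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if "sig" not in fields or any(k not in fields for k in PROTECTED_FIELDS):
        return False, fields
    expected = sign_fields(fields, secret)
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(expected, fields["sig"]), fields


def modify_field(body, field, new_value):
    """Simulate a shopper editing one field of a form body before it is posted."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    fields[field] = new_value
    return urlencode(fields)


if __name__ == "__main__":
    product = {"name": "Widget", "code": "W-1", "price": "19.99"}  # constructed sample
    good = signed_add_to_cart_body(product, quantity=2)
    print("genuine form accepted:", verify_cart_post(good)[0])
    print("price edited, accepted:", verify_cart_post(modify_field(good, "price", "0.01"))[0])
    print("quantity edited, accepted:", verify_cart_post(modify_field(good, "quantity", "5"))[0])
    print("tag stripped, accepted:", verify_cart_post(unsigned_add_to_cart_body(product))[0])
```

The design point is which fields go into the tag: signing price and product code makes a modified price detectable, while leaving quantity unsigned keeps the flexibility the brief describes. A form posted without the tag is simply rejected, which is what distinguishes a protected store from the default behaviour the program asks researchers not to report.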
The following finding types are specifically excluded from the bounty:
admin.foxycart.com does not have captcha or email validation.
Requests to /cart are possible from http. (http->https MITM attack vector.)
Please note: if you've identified an XSS issue on our www site, make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS and an invalid submission.
FoxyCart customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself.
Vulnerabilities found at the following subdomains will be passed along to the vendors/creators, and may be eligible for kudos or stickers, but no cash rewards. Please don't report issues with account login, SSL, CSRF, clickjacking, or any of the above noted known issues. For issues with the system and not our implementation, please report directly to the company responsible for it.
xmlrpc file accessible. We're aware.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.