We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at FoxyCart. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
Target name | Type
---|---
api.foxycart.com | Other
<https://admin.foxycart.com> | Other
<https://foxycart-demo.foxycart.com> | Other
api-sandbox.foxycart.com | Other
*-bugcrowd.foxycart.com (read below for details) | Other
We'd prefer you to focus on our new API.

At its simplest, FoxyCart works by adding products to a `/cart` endpoint via a `GET` or `POST` request. Click here for some examples. Click through to the secure payment page to see that.
To do more in-depth testing and create your own account:

- Create an account at https://admin.foxycart.com/signup/.
- When creating your store's subdomain, please use the following format: `username-bugcrowd`. Example: `bugcrowd_01-bugcrowd.foxycart.com`.
- Use the test card number `4111 1111 1111 1111` to test successful transactions.

Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.

Please do not use automated scanners or aggressive scripts.
admin.foxycart.com isn't sufficient, please do not report this.

The `cache` endpoint (which caches images and is publicly accessible) and our template caching (available in the admin) make outbound GET requests. This is by design. Please do not report this as SSRF unless you can demonstrate access to internal or otherwise privileged resources.

Moving on…
The most important thing to note is how FoxyCart works. Please don't report the following behavior:

- Products are added to the cart via `GET` or `POST`, and a product's `name`, `price`, or other options can be modified. This is by design. We designed our system for flexibility, and there is a way to protect add-to-cart links and forms.
- These requests can be submitted to SSL from a non-SSL page.

The following finding types are specifically excluded from the bounty:

- `admin.foxycart.com` does not have captcha or email validation.
- Requests to `/cart` are possible from http (http->https MITM attack vector).
- `OPTIONS` responses.

Please note: if you've identified an XSS issue on our www site, make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS and an invalid submission.
FoxyCart customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself.
Vulnerabilities found at the following subdomains will be passed along to the vendors/creators, and may be eligible for kudos or stickers, but no cash rewards. Please don't report issues with account login, SSL, CSRF, clickjacking, or any of the above noted known issues. For issues with the system and not our implementation, please report directly to the company responsible for it.

- `xmlrpc` file accessible. We're aware.

This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Scope Type | Scope Name |
---|---|
web_application | api.foxycart.com |
web_application | https://admin.foxycart.com |
web_application | https://foxycart-demo.foxycart.com |
web_application | api-sandbox.foxycart.com |
web_application | *-bugcrowd.foxycart.com (read below for details) |
This program can reward you in USD, up to $250.
FireBounty © 2015-2019