FoxyCart

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at FoxyCart. Every day new security issues and attack vectors are created. FoxyCart strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Targets

In scope

Target name | Type
---|---
api.foxycart.com | Other
<https://admin.foxycart.com> | Other
<https://foxycart-demo.foxycart.com> | Other
api-sandbox.foxycart.com | Other
*-bugcrowd.foxycart.com (read below for details) | Other

Before You Begin

1. Please read and follow the rules in the Standard Disclosure Terms.
2. Review the "Out of Scope" section below.
3. Please review the "Known Issues" below.

We'd prefer you to focus on our new API.

What, Where, and How to Test

At it's simplest, FoxyCart works by adding products to a /cart endpoint via GET or POST request. Click here for some examples. Click through to the secure payment page to see that.

To do more in-depth testing and create your own account:

1. Create an account at https://admin.foxycart.com/signup/.

   • When creating your account, please use the following format:
   • bugcrowd username @bugcrowdninja.com
   • Example bugcrowd_01@bugcrowdninja.com

   • When creating your store's subdomain, please use the following format:

   • userame-bugcrowd

   • Example bugcrowd_01-bugcrowd.foxycart.com.

   • Test as desired. You can use the default Authorize.net gateway test account and the test credit card 4111 1111 1111 1111 to test successful transactions. Full documentation is available at wiki.foxycart.com, and there's a quick cheat sheet as well.
   • Create an API client at api-sandbox.foxycart.com. The API uses Oauth 2.0, and can handle nearly every request that admin.foxycart.com can.

Please do not use automated scanners or aggressive scripts.

DO NOT REPORT Known Issues & False Positives

• DROWN ATTACK NOTE: (2016-03-02) Don't report that we're vulnerable to DROWN unless you can show an IP and domain that match what you're attempting, and that are actually vulnerable. The DROWN test tool isn't giving you the info you might think it's giving you.
• BREACH Attack: Unless you can confirm our mitigation approach at admin.foxycart.com isn't sufficient, please do not report this.
• Session persistence after logout. If you believe you can reuse a logged in cookie after a logout, please confirm you can replicate it. This has been reported a few times in error, so we'll need a screencast, details of the requests/responses, AND confirmation that you've been able to replicate it (with detailed steps) before we will spend time attempting to reproduce this.
• SSRF: Our cache endpoint (which caches images and is publicly accessible) and our template caching (available in the admin) make outbound GET requests. This is by design. Please do not report this as SSRF unless you can demonstrate accessing internal or otherwise privileged access.

Moving on…

The most important thing to note is how FoxyCart works. Please don't report the following behavior:

• Products can be added via a GET or POST, and a product's name, price, or other options can be modified. This is by design. We designed our system for flexibility and there is a way to protect add-to-cart links and forms. These requests can be submitted to SSL from a non-SSL page.
• The templates (cart, checkout, receipt, email) can include whatever javascript the user would like. Again, this flexibility is by design.

The following finding types are specifically excluded from the bounty:

• Account creation at admin.foxycart.com does not have captcha or email validation.
• Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user.)
• Login Page / Forgot Password page messaging, account brute force, or account lockout not enforced.
• Some forms do not have rate limiting / brute-force protections. (Please don't automate a ton of contact forms or anything.)
• Admin session is not invalidated on password reset. (Highlighted because this comes up a lot. Please see the note above.)
• Admin sessions are not invalidated on… email change, logout, or other actions.
• Admin login does not support MFA.
• Admin does not require re-authentication on certain actions.
• Logout Cross-Site Request Forgery (logout CSRF).
• Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
• Self-XSS and issues exploitable only through Self-XSS.
• Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
• SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
• Clickjacking headers not present on some of our subdomains.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• CSRF on forms that are available to anonymous users (e.g. the contact form, search form).
• Presence of application or web browser 'autocomplete' or 'save password'.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Banner disclosure on common/public services.
• No Strict Transport Security (HSTS) headers set.
• Normal OPTIONS responses.
• DMARC, DKIM, or SPF records missing on domains or subdomains.
• Password resets and admin signup process indicate whether an account exists or not.
• Password resets are not rate limited.
• Password reset links: Base64 decoding reveals details.
• Password reset links are GETs and show in the referrer headers.
• Host Header validation/injection, unless you have a demonstrable exploit. (Please don't submit host header redirection issues.)

A Note about XSS

Please note: If you've identified an XSS issue on our www site, make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self- XSS, and an invalid submission.

Out of Scope: Other *.foxycart.com Domains

FoxyCart customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself.

Vulnerabilities found at the following subdomains will be passed along to the vendors/creators, and may be eligible for kudos or stickers, but no cash rewards. Please don't report issues with account login, SSL, CSRF, clickjacking, or any of the above noted known issues. For issues with the system and not our implementation, please report directly to the company responsible for it.

• forum.foxycart.com uses Vanilla
• www.foxy.io uses Wordpress. Please do not submit that we have the xmlrpc file acessible. We're aware.
• wiki.foxycart.com uses Dokuwiki
• affiliate.foxycart.com uses iDevAffiliate

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.