Form manipulation and add to cart from multiple websites

freshjones
in Help edited December 2017
we have seen some strange behavior on our FC site on 3 different occasions now, where a line item is added to the cart that has all the parameters of product A, BUT with the title of product B. This is weird because it appears like the customer either started ordering product A but somehow product B's title got mismatched, OR customer wanted product B but also wanted product A's configuration options and thus figured out a way (form manipulation) to order product A's options but replace the title with product B.

Form manipulation is our leading theory, but it's odd that this has happened 3 times with 3 different customers, 3 diff ip addresses, cc nums etc. Also maybe I'm naive but I didn't think the average ecommerce shoppers were savvy enough or sneaky enough to figure out how to manipulate a hidden form field in that way, once in a while yes, but it's happened 3 times already this month.

So we are going to put some things in place that will *hopefully* stop the form manipulation bits, but I also wondered if it was theoretically possible to send add-to-cart requests from multiple websites beyond our own? What if someone were to scrape our site in some manner and allow items to be added to the cart and orders to be placed from a website that is not ours? Is this possible or is FC safeguarded against this in some way? E.g. adding items can ONLY happen if the request comes from or from a certain ip address?

thanks for any insight you might have!

  brett
    Hi @freshjones. If you whisper me some transaction IDs, we could take a look at the logs to see if we can glean anything.

    To your question about security, the link/form signing is the best way to protect against that. You could also use the pre-payment webhook to do some validation, but the link/form signing would be the best approach.

    Are you doing anything fancy with your add-to-cart forms? It sounds like there may be something there (like if you're using javascript to modify the form, perhaps there's a way to get things to goof up a bit).
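The "link/form signing" brett recommends is the standard defence against hidden-field tampering: every product value the page renders is accompanied by an HMAC computed with a secret that only the server holds, so a cart request whose title (or price) no longer matches its signature can be rejected. The following is an added illustration of that mechanism, not FoxyCart's own code, and its `code|name|value` message layout, the `name||signature` field naming and the `SECRET` value are constructed assumptions for the demo rather than FoxyCart's actual scheme:

```python
import hmac
import hashlib

# Constructed demo secret; in production this lives only on the server side.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed sample product, standing in for "product A" in the thread.
PRODUCT_A = {
    "code": "PROD-A",
    "name": "Product A",
    "price": "49.00",
    "quantity": "1",
}


def sign_value(code, name, value, secret=SECRET):
    """HMAC-SHA256 over the product code, field name and value (assumed layout)."""
    message = f"{code}|{name}|{value}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_signed_form(fields, secret=SECRET):
    """Return the hidden fields the page would render as {name||sig: value}.

    Each field's signature is bound to the product code, so values from one
    product cannot be combined with the title of another.
    """
    code = fields["code"]
    return {
        f"{name}||{sign_value(code, name, value, secret)}": value
        for name, value in fields.items()
    }


def verify_submission(submitted, secret=SECRET):
    """Server-side check of a posted form.

    Returns (ok, tampered) where tampered lists the field names whose
    signature does not match the submitted value.
    """
    code = None
    for key, value in submitted.items():
        if key.split("||", 1)[0] == "code":
            code = value
    if code is None:
        return False, ["code"]

    tampered = []
    for key, value in submitted.items():
        if "||" not in key:
            tampered.append(key)  # unsigned field: not produced by our page
            continue
        name, sig = key.split("||", 1)
        expected = sign_value(code, name, value, secret)
        # Constant-time comparison avoids leaking the signature via timing.
        if not hmac.compare_digest(sig, expected):
            tampered.append(name)
    return (not tampered), tampered


def swap_title(signed_form, new_title):
    """Simulate the symptom from the thread: product A's fields with another title."""
    changed = dict(signed_form)
    for key in list(changed):
        if key.split("||", 1)[0] == "name":
            changed[key] = new_title
    return changed


if __name__ == "__main__":
    form = build_signed_form(PRODUCT_A)
    print("untouched form:", verify_submission(form))      # (True, [])
    print("title swapped: ", verify_submission(swap_title(form, "Product B")))  # (False, ['name'])
```

Note what signing does and does not cover: it detects any change to a signed value, which is exactly the "product A options with product B's title" case, and it blocks fields that were never signed at all. It does not stop a third-party page from reposting a complete, unmodified signed form it has scraped, since those values are still legitimately signed; that is why origin or IP checks on the cart are a weaker control than tying each value to the server secret, and why the pre-payment validation brett mentions is a useful second layer.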
    Thanks for the extra info regarding what page the product was added to cart from, that was extremely helpful information and it turned out to be a bug on our end and not form manipulation at all.

    I wonder if it's possible to get the originating page data from within FoxyCart admin logs? That would be really great info to have access to when trying to resolve issues or review a particular line item.

    thanks again!
  fc_adam

    Good question - we don't currently expose the originating pages as part of the logs within our administration. Something we could certainly consider in the future as we make improvements there.
