xmall
Cart endpoints allow cross-account modifications
- **Critical – Cart endpoints allow cross-account modifications**: Every `/member/*cart*` action takes a request body with a `userId` and trusts it. A logged-in attacker can supply another user's id to read or alter their cart contents.
```java
// Controller excerpt: each /member/*cart* action reads userId from the
// client-supplied request body and passes it straight to the service.
public Result<Object> addCart(@RequestBody Cart cart){
    // cart.getUserId() is attacker-controlled; it is never compared with the logged-in user
    int result=cartService.addCart(cart.getUserId(),cart.getProductId(),cart.getProductNum());
    return new ResultUtil<Object>().setData(result);
}
public Result<List<CartProduct>> getCartList(@RequestBody Cart cart){
    List<CartProduct> list=cartService.getCartList(cart.getUserId());
    return new ResultUtil<List<CartProduct>>().setData(list);
}
// ... existing code ...
public Result<Object> delChecked(@RequestBody Cart cart){
    cartService.delChecked(cart.getUserId());
    return new ResultUtil<Object>().setData(null);
}
```
```java
// Service excerpt: the Redis hash key is built directly from the forwarded
// userId, so the service has no way to tell whose cart it is touching.
public int addCart(long userId, long itemId, int num) {
    Boolean hexists = jedisClient.hexists(CART_PRE + ":" + userId, itemId + "");
    // no ownership validation
    // ... existing code ...
}
public List<CartProduct> getCartList(long userId) {
    List<String> jsonList = jedisClient.hvals(CART_PRE + ":" + userId);
    // ... existing code ...
}
// ... existing code ...
public int deleteCartItem(long userId, long itemId) {
    jedisClient.hdel(CART_PRE + ":" + userId, itemId + "");
    return 1;
}
```
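A hardened version of the same controller pattern, added here as an example and not taken from xmall: the user id comes from server-side authentication state instead of the request body, and a body `userId` that disagrees with it is logged as a probe. The request attribute name `authUserId`, the interceptor that sets it, and the endpoint paths are assumptions; `Result`, `ResultUtil`, `Cart`, `CartProduct` and `CartService` are the project types from the excerpt above.

```java
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
// Project types Result, ResultUtil, Cart, CartProduct, CartService: imports omitted.

// Added example, not xmall's code. Assumption: an authentication interceptor
// has already validated the member token and stored the member id as a Long
// in the request attribute "authUserId" before this controller runs.
@RestController
public class CartControllerHardened {

    private static final Logger log = Logger.getLogger("cart");
    private static final String AUTH_USER_ATTR = "authUserId";

    private final CartService cartService;

    public CartControllerHardened(CartService cartService) {
        this.cartService = cartService;
    }

    // Resolve the caller from server-side state only. A legitimate client never
    // sends another member's id, so a body/auth mismatch is worth alerting on.
    private long currentUserId(HttpServletRequest req, Cart body) {
        Object attr = req.getAttribute(AUTH_USER_ATTR);
        if (!(attr instanceof Long)) {
            throw new IllegalStateException("unauthenticated"); // map to HTTP 401 in an exception handler
        }
        long authId = (Long) attr;
        Long bodyId = body == null ? null : body.getUserId();
        if (bodyId != null && bodyId != authId) {
            log.warning("cart userId mismatch: auth=" + authId + " body=" + bodyId);
        }
        return authId; // the client-supplied value is never used
    }

    @PostMapping("/member/getCartList") // path assumed
    public Result<List<CartProduct>> getCartList(HttpServletRequest req, @RequestBody Cart cart) {
        List<CartProduct> list = cartService.getCartList(currentUserId(req, cart));
        return new ResultUtil<List<CartProduct>>().setData(list);
    }

    @PostMapping("/member/delChecked") // path assumed
    public Result<Object> delChecked(HttpServletRequest req, @RequestBody Cart cart) {
        cartService.delChecked(currentUserId(req, cart));
        return new ResultUtil<Object>().setData(null);
    }
}
```

The same `currentUserId` helper applies to `addCart` and `deleteCartItem`; the mismatch log line gives the SOC a direct signal for cross-account cart probing.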
PoC
We will use `getCartList` as an example.
Step 1: Log in and initialize the cart members
Navigate to the mall page and register two accounts, named "test" and "target1". Initially, you will notice that neither account has any shipping addresses. Proceed to add addresses for both accounts. During this process, you can view the complete HTTP requests in Burp Suite. The `userId` of the "test" account is 62.
```json
{"success":true,"message":"success","code":200,"timestamp":1762180070718,"result":{"id":62,"username":"test","phone":null,"email":null,"sex":null,"address":null,"file":"http://img.exrick.cn/1747574689007.png","description":null,"points":null,"balance":null,"state":1,"token":"55332ff7-2d78-44db-b8e4-8e74b252f44d","message":null}}
```
The cartList of "test" is empty.
The `userId` of the "target1" account is 4884.
```json
{"success":true,"message":"success","code":200,"timestamp":1762180705236,"result":{"id":4884,"username":"target1","phone":null,"email":null,"sex":null,"address":null,"file":null,"description":null,"points":null,"balance":null,"state":1,"token":"2797e940-b046-412a-9ab8-bcf147926542","message":null}}
```
The cartList of "target1" contains "IPhone X".
Step 2: Intercept the request in Burp Suite and modify the `userId` parameter
Assume the "test" account acts as the attacker. Log in to the "test" account, intercept the `getCartList` request, and change `userId` to `4884`; the cartList returned to "test" now contains "IPhone X", which belongs to "target1".
I have received your email. Wishing you smooth work and a pleasant life.