Broken Access Control - Unauthorized Access to Other Users' Orders #100
Description
CVE-ID: CVE-2023-36331
Broken Access Control - Unauthorized Access to Other Users' Orders
Description
This issue is related to #98 and demonstrates the same security vulnerability.
Reproduction Steps
- Set up the environment as described in Cart endpoints allow cross-account modifications #98, and create "IPhone X" order by "target1" user.
- Log in with a test account
- Modify the
userIdparameter to"target1"in the request - Successfully retrieve the order list belonging to the
"target1"user
Vulnerability Details
Type: Broken Access Control (IDOR - Insecure Direct Object Reference)
Impact: Any authenticated user can access other users' order information by simply modifying the userId parameter, leading to:
- Privacy breach
- Unauthorized access to sensitive order data
- Potential data manipulation
Proof of Concept
As shown in the screenshot above, by manipulating the userId parameter, we successfully accessed orders belonging to another user (target1).
Expected Behavior
The system should:
- Validate that the requesting user has permission to access the specified orders
- Only return orders belonging to the authenticated user
- Return an authorization error (403 Forbidden) when attempting to access other users' data
Severity
High - This vulnerability allows any authenticated user to access sensitive information of other users.