Horizontal overreach #11

Open
aibot88 opened this issue Jan 18, 2025 · 0 comments
aibot88 commented Jan 18, 2025

Description

Several missing horizontal user checks are found in the current codebase.

Attack Vector

Even though the logged-in user is different, we can still use Attacker B to query the order owned by Victim A with the orderSn parameter. The other vulnerabilities share the same attack vector, except the last business logic vulnerability.

There is no limit on how many seats a user can occupy, so one logged-in user can occupy all the seats if the attacker wants.

Details

1. Horizontal Privilege Escalation: It is possible to query any user’s order based on the order number.
• [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L92)
2. Horizontal Privilege Escalation: It is possible to close any user’s order based on the order number.
• [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L194)
3. Horizontal Privilege Escalation: It is possible to close any user’s order based on the order number.
• [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L209)
4. Horizontal Privilege Escalation: It is possible to reverse any user’s order based on the order number.
• [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L247)
5. Horizontal Privilege Escalation: It is possible to view any sub-order based on the order number.
• [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderItemServiceImpl.java#L105)
6. Business Logic Vulnerability: There is no limit on locking any ticket seat multiple times.
• [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/ticket-service/src/main/java/org/opengoofy/index12306/biz/ticketservice/service/impl/SeatServiceImpl.java#L110)

These issues point to various horizontal privilege escalation vulnerabilities, where users can perform actions on other users’ data based on information like order numbers, and also a business logic flaw in the seat locking mechanism.
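The two patterns this report describes, an order lookup keyed only by orderSn with no ownership test, and seat locking with no per-user cap, are illustrated below beside their hardened forms. This is an added example, not code from the 12306 project or from the reporter; every name in it (HorizontalAccessDemo, OrderRecord, AccessDeniedException, MAX_SEATS_PER_USER, the sample order numbers and seat ids, and the hypothetical SQL predicate in the comment) is an assumption made for illustration, and the in-memory maps stand in for the project's database and Redis-backed seat state.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/*
 * Added illustration of the two kinds of missing checks reported in this issue:
 * (1) order operations keyed only by orderSn with no ownership test, and
 * (2) seat locking with no per-user cap. This is NOT code from the 12306
 * project; all names here (OrderRecord, AccessDeniedException, the sample
 * order numbers, MAX_SEATS_PER_USER) are hypothetical.
 */
public class HorizontalAccessDemo {

    /** Minimal stand-in for an order row: order number, owner, status. */
    record OrderRecord(String orderSn, String ownerUserId, String status) {}

    /** Thrown when a caller touches an order that is not theirs. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** In-memory stand-in for the order table, keyed by orderSn. */
    private final Map<String, OrderRecord> orders = new HashMap<>();

    HorizontalAccessDemo() {
        // Constructed sample data: Victim A and Attacker B each own one order.
        orders.put("SN-A-1001", new OrderRecord("SN-A-1001", "victimA", "PENDING"));
        orders.put("SN-B-2002", new OrderRecord("SN-B-2002", "attackerB", "PENDING"));
    }

    /** Vulnerable: any authenticated caller who knows an orderSn gets the row. */
    OrderRecord queryOrderVulnerable(String callerUserId, String orderSn) {
        return orders.get(orderSn);
    }

    /**
     * Hardened: the lookup is scoped to the caller. In a real DAO this predicate
     * belongs in the query itself (hypothetically: WHERE order_sn = ? AND user_id = ?),
     * and "not yours" is reported exactly like "does not exist" so the orderSn
     * space cannot be probed for other users' orders.
     */
    OrderRecord queryOrderChecked(String callerUserId, String orderSn) {
        OrderRecord rec = orders.get(orderSn);
        if (rec == null || !Objects.equals(rec.ownerUserId(), callerUserId)) {
            throw new AccessDeniedException("order not found");
        }
        return rec;
    }

    /** Close / reverse / sub-order reads all resolve the order through the scoped lookup first. */
    OrderRecord closeOrderChecked(String callerUserId, String orderSn) {
        OrderRecord rec = queryOrderChecked(callerUserId, orderSn);
        OrderRecord closed = new OrderRecord(rec.orderSn(), rec.ownerUserId(), "CLOSED");
        orders.put(orderSn, closed);
        return closed;
    }

    /** Hypothetical per-user cap on simultaneously locked seats. */
    static final int MAX_SEATS_PER_USER = 5;

    /** userId -> seat ids that user currently holds locked. */
    private final Map<String, Set<String>> seatLocks = new HashMap<>();

    /** Vulnerable: no cap, so one user can lock every seat on the train. */
    boolean lockSeatVulnerable(String userId, String seatId) {
        return seatLocks.computeIfAbsent(userId, k -> new HashSet<>()).add(seatId);
    }

    /** Hardened: refuse the lock once the caller already holds the cap. */
    boolean lockSeatChecked(String userId, String seatId) {
        Set<String> held = seatLocks.computeIfAbsent(userId, k -> new HashSet<>());
        if (held.contains(seatId)) return false;          // already locked by this user
        if (held.size() >= MAX_SEATS_PER_USER) return false;
        return held.add(seatId);
    }

    public static void main(String[] args) {
        HorizontalAccessDemo svc = new HorizontalAccessDemo();

        // Attacker B reads Victim A's order through the unscoped lookup.
        System.out.println("vulnerable lookup: " + svc.queryOrderVulnerable("attackerB", "SN-A-1001"));
        // The scoped lookup refuses the same request.
        try {
            svc.queryOrderChecked("attackerB", "SN-A-1001");
        } catch (AccessDeniedException e) {
            System.out.println("checked lookup refused: " + e.getMessage());
        }
        // The owner can still close their own order.
        System.out.println("owner close: " + svc.closeOrderChecked("victimA", "SN-A-1001"));

        // One user trying to grab 20 seats is stopped at the cap.
        int grabbed = 0;
        for (int i = 0; i < 20; i++) {
            if (svc.lockSeatChecked("attackerB", "seat-" + i)) grabbed++;
        }
        System.out.println("seats locked with cap: " + grabbed);
    }
}
```

The ownership predicate is placed in the lookup that every order operation calls, rather than in each controller, so that a new endpoint cannot forget it; the seat cap is shown as a fixed constant only for illustration, and the real limit would need to follow the project's own business rules for how many passengers one account may book.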
