- Class: Broken Object Level Authorization (BOLA)
- Severity: High
- CVSS: 7.5
- Endpoint: `GET /rest/basket/{id}`
Root Cause: The endpoint authenticates the request via JWT but never validates that the requested basket ID belongs to the authenticated user. Server blindly trusts the client-supplied path parameter.
Steps to Reproduce:

- Login as User1 and capture the JWT token; note `bid: 6` in the response.
- Send `GET /rest/basket/6` and confirm access to your own basket.
- Modify the request to `GET /rest/basket/2`.
- Observe `200 OK` returning another user's basket data.

Proof of Concept: Paste your actual requests from screenshots 2 and 3 and the response from screenshot 4.
Business Impact: Horizontal privilege escalation allowing any authenticated user to enumerate and access other users' basket data including purchase history and personal information.
Remediation: Validate server-side that the requested basket's owner ID matches the authenticated user's ID (taken from the verified JWT, not from the request) before returning data.
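As an added illustration of the remediation (example code written for this report, not the application's own handler), the vulnerable lookup beside its hardened form in a minimal Express-style handler; it assumes JWT middleware has already populated `req.user.id` and that each basket record stores its owner as `UserId` (field name is an assumption), with constructed sample data.

```javascript
// Constructed sample data: user 3 owns basket 6, user 1 owns basket 2.
const baskets = [
  { id: 2, UserId: 1, Products: ['Apple Juice'] },
  { id: 6, UserId: 3, Products: ['Banana Juice'] },
];

function findBasket(id) {
  return baskets.find((b) => b.id === id);
}

// Vulnerable: the only input to the lookup is the client-supplied path
// parameter, so any authenticated user can read any basket (BOLA).
function getBasketVulnerable(req) {
  const basket = findBasket(Number(req.params.id));
  if (!basket) return { status: 404, body: { error: 'Basket not found' } };
  return { status: 200, body: basket };
}

// Hardened: the basket must exist AND its owner must equal the user id from
// the verified JWT. Both failures return 404 so the response does not
// confirm whether another user's basket id exists (blunts enumeration).
function getBasketHardened(req) {
  const basket = findBasket(Number(req.params.id));
  if (!basket || basket.UserId !== req.user.id) {
    return { status: 404, body: { error: 'Basket not found' } };
  }
  return { status: 200, body: basket };
}

// Simulated request mirroring the report: User1 (id 3, owns basket 6)
// requests basket 2, which belongs to someone else.
const crossUserRequest = { user: { id: 3 }, params: { id: '2' } };
const ownRequest = { user: { id: 3 }, params: { id: '6' } };

console.log(getBasketVulnerable(crossUserRequest).status); // 200: leaks basket 2
console.log(getBasketHardened(crossUserRequest).status);   // 404: blocked
console.log(getBasketHardened(ownRequest).status);         // 200: own basket still works
```

The ownership check must sit in the handler or a shared authorization layer for every object-level route; authenticating the JWT alone never establishes who owns the object.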