Horizontal overreach #11

@aibot88

Description

Several missing horizontal user checks are found in the current codebase.

Attack Vector

Even though the logged-in user is different, we can still use Attacker B to query the order owned by Victim A with the orderSn parameter. The other vulnerabilities share the same attack vector, except the last business logic vulnerability. There is no limit on the seats a user can occupy, so one logged-in user can occupy all the seats if the attacker wants.

Details

1. Horizontal Privilege Escalation: It is possible to query any user’s order based on the order number.
   • [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L92)
2. Horizontal Privilege Escalation: It is possible to close any user’s order based on the order number.
   • [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L194)
3. Horizontal Privilege Escalation: It is possible to close any user’s order based on the order number.
   • [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L209)
4. Horizontal Privilege Escalation: It is possible to reverse any user’s order based on the order number.
   • [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderServiceImpl.java#L247)
5. Horizontal Privilege Escalation: It is possible to view any sub-order based on the order number.
   • [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/order-service/src/main/java/org/opengoofy/index12306/biz/orderservice/service/impl/OrderItemServiceImpl.java#L105)
6. Business Logic Vulnerability: There is no limit on locking any ticket seat multiple times.
   • [Link to code](https://gitee.com/nageoffer/12306/blob/main/services/ticket-service/src/main/java/org/opengoofy/index12306/biz/ticketservice/service/impl/SeatServiceImpl.java#L110)

These issues point to various horizontal privilege escalation vulnerabilities, where users can perform actions on other users’ data based on information like order numbers, and also a business logic flaw in the seat locking mechanism.
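The fix pattern for both classes of finding, as an added illustration (not code from the 12306 project, and not tied to its Java API): an order lookup scoped to the authenticated user, reused by every mutation on the order, and a seat-lock routine that refuses double locks and enforces a per-user cap. Class names, the `NotFound` error and the cap of 5 are constructed for the example.

```python
"""Ownership-scoped order access and a per-user seat-lock cap (added example)."""
from dataclasses import dataclass


@dataclass
class Order:
    order_sn: str
    owner_id: str
    status: str = "PENDING"


class NotFound(Exception):
    """Raised for missing orders and for orders owned by someone else alike."""


class OrderService:
    def __init__(self, orders):
        self._orders = {o.order_sn: o for o in orders}  # constructed in-memory store

    def query_order_unscoped(self, order_sn):
        # Vulnerable form: keyed on the order number only, so any logged-in
        # user can read (or, via the same lookup, modify) any user's order.
        return self._orders.get(order_sn)

    def query_order(self, current_user_id, order_sn):
        # Hardened form: the lookup is scoped to the caller. A mismatch is
        # reported exactly like a missing order, so the endpoint does not
        # confirm that another user's order number exists.
        order = self._orders.get(order_sn)
        if order is None or order.owner_id != current_user_id:
            raise NotFound(order_sn)
        return order

    def close_order(self, current_user_id, order_sn):
        # Every mutation (close, reverse, view sub-orders) goes through the
        # same scoped lookup, so the ownership check cannot be skipped.
        order = self.query_order(current_user_id, order_sn)
        order.status = "CLOSED"
        return order


class SeatService:
    MAX_LOCKED_PER_USER = 5  # constructed cap; pick one that fits the business

    def __init__(self):
        self._locks = {}  # seat_id -> user_id holding the lock

    def lock_seat(self, user_id, seat_id):
        if seat_id in self._locks:
            return False  # already held: no locking the same seat twice
        if sum(1 for u in self._locks.values() if u == user_id) >= self.MAX_LOCKED_PER_USER:
            return False  # cap reached: one account cannot hoard every seat
        self._locks[seat_id] = user_id
        return True
```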