#0106

Bulk Operation IDOR

Difficulty: Hard · +200 XP · OWASP A01:2021 Broken Access Control · CWE-639
Tags: BOLA · IDOR · Authorization · Bulk Operations

Scenario

An order management API exposes a bulk delete endpoint that accepts an array of order IDs. The handler deletes every ID in the list in a single operation.

The current implementation does not verify ownership for each order in the batch. An attacker can mix their own order IDs with IDs belonging to other users.

A single malicious request can silently delete other customers' orders by including foreign IDs alongside legitimate ones.

Bulk endpoints amplify IDOR risk. Knowing who the caller is, or checking only the first item, is not enough: every ID in the batch is a separate object reference and needs its own ownership check. One missing per-item check turns a single API call into mass deletion or exfiltration of resources belonging to other users.

Your Tasks

  1. Fix deleteOrders so it checks ownership for every order ID in the batch before deleting anything.
  2. Throw 'Forbidden' if any order in the list does not belong to the requesting user.
  3. Throw 'Not found' if any order ID does not exist.
  4. Return the array of deleted order IDs on success.

Examples

Example 1: Blocked — mixed owned/unowned IDs

deleteOrders('alice', ['order-alice-1', 'order-bob-1'], db)
// order-bob-1 belongs to bob
// → throws Error('Forbidden')

Example 2: Allowed — all owned IDs

deleteOrders('alice', ['order-alice-1', 'order-alice-2'], db)
// → returns ['order-alice-1', 'order-alice-2']

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw 'Forbidden' or 'Not found' before deleting anything — it must be atomic.
  • An empty orderIds array should return an empty array without error.
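The following is an added example, not the challenge's solution.js and not code from the original page. It places the vulnerable handler beside a fixed deleteOrders that satisfies the tasks and constraints above. The shape of `db` is an assumption: a Map from order ID to an order record `{ owner }` with synchronous get/delete, standing in for whatever store the real API uses. The sample orders are constructed for the example.

```javascript
// Added example: a vulnerable and a fixed deleteOrders side by side.
// Not the challenge's solution.js. The shape of `db` is an assumption:
// a Map from order ID to an order record { owner }, with synchronous
// get/delete, standing in for the real order store.

// Constructed sample data (not from the original page).
const SAMPLE_ORDERS = {
  'order-alice-1': { owner: 'alice', total: 42 },
  'order-alice-2': { owner: 'alice', total: 17 },
  'order-bob-1': { owner: 'bob', total: 99 },
};

// Fresh store per call so examples and tests do not share state.
function makeDb(orders = SAMPLE_ORDERS) {
  return new Map(Object.entries(orders).map(([id, o]) => [id, { ...o }]));
}

// VULNERABLE: trusts every ID in the batch. The caller is authenticated
// (userId is known) but never authorized per item, so IDs belonging to
// other users are deleted along with the caller's own.
function deleteOrdersUnsafe(userId, orderIds, db) {
  const deleted = [];
  for (const id of orderIds) {
    if (db.delete(id)) deleted.push(id);
  }
  return deleted;
}

// FIXED: two phases. Phase 1 validates every item and has no side effects,
// so a Forbidden / Not found anywhere in the batch leaves the store
// untouched. Phase 2 runs only after the whole batch has been authorized.
function deleteOrders(userId, orderIds, db) {
  const ids = [...new Set(orderIds)]; // a duplicated ID counts once

  // Phase 1: per-item existence and ownership checks, in list order.
  for (const id of ids) {
    const order = db.get(id);
    if (order === undefined) throw new Error('Not found');
    if (order.owner !== userId) throw new Error('Forbidden');
  }

  // Phase 2: every item passed; apply the deletes.
  const deleted = [];
  for (const id of ids) {
    db.delete(id);
    deleted.push(id);
  }
  return deleted;
}

// Runs a call and returns either its result or the thrown message, so the
// outcome of each attempt is a plain value rather than an exception.
function attempt(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  let db = makeDb();
  console.log('unsafe, mixed:', deleteOrdersUnsafe('alice', ['order-alice-1', 'order-bob-1'], db));
  console.log('bob still has order-bob-1?', db.has('order-bob-1')); // false: mass deletion

  db = makeDb();
  console.log('fixed, mixed:', attempt(() => deleteOrders('alice', ['order-alice-1', 'order-bob-1'], db)));
  console.log('alice still has order-alice-1?', db.has('order-alice-1')); // true: nothing deleted
  console.log('fixed, owned:', attempt(() => deleteOrders('alice', ['order-alice-1', 'order-alice-2'], db)));
}
```

Two caveats for a real service. First, the check-then-delete split is atomic here only because the Map is in-process and synchronous; against a database, run both phases in one transaction, or issue a single `DELETE ... WHERE owner = <user> AND id IN (...)` and compare the affected row count with the batch size, rolling back on a mismatch, so no window opens between the check and the delete. Second, the task's two distinct errors let an authenticated caller tell an order that exists but belongs to someone else ('Forbidden') from one that does not exist ('Not found'), which is enough to enumerate valid order IDs; many APIs deliberately answer both cases with the same not-found response.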
