#0203

Price Manipulation

Medium · +100 XP · A08:2021 Software and Data Integrity Failures · CWE-915
Mass Assignment · Business Logic · E-Commerce

Scenario

Your e-commerce checkout API accepts an order object from the client that includes productId, quantity, and — dangerously — price. The order handler trusts the client-supplied price instead of looking up the authoritative value from the product catalog.

An attacker intercepts the checkout request and sets price to 0.01, buying any item for a single cent. The server dutifully computes a total of 0.01 × quantity and charges that amount.

Client-side price tampering costs businesses real revenue. It is a standard finding in bug-bounty programmes and one of the business-logic flaws that has caused substantial losses at real retailers. The root cause is mass assignment: the handler binds every field of the client object to the order, including one (price) that only the server is entitled to set.

Your Tasks

  1. Fix createOrder so that the unit price is always taken from the catalog, never from orderData. Throw 'Product not found' if the productId does not exist in the catalog.

Examples

Example 1: Price manipulation blocked

createOrder('u1', { productId: 'p1', quantity: 1, price: 0.01 }, catalog)
// returns { unitPrice: 99.99, total: 99.99 }

Constraints

  • Throw exactly 'Product not found' when productId is absent from the catalog
  • Return { userId, productId, quantity, unitPrice, total } using the catalog price
  • orderData.price must be ignored entirely
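The vulnerable handler beside a hardened one, as an added example (not the challenge's solution file or any project's code). The catalog and the tampered request are constructed sample data; the quantity check, the integer-cents arithmetic and the own-property lookup are hardening choices added here that go beyond the task's stated constraints.

```javascript
// Constructed sample catalog: the server-side source of truth for prices.
// (Sample data for this example, not from the original page.)
const catalog = {
  p1: { name: 'Headphones', price: 99.99 },
  p2: { name: 'USB-C cable', price: 12.5 },
};

// VULNERABLE: binds every field of the client-supplied order object,
// including price. Sending { price: 0.01 } buys anything for a cent.
function createOrderVulnerable(userId, orderData, catalog) {
  const { productId, quantity, price } = orderData;
  return { userId, productId, quantity, unitPrice: price, total: price * quantity };
}

// Convert a decimal price to integer cents so totals are exact.
function toCents(amount) {
  return Math.round(amount * 100);
}

// FIXED: only productId and quantity are read from the client. unitPrice
// always comes from the catalog; orderData.price is never consulted.
function createOrder(userId, orderData, catalog) {
  const { productId, quantity } = orderData;

  // Own-property check: with a plain-object catalog, a productId such as
  // 'constructor' or '__proto__' would otherwise resolve to an inherited
  // property and yield an undefined price (and a NaN total).
  if (!Object.prototype.hasOwnProperty.call(catalog, productId)) {
    throw new Error('Product not found');
  }

  // Hardening beyond the task's constraints (added in this example):
  // reject non-integer or non-positive quantities, which would otherwise
  // produce zero or negative totals.
  if (!Number.isInteger(quantity) || quantity <= 0) {
    throw new Error('Invalid quantity');
  }

  const unitPrice = catalog[productId].price;
  // Multiply in integer cents to avoid floating-point drift
  // (99.99 * 3 is not exactly 299.97 in IEEE doubles).
  const total = (toCents(unitPrice) * quantity) / 100;
  return { userId, productId, quantity, unitPrice, total };
}

// A tampered checkout request, constructed for this example.
const tampered = { productId: 'p1', quantity: 1, price: 0.01 };
console.log(createOrderVulnerable('u1', tampered, catalog).total); // 0.01
console.log(createOrder('u1', tampered, catalog).total);           // 99.99
```

The pattern to take away is the explicit destructuring of an allow-list of client fields (productId, quantity) rather than spreading or copying the whole request body; anything the server is authoritative for (price, discounts, status) is looked up or computed, never accepted.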
