#0206

Subscription Tier Bypass

Difficulty: Hard | +200 XP | A08:2021 Software and Data Integrity Failures | CWE-915
Tags: Mass Assignment, Business Logic, Subscription

Scenario

Your SaaS product sells subscription tiers — free, pro, and enterprise. Users can update their subscription settings (payment method, auto-renew). The update handler, however, passes the full request body to the data layer.

An attacker intercepts the settings-update request and adds 'tier: enterprise' and 'expiresAt: 2099-12-31', giving themselves a permanent enterprise subscription at no cost.

Subscription tier bypass directly impacts revenue. An attacker can unlock enterprise features worth thousands of dollars per month through a single tampered API call.

Your Tasks

  1. Fix updateSubscription so that only 'paymentMethod' and 'autoRenew' can be updated. The 'tier' and 'expiresAt' fields must be ignored.

Examples

Example 1: Tier escalation blocked

updateSubscription('u1', { tier: 'enterprise' }, subs)
// returns subscription with tier still 'free'

Constraints

  • Throw exactly 'Not found' when no subscription exists for userId
  • Return the updated subscription object
  • tier and expiresAt must never change via this function
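The mass-assignment bug from the scenario beside an allowlisted fix, as an added illustration rather than the challenge's reference solution. It assumes `subs` is a plain object keyed by userId and that a subscription record carries `tier`, `expiresAt`, `paymentMethod` and `autoRenew`; the store shape and the sample record are constructed here.

```javascript
// Only these request fields may reach the data layer.
const ALLOWED_FIELDS = ['paymentMethod', 'autoRenew'];

// Vulnerable version: the whole request body is merged into the record, so
// a tampered payload can overwrite tier and expiresAt.
function updateSubscriptionVulnerable(userId, updates, subs) {
  const sub = subs[userId];
  if (!sub) throw new Error('Not found');
  Object.assign(sub, updates);
  return sub;
}

// Fixed version: copy only allowlisted keys that the caller actually sent.
// Unknown or forbidden keys (tier, expiresAt, __proto__, ...) are dropped.
function updateSubscription(userId, updates, subs) {
  const sub = subs[userId];
  if (!sub) throw new Error('Not found');
  const body = updates ?? {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      sub[key] = body[key];
    }
  }
  return sub;
}

// Constructed sample store (assumed shape, not from the challenge).
function sampleSubs() {
  return {
    u1: {
      userId: 'u1',
      tier: 'free',
      expiresAt: '2025-01-31',
      paymentMethod: 'card',
      autoRenew: false,
    },
  };
}

// The tampered request from the scenario: legitimate field plus two
// fields the user must never be able to set.
const tamperedBody = { autoRenew: true, tier: 'enterprise', expiresAt: '2099-12-31' };

// Demonstration: vulnerable handler escalates, fixed handler does not.
const escalated = updateSubscriptionVulnerable('u1', tamperedBody, sampleSubs());
const safe = updateSubscription('u1', tamperedBody, sampleSubs());
console.log('vulnerable tier:', escalated.tier, '| fixed tier:', safe.tier);
```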

Hint

References
