#0207

Audit Field Tampering

Difficulty: Hard | +200 XP | OWASP A08:2021 Software and Data Integrity Failures | CWE-915
Tags: Mass Assignment, Audit Integrity, Impersonation

Scenario

Your platform creates posts and records who authored them and when. The createPost function takes postData from the client and merges it into the new post object, trusting that the client will only send title and content.

An attacker submits a post with 'authorId: admin' and 'createdAt: 2020-01-01', making it appear that an admin posted historical content. This poisons audit logs and can be used for social-engineering attacks.

Tampered audit trails undermine accountability and can be used to frame other users or manufacture false records. Regulators expect audit logs to be tamper-proof.

Your Tasks

  1. Fix createPost so that authorId is always set to userId and createdAt is always set to '2026-01-01'. Any values in postData for these fields must be ignored.

Examples

Example 1: Author spoofing blocked

createPost('alice', { title: 'Hi', content: 'x', authorId: 'admin' }, db)
// returns { authorId: 'alice', createdAt: '2026-01-01' }

Constraints

  • Return { id, title, content, authorId, createdAt }
  • authorId must always equal userId
  • createdAt must always be '2026-01-01'
  • id is 'post-' + db.length
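The following is an added example, not the challenge's own solution file or starter code. It places a mass-assignment version of createPost (the behaviour the Scenario describes) beside a hardened one that satisfies the Constraints, and adds a small helper, tamperedFields, which is my own addition for flagging requests that tried to set server-owned fields so they can be logged as suspicious.

```javascript
// Added example: mass-assignment createPost vs. a hardened one that meets
// the challenge constraints. Not the page's own code.

// Fields the server owns; the client must never be allowed to set them.
const PROTECTED_FIELDS = ['authorId', 'createdAt', 'id'];

// Vulnerable: postData is spread LAST, so a client-supplied authorId or
// createdAt overwrites the server-assigned value (CWE-915 mass assignment).
function createPostVulnerable(userId, postData, db) {
  const post = {
    id: 'post-' + db.length,
    authorId: userId,
    createdAt: '2026-01-01',
    ...postData,
  };
  db.push(post);
  return post;
}

// Hardened: allow-list exactly the client fields we accept (title, content),
// then assign the server-owned fields afterwards so nothing can override them.
function createPost(userId, postData, db) {
  const { title, content } = postData ?? {};
  const post = {
    id: 'post-' + db.length,
    title,
    content,
    authorId: userId,        // always the authenticated user, never client input
    createdAt: '2026-01-01', // fixed timestamp required by the challenge
  };
  db.push(post);
  return post;
}

// Hypothetical detection helper (my addition): names the protected fields a
// client attempted to set, so the request can be logged or alerted on.
function tamperedFields(postData) {
  const data = postData ?? {};
  return PROTECTED_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(data, f)
  );
}

// Constructed attacker payload from the Scenario, run through both versions.
function demo() {
  const tampered = {
    title: 'Hi',
    content: 'x',
    authorId: 'admin',
    createdAt: '2020-01-01',
  };
  const vuln = createPostVulnerable('alice', { ...tampered }, []);
  const safe = createPost('alice', { ...tampered }, []);
  return { vuln, safe, flagged: tamperedFields(tampered) };
}

const result = demo();
console.log('vulnerable:', result.vuln);
console.log('hardened:  ', result.safe);
console.log('client tried to set:', result.flagged);
```

The hardened version does not rely on deleting bad keys from postData; it never copies them in the first place, which also covers any protected field added later as long as it is assigned after the allow-listed ones. The tamperedFields result is what you would write to the security log: a client sending authorId or createdAt is never legitimate under this API contract.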

Hint

References
