
#1001

Negative Quantity Exploit

Difficulty: Easy · +50 XP · OWASP A04:2021 Insecure Design · CWE-840
Tags: Business Logic · Quantity Validation

Scenario

Your e-commerce platform calculates an order total by summing quantity * price for each line item.

The calculateOrderTotal function performs no validation on quantities, allowing an attacker to submit a negative quantity for an expensive item to reduce — or even negate — the total cost.

In the worst case, an attacker's cart yields a negative total, meaning the platform would effectively pay the attacker upon checkout.

Negative quantity attacks have cost real businesses significant money. Input validation at the business logic layer is the only reliable defence — server-side validation cannot be skipped even when the UI prevents negative quantities.

Your Tasks

  1. Fix calculateOrderTotal to validate that every item's quantity is a positive integer.
  2. Throw an error with message 'Invalid quantity' if any item has a quantity of zero or less.
  3. Return the correct numeric total for valid carts.

Examples

Example 1: Negative quantity exploit (bug)

calculateOrderTotal([{productId:'p1',quantity:-1,price:100},{productId:'p2',quantity:1,price:50}])
// returns -50 — attacker reduces total!

Example 2: Blocked (fix)

calculateOrderTotal([{productId:'p1',quantity:-1,price:100}])
// throws Error('Invalid quantity')

Constraints

  • Throw exactly 'Invalid quantity' — no other message.
  • An empty cart (no items) is valid and should return 0.
  • Do not modify the function signature.
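One way to satisfy the tasks and constraints above, shown as an added example rather than the challenge's reference solution: the vulnerable summation beside a hardened version that rejects anything other than a positive integer quantity with the exact 'Invalid quantity' message. The helper name rejectionReason and the valid cart are assumptions made for this illustration.

```javascript
// Added example: vulnerable and hardened forms of calculateOrderTotal.

// Vulnerable: sums quantity * price with no validation, so a negative quantity
// on an expensive item subtracts from the total (or drives it below zero).
function calculateOrderTotalVulnerable(items) {
  return items.reduce((total, item) => total + item.quantity * item.price, 0);
}

// Hardened: every quantity must be a positive integer. Number.isInteger rejects
// strings such as '2', NaN, Infinity and fractional values; the <= 0 check
// rejects zero and negatives. The whole cart is validated before any summing,
// and an empty cart simply falls through to a total of 0.
function calculateOrderTotal(items) {
  for (const item of items) {
    if (!Number.isInteger(item.quantity) || item.quantity <= 0) {
      throw new Error('Invalid quantity');
    }
  }
  return items.reduce((total, item) => total + item.quantity * item.price, 0);
}

// Hypothetical helper: returns the error message for a rejected cart, or null
// when the cart is accepted. Useful for table-driven checks of the validator.
function rejectionReason(items) {
  try {
    calculateOrderTotal(items);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Sample carts: the first is the page's Example 1, the second is constructed.
const attackerCart = [
  { productId: 'p1', quantity: -1, price: 100 },
  { productId: 'p2', quantity: 1, price: 50 },
];
const validCart = [
  { productId: 'p1', quantity: 2, price: 100 },
  { productId: 'p2', quantity: 1, price: 50 },
];

console.log(calculateOrderTotalVulnerable(attackerCart)); // -50
console.log(rejectionReason(attackerCart));               // 'Invalid quantity'
console.log(calculateOrderTotal(validCart));              // 250
console.log(calculateOrderTotal([]));                     // 0
```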
