#1004

Refund Exceeds Total

Easy | +50 XP | A04:2021 Insecure Design | CWE-840
Business Logic | Refund Validation

Scenario

Your platform's refund service allows customers to request partial or full refunds on orders via processRefund(orderId, refundAmount, orderTotal).

The function currently performs no validation: an attacker can request a refund larger than the original order total, causing the platform to overpay, or submit a negative or zero refund amount.

This type of business logic flaw can be exploited to extract funds beyond what was paid, making it a serious financial risk.

Refund manipulation is a well-known payment fraud technique. Without server-side validation of refund bounds, attackers can drain platform balances through repeated over-refund requests.

Your Tasks

  1. Throw 'Invalid refund amount' if refundAmount is less than or equal to zero.
  2. Throw 'Refund exceeds order total' if refundAmount is greater than orderTotal.
  3. Return { refunded: refundAmount, remaining: orderTotal - refundAmount } for valid inputs.

Examples

Example 1: Refund larger than order (bug)

processRefund('ord-1', 200, 100)
// returns { refunded: 200, remaining: -100 } — overpaid!

Example 2: Blocked (fix)

processRefund('ord-1', 200, 100)
// throws Error('Refund exceeds order total')

Constraints

  • Validate zero/negative before checking against the order total.
  • A refund equal to the full order total is valid (full refund).
  • Do not modify the function signature.
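An added example, not the challenge's reference solution: the three checks from the task list, followed by a stricter wrapper that goes beyond the tasks by rejecting non-numeric and non-finite inputs, which JavaScript's comparison operators otherwise let through. The name processRefundStrict, the 'Invalid order total' message and all sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the challenge page). Sample inputs are constructed.

// The checks exactly as the task list states them: zero/negative first,
// then the upper bound. A refund equal to the order total is allowed.
function processRefund(orderId, refundAmount, orderTotal) {
  if (refundAmount <= 0) throw new Error('Invalid refund amount');
  if (refundAmount > orderTotal) throw new Error('Refund exceeds order total');
  return { refunded: refundAmount, remaining: orderTotal - refundAmount };
}

// Hypothetical stricter variant: same signature, same bounds, but with a
// type and finiteness guard in front of the comparisons.
function processRefundStrict(orderId, refundAmount, orderTotal) {
  if (typeof refundAmount !== 'number' || !Number.isFinite(refundAmount)) {
    throw new Error('Invalid refund amount');
  }
  if (typeof orderTotal !== 'number' || !Number.isFinite(orderTotal) || orderTotal < 0) {
    throw new Error('Invalid order total'); // assumed message, not in the task list
  }
  return processRefund(orderId, refundAmount, orderTotal);
}

// Helper: return the result object, or the error message if the call throws.
function outcome(fn, ...args) {
  try { return fn(...args); } catch (e) { return e.message; }
}

// Constructed test inputs covering the page's cases plus two coercion cases.
const cases = [
  ['ord-1', 200, 100],      // over-refund: both versions throw
  ['ord-1', 100, 100],      // full refund: valid
  ['ord-1', 0, 100],        // zero: invalid
  ['ord-1', -5, 100],       // negative: invalid
  ['ord-1', NaN, 100],      // NaN <= 0 and NaN > 100 are both false
  ['ord-1', '1000', '200'], // two strings compare lexicographically
];

for (const c of cases) {
  console.log(c, '| basic:', outcome(processRefund, ...c),
                 '| strict:', outcome(processRefundStrict, ...c));
}
```

With only the three listed checks, the NaN case returns { refunded: NaN, remaining: NaN } and the string case returns a remaining of -800, so values taken from request bodies or query strings should be parsed and type-checked before the bounds are applied.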
