Expected Findings
- Order IDs are enumerable and return other customers' data.
- Coupon and total calculations trust client-supplied fields.
- Email validation is only a superficial frontend check.
Checkout Flow
Ecommerce Advanced
The checkout script trusts client-calculated totals, weakly validates contact fields, and lets anyone pull order details by ID.
Primary Flows
- Checkout endpoint POST email and tampered total
- Coupon endpoint Arbitrary discount application
- Other customer order Order BOLA
Signals
Validation
if (email.includes("@")) submitCheckout(totalFromDOM)