BOLA (IDOR) on Order Details
TaintedPort
Vuln ID: TP-017
Title: BOLA (IDOR) on Order Details
Severity: high
Type: IDOR
HTTP Method: GET
URL: /orders/:id
Parameter: id
Filename: -
Code Location: backend/api/models/Order.php line 104
Description: The order detail endpoint does not verify that the authenticated user owns the order. Any authenticated user can view any order by guessing or enumerating order IDs.
Proof of Concept: GET /orders/1 as any authenticated user (even non-owner).
Remediation: Add user ownership check: WHERE o.id = :id AND o.user_id = :user_id.