Kiosk endpoint missed the orders hardenings: sibling-endpoint parity sweep — XX F1 (PR #585)
Pablo Madrid Malasaña, a 37-year-old freelance API security researcher (Bugcrowd Iberian top-15, handle pablo-business-logic; 2 years in software, 4 years in pentesting), specialises in business-logic flaws and hardening-regression sweeps against enterprise venue and fast-casual restaurant chain kiosk-tablet endpoints. In May 2026, working in the thMenu test environment, he compared the customer-facing POST /api/orders with its sibling. The customer endpoint already shipped fully hardened: UU F3 (items.length <= 100 cap), WW F1 (modifier_option_ids Set dedup) and SEC-H10 (server-side canonical product_name lookup). The operator-side kiosk-tablet sibling, POST /api/kiosk/order (PR #481, Feb 2026, five months earlier), had zero of the three. That is finding XX F1, fixed in PR #585.

The three missing hardenings:

1. items.length unbounded. A single POST with 10k+ items exhausts the Worker's 30s CPU budget and exceeds the D1 32k bind-parameter ceiling, crashing the entire kiosk fleet: a DoS during the Friday rush.
2. No Set dedup on modifier_option_ids. The free-meal exploit shape from WW F1 (PR #580) applies unchanged on the kiosk path: an option with a negative modifier_delta repeated N times expands the subtotal below zero, the clamp to 0 kicks in, and the meal is free.
3. Client-supplied product_name accepted with no server-side lookup against the canonical product registry. The phantom-allergen attack: a legitimate product_id 1 (pizza) sent with the client product_name "NUT-FREE PIZZA" yields a fake kitchen ticket reading NUT-FREE PIZZA; staff assume an allergen exemption, and a guest with a peanut allergy ends up hospitalised. This is a food-safety risk, not only a pricing bug.

Threat model: CVSS 8.7 HIGH. A free meal via the kiosk path ($0 payment for a legitimate menu item), mass DoS during the Friday rush, and a phantom-allergen kitchen ticket. Pablo stayed in the test environment and sent a responsible-disclosure email to the engineering team after a 50-minute audit, covering the three misses, three separate proof-of-concept payloads, and a request for a production audit.
The PR #585 XX F1 fix has three layers:

1. Kiosk endpoint full hardening parity: items.length <= 100, modifier_option_ids Set dedup, a per-line non-negative clamp, and product_name taken server-side from the canonical D1_MENU.products registry, ignoring the client value.
2. Shared canonical schema primitives in packages/shared-types/src/lib/order-validation.ts, exporting KioskItemSchema and KioskOrderSchema alongside the customer OrderSchema they reuse: modifier_option_ids capped at 20 entries, and a dedupedModifierPicks helper shared uniformly across the customer, admin and kiosk paths.
3. A CI sibling-endpoint parity check, scripts/check-sibling-endpoints.ts, which greps the /api/(orders|kiosk/order|admin/orders) handler files for the Zod schema import, the items.length cap and the product_name canonical lookup, and fails the build on any mismatch (a lint rule).

Production audit over the kiosk endpoint's five months: 3,847 kiosk orders, 0 free-meal exploits, 5 phantom-allergen attempts (3 caught by staff; 2 reached the kitchen, and the guest had no allergy) and 1 DoS attempt (an operator's own test). The 5 affected operators received a 1-month Pro tier credit, an apology email and the audit report.

Pablo received a €2,400 bug bounty, 9 months of priority-2 tier and a joint Twitter thread with 14.8k LinkedIn impressions. Selma Konya Selçuklu, a 35-year-old freelance security researcher (HackerOne TR top-15, handle selma-shadow-api) whose niche is sibling-endpoint regression hunting, reported the same root cause (hardening drift) in parallel; the PR #585 XX F1 fix covers her finding too, and she received the same €2,400 bounty, 9-month tier and 14.8k LinkedIn impressions.

Key terms: sibling endpoint hardening parity sweep (kiosk, admin, customer); shared canonical Zod schema primitives (modifier dedup, non-negative clamp); CI lint rule failing the build on sibling-endpoint schema mismatch; phantom-allergen attack on the kitchen ticket, defeated by the product_name canonical lookup.
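To make the three misses and the first two fix layers concrete, here is an added example (not the project's own order-validation.ts) of the shared validation primitives: the items.length cap, the modifier dedup helper, the per-line non-negative clamp, and the registry-sourced product_name. It is plain TypeScript rather than Zod so it runs with no dependencies; the product and modifier registries are constructed stand-ins for D1_MENU.products and the modifier option table, and their shapes and prices are assumptions.

```typescript
// Added example (not the project's code): shared order-validation primitives in the
// spirit of packages/shared-types/src/lib/order-validation.ts, written in plain
// TypeScript rather than Zod so it runs with no dependencies. The registries below
// are constructed stand-ins for the D1_MENU.products table and the modifier option
// table; their shapes and the price values are assumptions.

const MAX_ITEMS = 100;          // UU F3: items.length cap
const MAX_MODIFIER_PICKS = 20;  // modifier_option_ids array max (checked after dedup)

// Constructed product registry: product_name always comes from here, never the client.
const PRODUCT_REGISTRY: Record<number, { name: string; price_cents: number }> = {
  1: { name: "Margherita Pizza", price_cents: 1200 },
  2: { name: "Caesar Salad", price_cents: 900 },
};

// Constructed modifier registry; negative deltas are legitimate (e.g. "no protein").
const MODIFIER_REGISTRY: Record<number, { delta_cents: number }> = {
  10: { delta_cents: 150 },    // extra cheese
  11: { delta_cents: -300 },   // no protein
  12: { delta_cents: -1000 },  // oversized discount, to exercise the per-line clamp
};

interface RawOrderItem {
  product_id: number;
  product_name?: string;          // client-supplied; ignored on the hardened path
  quantity: number;
  modifier_option_ids?: number[];
}

interface CanonicalOrderItem {
  product_id: number;
  product_name: string;           // from the registry (SEC-H10)
  quantity: number;
  modifier_option_ids: number[];  // deduplicated (WW F1)
  line_total_cents: number;       // clamped to >= 0 per line
}

interface ValidationResult {
  ok: boolean;
  error?: string;
  items: CanonicalOrderItem[];
  subtotal_cents: number;
}

function reject(error: string): ValidationResult {
  return { ok: false, error: error, items: [], subtotal_cents: 0 };
}

// WW F1: collapse repeated option IDs so each modifier applies once per line.
// Equivalent to Array.from(new Set(ids)) without relying on ES2015 lib typings.
function dedupedModifierPicks(ids: number[]): number[] {
  const seen: Record<number, boolean> = {};
  const out: number[] = [];
  for (let i = 0; i < ids.length; i++) {
    if (!seen[ids[i]]) { seen[ids[i]] = true; out.push(ids[i]); }
  }
  return out;
}

// Validates and canonicalises one order; the same function serves customer, kiosk and admin.
function validateKioskOrder(items: RawOrderItem[]): ValidationResult {
  if (!Array.isArray(items) || items.length === 0) return reject("items required");
  if (items.length > MAX_ITEMS) return reject("items.length exceeds " + MAX_ITEMS);
  const canonical: CanonicalOrderItem[] = [];
  for (let i = 0; i < items.length; i++) {
    const raw = items[i];
    const product = PRODUCT_REGISTRY[raw.product_id];
    if (!product) return reject("item " + i + ": unknown product_id");
    if (typeof raw.quantity !== "number" || raw.quantity < 1 || Math.floor(raw.quantity) !== raw.quantity) {
      return reject("item " + i + ": invalid quantity");
    }
    const picks = dedupedModifierPicks(raw.modifier_option_ids || []);
    if (picks.length > MAX_MODIFIER_PICKS) return reject("item " + i + ": too many modifier picks");
    let unit_cents = product.price_cents;
    for (let j = 0; j < picks.length; j++) {
      const mod = MODIFIER_REGISTRY[picks[j]];
      if (!mod) return reject("item " + i + ": unknown modifier_option_id " + picks[j]);
      unit_cents += mod.delta_cents;
    }
    canonical.push({
      product_id: raw.product_id,
      product_name: product.name,                                // client value deliberately dropped
      quantity: raw.quantity,
      modifier_option_ids: picks,
      line_total_cents: Math.max(0, unit_cents * raw.quantity),  // per-line clamp, never cross-line
    });
  }
  let subtotal_cents = 0;
  for (let i = 0; i < canonical.length; i++) subtotal_cents += canonical[i].line_total_cents;
  return { ok: true, items: canonical, subtotal_cents: subtotal_cents };
}
```

The clamp is applied per line, not on the order subtotal: a single line with an oversized negative modifier bottoms out at 0 and cannot pull the price of other lines down, and because dedup runs before pricing, repeating a negative option ID counts it once. A phantom "NUT-FREE PIZZA" in the request never reaches the kitchen ticket because the returned product_name is read from the registry row for product_id 1.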
The pattern: a multi-surface SaaS (customer, kiosk, admin) accepts the same input shape on sibling endpoints. When a security fix lands on the primary endpoint, the siblings may still carry the same vulnerability, so grep for every sibling endpoint with the same domain operation shape, apply the same hardening, and add a CI check that similar paths declare the same input bounds (items length cap, note length cap, product_name canonicalisation). A customer-facing endpoint with looser bounds than its admin-facing sibling is a silent regression vector.

The canonical fix has four parts:

1. Shared canonical Zod schema primitives in packages/shared-types: the modifier dedup helper, the array cap and the non-negative clamp, uniform across sibling endpoints.
2. Full hardening parity on sibling endpoints after the primary fix: grep all siblings with the same operation shape, audit them, and ship the fix in the same PR.
3. A CI sibling-endpoint parity check, scripts/check-sibling-endpoints.ts, that fails the build on Zod schema mismatch as a static lint.
4. product_name resolved server-side from the product registry, so the kitchen ticket reflects the real product and an attacker's fake string cannot claim an allergen exemption.

This is recorded in CLAUDE.md §17 as the sibling-endpoint hardening parity sweep pattern; PR #585 is the reference implementation.
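Part 3 of the pattern is the piece that stops drift from recurring, so here is an added example (not the project's scripts/check-sibling-endpoints.ts) of a static parity check: it greps each order-creation handler for the markers the primary endpoint carries and reports any sibling missing one. The handler sources are constructed inline so the block runs offline; the import path "@thmenu/shared-types/order-validation", the MAX_ORDER_ITEMS constant and the canonicalProductName helper are assumed names.

```typescript
// Added example (not the project's script): a sibling-endpoint parity check in the
// spirit of scripts/check-sibling-endpoints.ts. Handler sources are constructed
// inline so it runs offline; the real script would read them from disk. The import
// path "@thmenu/shared-types/order-validation", the MAX_ORDER_ITEMS constant and
// the canonicalProductName helper are assumed names, not from the original page.

interface ParityMarker { name: string; pattern: RegExp }

// Every hardening the primary endpoint carries must be visible in each sibling.
const REQUIRED_MARKERS: ParityMarker[] = [
  { name: "shared Zod schema import",
    pattern: /from\s+["'][^"']*shared-types[^"']*order-validation["']/ },
  { name: "items.length cap",
    pattern: /\.max\(\s*(100|MAX_[A-Z_]+)\s*\)|items\.length\s*>\s*(100|MAX_[A-Z_]+)/ },
  { name: "product_name canonical lookup",
    pattern: /D1_MENU\.products|canonicalProductName\(/ },
];

// Handler files that share the "create an order" operation shape.
const SIBLING_PATH_PATTERN = /api\/(orders|kiosk\/order|admin\/orders)\//;

interface ParityReport { file: string; missing: string[] }

// Reports which required hardenings are absent from one handler's source text.
function checkHandlerSource(file: string, source: string): ParityReport {
  const missing: string[] = [];
  for (let i = 0; i < REQUIRED_MARKERS.length; i++) {
    if (!REQUIRED_MARKERS[i].pattern.test(source)) missing.push(REQUIRED_MARKERS[i].name);
  }
  return { file: file, missing: missing };
}

// Runs the check over every sibling handler; a non-empty result should fail the build.
function checkSiblings(files: Record<string, string>): ParityReport[] {
  const failures: ParityReport[] = [];
  const paths = Object.keys(files);
  for (let i = 0; i < paths.length; i++) {
    if (!SIBLING_PATH_PATTERN.test(paths[i])) continue;
    const report = checkHandlerSource(paths[i], files[paths[i]]);
    if (report.missing.length > 0) failures.push(report);
  }
  return failures;
}

// Constructed handler sources: two hardened siblings, one that drifted, one unrelated route.
const HARDENED_HANDLER = [
  'import { OrderSchema, MAX_ORDER_ITEMS } from "@thmenu/shared-types/order-validation";',
  'export async function POST(req, env) {',
  '  const body = OrderSchema.parse(await req.json());',
  '  if (body.items.length > MAX_ORDER_ITEMS) return badRequest();',
  '  const named = await canonicalProductName(env.D1_MENU, body.items);',
  '  return createOrder(named);',
  '}',
].join("\n");

const DRIFTED_KIOSK_HANDLER = [
  'import { z } from "zod";',
  'const KioskItem = z.object({ product_id: z.number(), product_name: z.string(), quantity: z.number() });',
  'export async function POST(req, env) {',
  '  const body = z.object({ items: z.array(KioskItem) }).parse(await req.json());',
  '  return createOrder(body.items);',
  '}',
].join("\n");

const CONSTRUCTED_HANDLERS: Record<string, string> = {
  "src/api/orders/route.ts": HARDENED_HANDLER,
  "src/api/admin/orders/route.ts": HARDENED_HANDLER,
  "src/api/kiosk/order/route.ts": DRIFTED_KIOSK_HANDLER,
  "src/api/menu/route.ts": "export async function GET() { return listMenu(); }",
};

function runParityCheck(): ParityReport[] {
  return checkSiblings(CONSTRUCTED_HANDLERS);
}

// Stand-alone run: print the drift report the way a CI step would before failing the build.
const drift = runParityCheck();
for (let i = 0; i < drift.length; i++) {
  console.log(drift[i].file + " missing: " + drift[i].missing.join(", "));
}
```

The markers are deliberately coarse text patterns rather than an AST walk: the goal is a cheap lint that turns red the moment a sibling handler stops importing the shared schema or loses its cap, which is exactly the drift that went unnoticed for five months on /api/kiosk/order. In a real CI step the script would read the matching handler files from disk and exit non-zero when the report is non-empty.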
thMenu Team
thmenu.com