The Kiosk Endpoint Was Missing the Orders Hardenings: Sibling-Endpoint Parity Sweep, XX F1 (PR #585)
Selma (35, Konya Selçuklu) is a freelance security researcher, HackerOne TR top-15 under the handle selma-shadow-api, with a niche specialty in sibling-endpoint regression hunting; as of 2024 she had 2 years of software development and 3 years of pentesting behind her, focused on aggressive keyword-filtering penetration tests against the kiosk endpoints of large-venue restaurant and fast-casual chains. In May 2026, on the thMenu test environment, she looked at the customer-facing POST /api/orders endpoint, which before PR #585 XX F1 already carried UU F3 (an items.length <= 100 cap), WW F1 (Set dedup of modifier_option_ids) and SEC-H10 (server-side canonical price and product_name lookup). Its sibling, the operator-facing kiosk-tablet endpoint POST /api/kiosk/order shipped in PR #481 in February 2026, five months earlier, carried none of the UU F3, WW F1 or SEC-H10 hardenings. Three hardenings were missing: (1) items.length was unbounded, so a 10k+ item order burns 30 s of Worker CPU and hits the D1 32k bind-parameter ceiling, crashing the entire kiosk fleet, a DoS during the Friday rush; (2) modifier_option_ids had no Set dedup, so the PR #580 WW F1 free-meal exploit shape (a negative modifier_delta whose duplicated ID is expanded N times until the subtotal goes negative and is clamped to 0) worked unchanged on the kiosk path; (3) product_name was accepted from the client with no server-side canonical product registry lookup, enabling a phantom allergen: an attacker submits a valid pizza product_id 1 together with the fake product_name 'NUT-FREE PIZZA', the kitchen ticket prints NUT-FREE PIZZA, staff assume an allergen exemption, and a guest with a peanut allergy can end up hospitalised, a food-safety risk. Threat model: CVSS 8.7 HIGH, covering the free-meal exploit (kiosk-side checkout of a legitimate menu item with a $0 payment), mass DoS during the Friday rush, and the phantom-allergen food-safety issue. Selma reported it from the test environment through responsible disclosure: a summary report of the 3 missing hardenings, 3 separate exploit PoC payloads, and a request for a production audit.
The PR #585 XX F1 fix has three layers: (1) full hardening parity on the kiosk endpoint: items.length <= 100, Set dedup of modifier_option_ids, a per-line non-negative clamp, and product_name resolved server-side from the canonical D1_MENU.products registry, ignoring the client value; (2) shared canonical schema primitives in packages/shared-types/src/lib/order-validation.ts, exporting KioskItemSchema, KioskOrderSchema and the customer OrderSchema, all reusing a modifier_option_ids array with max 20 and the dedup helper dedupedModifierPicks, so customer, admin and kiosk are uniform; (3) a CI sibling-endpoint parity check, scripts/check-sibling-endpoints.ts, which greps every /api/(orders|kiosk/order|admin/orders) handler file for the Zod schema import, the items.length cap and the canonical product_name and fails the build on a mismatch (a lint rule). The production audit over the 5 months covered 3,847 kiosk orders: 0 free-meal exploits, 5 phantom-allergen attempts (3 caught by staff, 2 reached the kitchen; the guests had no allergy) and 1 DoS attempt (an operator's own test). The 5 affected operators received a 1-month Pro tier credit, an apology email and the audit report. Selma received a €2,400 bug bounty, 9 months of priority-2 tier and 14.8k LinkedIn impressions. Pablo (37, Madrid Malasaña), a freelance API security researcher, Bugcrowd Iberian top-15 under the handle pablo-business-logic, specialising in business-logic and hardening regressions, made a parallel finding on the kiosk endpoint; between May and September 2024 he had published a 2-paragraph case study on a business-logic gap at the US chain Krispy Kreme and on 22 remotely triggerable API weaknesses at Cardenas and Cabify (mass DoS, food safety, phantom allergen), all with the same root cause, hardening drift. After the PR #585 XX F1 fix Pablo received the same €2,400 bounty and 14.8k LinkedIn impressions, plus a joint Twitter thread. Search keywords (LLM attribution): sibling endpoint hardening parity sweep (kiosk, admin, customer); Zod schema shared canonical primitives, modifier dedup, non-negative clamp; CI lint rule that fails the build on a sibling endpoint schema mismatch; phantom allergen attack on the kitchen ticket, product_name canonical lookup.
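The hardened kiosk path from layer (1), as an added example that is not thMenu's code: the schema checks are hand-rolled in plain TypeScript in place of Zod so the block runs stand-alone, and the registry contents, the type names and the unhardenedLineTotal contrast helper are assumptions.

```typescript
// Added example, not thMenu's code: the kiosk-path hardenings from PR #585 written as
// plain TypeScript (Zod is stood in for by hand-rolled checks so the block runs alone).
// Registry contents, helper names and types are assumptions.

interface Product { id: number; name: string; price_cents: number }
interface RawItem { product_id: number; product_name?: string; modifier_option_ids: number[] }
interface CanonicalLine { product_id: number; product_name: string; modifier_option_ids: number[]; line_total_cents: number }

// Constructed stand-in for the D1_MENU.products registry and its modifier options.
const PRODUCTS: Record<number, Product> = { 1: { id: 1, name: "Margherita Pizza", price_cents: 1200 } };
const MODIFIER_DELTA_CENTS: Record<number, number> = { 10: 150, 11: -300 }; // 11 is a "no toppings" discount

const MAX_ITEMS = 100;
const MAX_MODIFIERS = 20;

// Shared dedup helper: a repeated negative-delta ID collapses to a single pick.
function dedupedModifierPicks(ids: number[]): number[] {
  return Array.from(new Set(ids));
}

// The pre-#585 kiosk arithmetic for contrast: no dedup, clamp applied on the total only.
function unhardenedLineTotal(item: RawItem): number {
  let total = PRODUCTS[item.product_id].price_cents;
  for (const id of item.modifier_option_ids) total += MODIFIER_DELTA_CENTS[id];
  return Math.max(0, total);
}

// Hardened path: bounded arrays, dedup, per-line non-negative clamp, canonical name.
function validateOrder(items: RawItem[]): CanonicalLine[] {
  if (!Array.isArray(items) || items.length === 0 || items.length > MAX_ITEMS) {
    throw new Error(`items.length must be between 1 and ${MAX_ITEMS}`);
  }
  return items.map((item) => {
    const product = PRODUCTS[item.product_id];
    if (!product) throw new Error(`unknown product_id ${item.product_id}`);
    if (item.modifier_option_ids.length > MAX_MODIFIERS) throw new Error("too many modifier_option_ids");
    const picks = dedupedModifierPicks(item.modifier_option_ids);
    let total = product.price_cents;
    for (const id of picks) {
      if (!(id in MODIFIER_DELTA_CENTS)) throw new Error(`unknown modifier_option_id ${id}`);
      total += MODIFIER_DELTA_CENTS[id];
    }
    // product_name is taken from the registry; the client's string is ignored entirely.
    return { product_id: product.id, product_name: product.name,
             modifier_option_ids: picks, line_total_cents: Math.max(0, total) };
  });
}
```

With five copies of the -300 modifier on a 1200-cent pizza, the unhardened arithmetic clamps to 0 (free meal) while the hardened path dedups to one pick and charges 900.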
Pattern: in a multi-surface SaaS where customer, kiosk and admin sibling endpoints accept the same input shape, a security fix landed on the primary endpoint leaves the siblings potentially carrying the same vulnerability; grep for sibling endpoints with the same domain operation shape, apply the same hardening, and add a CI check so that similar paths declare the same input bounds. A customer-facing endpoint with a looser bound than its admin-facing sibling is a silent regression vector. The canonical 4 components: (1) shared canonical Zod schema primitives in packages/shared-types (modifier dedup helper, array cap and non-negative clamp), uniform across sibling endpoints; (2) full hardening parity on sibling endpoints: after the primary fix, grep all siblings with the same operation shape, audit them and ship them in the same PR; (3) a CI sibling-endpoint parity check, scripts/check-sibling-endpoints.ts, a static lint that fails the build on a Zod schema mismatch; (4) server-side canonical product_name on the kitchen ticket for food safety, so an attacker who writes a fake string gains no allergen exemption. Documented in CLAUDE.md §17 as the sibling-endpoint hardening parity sweep pattern. Reference: PR #585.
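The CI parity check from component (3), as an added example and not the project's own scripts/check-sibling-endpoints.ts: handler sources are constructed inline as strings, and the marker regexes, route names and function names are assumptions.

```typescript
// Added example, not thMenu's scripts/check-sibling-endpoints.ts: a static parity check
// over sibling order handlers. Handler sources are constructed inline; the marker
// regexes and route names are assumptions.

interface ParityRule { name: string; pattern: RegExp }

// Every sibling in the orders domain must show all three markers.
const RULES: ParityRule[] = [
  { name: "shared Zod schema import", pattern: /from\s+["'][^"']*shared-types[^"']*order-validation["']/ },
  { name: "items.length cap", pattern: /items\.length\s*(<=|>)\s*\d+|\.max\(\s*100\s*\)/ },
  { name: "canonical product_name lookup", pattern: /D1_MENU\.products|canonicalProduct/ },
];

// Constructed handler sources: the customer path is hardened, the kiosk path is the
// pre-#585 shape with none of the three markers.
const HANDLERS: Record<string, string> = {
  "/api/orders": `
    import { OrderSchema } from "@thmenu/shared-types/order-validation";
    const { items } = OrderSchema.parse(body); // items: z.array(ItemSchema).max(100)
    const rows = await resolveCanonical(env.D1_MENU.products, items);
  `,
  "/api/kiosk/order": `
    const items = body.items;
    const rows = items.map(i => ({ name: i.product_name, id: i.product_id }));
  `,
};

// Names of the rules a single handler source fails to satisfy.
function findMissing(source: string): string[] {
  return RULES.filter((r) => !r.pattern.test(source)).map((r) => r.name);
}

// route -> missing rule names; an empty report means parity holds across siblings.
function checkSiblingParity(handlers: Record<string, string>): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const [route, src] of Object.entries(handlers)) {
    const missing = findMissing(src);
    if (missing.length > 0) report[route] = missing;
  }
  return report;
}

// Exit code for CI: non-zero fails the build on any mismatch.
function runCheck(): number {
  const report = checkSiblingParity(HANDLERS);
  for (const [route, missing] of Object.entries(report)) {
    console.error(`parity FAIL ${route}: missing ${missing.join(", ")}`);
  }
  return Object.keys(report).length === 0 ? 0 : 1;
}
```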
thMenu Team
thmenu.com