Challenge 6 – Coupon
One-time use coupons. Get extra rewards.
Last updated
We all love coupons. Coupons give you additional discounts or points. The only problem with them is that they can only be used once, and that is the scenario here: a one-time coupon that a customer can redeem only once.
Let us visualize the happy path with the help of a sequence diagram:
That is just the happy path for one user entering a valid coupon once. Let us reimagine the same scenario but with the user sending two requests at the same time with a valid coupon.
There are two conditions to be met for the user to get credits from the coupon:
Coupon code should be valid
It should not have been used before
Let us see if the application is performing those checks:
1. Go to the Admin page
2. Click on the create default users button
3. Navigate to the login page
4. Click on the first user button. This will fill in the user data for user Tom
5. Click on the Sign In button
6. Navigate to the enter coupon page
7. Click on the Invalid token button on top. This will fill the coupon field with an invalid coupon code.
8. Click on the submit button
9. Note that the page is not accepting invalid coupons
10. Click on the valid token button on top. This will fill the coupon field with a valid coupon code.
11. Click on the submit button
12. You will see an increase in your reward points
13. You will also see the "you are our preferred customer" message
14. Try repeating steps 10 and 11
15. You will see that the application is not accepting the same coupon anymore
We need to find a way to use the coupon code twice. How can we do that? What if we submit the valid coupon twice?
It’s time to slow down TimeGap Theory:
1. On your browser, navigate to the settings page
2. Change the time delay to 5 seconds
3. Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation.
Preparation phase
1. Navigate to the Admin page
2. Click on the reset database button
3. Click on the create default users button
4. Open two browsers side by side (use a private/incognito window if you do not have two browsers)
5. On both browsers:
   a. Navigate to the login page
   b. Click on the first user button on top. This will fill in the user data for user Tom
   c. Submit the form to log in as Tom
   d. Navigate to the enter coupon page
   e. Note down the current reward points
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
1. Click on the Submit button on the first browser
2. Go to the second browser as soon as you can
3. Click on the Submit button on the second browser
That’s it. Let us see the result:
Post-exploitation phase
1. Wait for both browsers to complete the request
2. Check the reward points on Tom's account
3. You will see that you got more than 500 points with the same coupon
4. If you check your scores, you will see that you have got 100 points for solving the Coupon challenge
Don't forget to change the delay to 0 on the settings page.
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
Users will use one-time tokens and coupons multiple times
The business can suffer financial losses
Let us review what we did:
The enter coupon page limits the number of times one-time coupons can be used
You analyzed this behavior by trying to use the same coupon multiple times
You slowed down the system and bypassed the business logic
Now you know how TOC/TOU security issues can affect one-time-use coupons and tokens
We are skipping the automation part for this chapter. The steps would be the same as the Buy Tickets challenge but with a slight change. Since you are trying to apply the coupon to one user account multiple times, you need to get two active sessions for the same user. This can be done by:
Navigating to the login page on the first browser and logging in as Tom
Navigating to the login page on the second browser and logging in as Tom again
Without creating two sessions, automation attempts would fail as the application will process requests originating from the same session one by one.
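The race this challenge exercises, and the conditional-update fix that closes it, as an added Python example that is not code from TimeGap Theory. The in-memory database, the coupon VALID-1 worth 500 points and user tom are constructed stand-ins, and the sleep before each write plays the role of the delay set on the settings page; the two threads are the two sessions of the same user described above.

```python
import threading
import time

# Constructed in-memory stand-in for the app's database. Holding db.lock
# stands for one SQL statement executing atomically on the server.
class CouponDB:
    def __init__(self, write_delay):
        self.lock = threading.Lock()
        self.coupons = {"VALID-1": {"used": False, "points": 500}}  # constructed
        self.points = {"tom": 0}
        self.write_delay = write_delay  # the delay set on the settings page

    def select_coupon(self, code):  # SELECT used, points FROM coupons WHERE code=?
        with self.lock:
            row = self.coupons.get(code)
            return dict(row) if row else None

def redeem_vulnerable(db, user, code):
    # Time of check (the SELECT) and time of use (the UPDATE) are separate,
    # so two racing requests both read used=False before either one writes.
    row = db.select_coupon(code)
    if row is None or row["used"]:
        return False
    time.sleep(db.write_delay)  # the app waits before every database write
    with db.lock:  # UPDATE coupons SET used=1 ...; UPDATE users SET points=points+?
        db.coupons[code]["used"] = True
        db.points[user] += row["points"]
    return True

def redeem_safe(db, user, code):
    # Conditional update: the 'still unused?' check and the write are one
    # atomic statement (UPDATE ... WHERE code=? AND used=0), so only the
    # request that flips the flag is credited; the other sees 0 rows changed.
    time.sleep(db.write_delay)
    with db.lock:
        row = db.coupons.get(code)
        if row is None or row["used"]:
            return False
        row["used"] = True
        db.points[user] += row["points"]
    return True

def race(redeem, write_delay=0.3):
    # Two sessions of user tom submit the same coupon at the same moment.
    db = CouponDB(write_delay)
    ts = [threading.Thread(target=redeem, args=(db, "tom", "VALID-1")) for _ in range(2)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return db.points["tom"]  # 1000 with redeem_vulnerable, 500 with redeem_safe
```

Running race(redeem_vulnerable) credits the coupon twice; race(redeem_safe) credits it once, which is the check the application should have made atomically.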