OWASP TimeGap Theory Handbook
Search…
⌃K

Challenge 6 – Coupon

One-time use coupons.Get extra rewards.
We all love coupons. Coupons help you get additional discounts or points. The only problem with them is that they can only be used once. Same is the scenario here. There is a one-time coupon which can only be used once by a customer.
Let us visualize the happy path with the help of a sequence diagram:
A screenshot of a map Description automatically generated
That is just the happy path for one user entering a valid coupon once. Let us reimagine the same scenario but with the user sending two requests at the same time with a valid coupon.
A screenshot of a cell phone Description automatically generated
There are two conditions to be met for user to get credits from the coupon:
  1. 1.
    Coupon code should be valid
  2. 2.
    It should not have been used before
Let us see if the application is performing those checks:
  1. 1.
    Go to the Admin page
  2. 2.
    Click on create default users button
  3. 3.
    Navigate to the login page
  4. 4.
    Click on the first user button. This will fill in the user data for user Tom
  5. 5.
    Click on the Sign In button
  6. 6.
    Navigate to enter coupon page
  7. 7.
    Click on the Invalid token button on top. This will fill the coupon field with an invalid coupon code.
  8. 8.
    Click on the submit button
  9. 9.
    Note that the page is not accepting invalid coupons
  10. 10.
    Click on the valid token button on top. This will fill the coupon field with a valid coupon code.
  11. 11.
    Click on the submit button
  12. 12.
    You will see an increase in your reward points
  13. 13.
    You will also see you are our preferred customer message
  14. 14.
    Try repeating step number 10 and 11
  15. 15.
    You will see that the application is not accepting the same coupon anymore
We need to find a way to use the coupon code twice. How can we do that? What if we submit the valid coupon twice?
It’s time to slow down TimeGap Theory:
  1. 1.
    On your browser, navigate to the settings page
  2. 2.
    Change the time delay to 5 seconds
  3. 3.
    Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation.
Preparation phase
  1. 1.
    Navigate to the Admin page
  2. 2.
    Click on the reset database button
  3. 3.
    Click on the create default users button
  4. 4.
    Open two browsers side by side (Use private/incognito window if you do not have two browsers)
  5. 5.
    On both the browsers:
    1. 1.
      Navigate to the login page
    2. 2.
      Click on the first user button on top. This will fill the user data for user Tom
    3. 3.
      Submit the form to log in as Tom
    4. 4.
      Navigate to the enter coupon page
    5. 5.
      Note down the current reward points
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
  1. 1.
    Click on the Submit button on the first browser
  2. 2.
    Go to the second browser as soon as you can
  3. 3.
    Click on the Submit button on the second browser
Icon Description automatically generated
That’s it. Let us see the result:
Post-exploitation phase
  1. 1.
    Let us wait for both the browsers to complete the request
  2. 2.
    Check the rewards points on Tom’s account
  3. 3.
    You will see that you got more than 500 points with the help of same coupon
  4. 4.
    If you check your scores, you will see that you have got 100 points for solving the Coupon challenge
  5. 5.
    Don't forget to change the delay to 0 on the settings page.
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
  1. 1.
    Users will use one-time tokens and coupons multiple times
  2. 2.
    Business can suffer from financial issues
Let us review what we did:
  1. 1.
    The enter coupon page limits the number of times one-time coupons can be used
  2. 2.
    You analyzed this behavior by trying to use same coupon multiple times
  3. 3.
    You slowed down the system and bypassed the business logic
  4. 4.
    Now you know how TOC/TOU security issues can affect one-time-use coupons and tokens
We are skipping the automation part for this chapter. The steps would be the same as the Buy Tickets challenge but with a slight change. Since you are trying to apply the coupon to one user account multiple times, you need to get two active sessions for the same user. This can be done by:
  1. 1.
    Navigating the login page on the first browser and logging in as Tom
  2. 2.
    Navigating the login page on the second browser and again logging in as Tom
Without creating two sessions, automation attempts would fail as the application will process requests originating from the same session one by one.
Previous
Challenge 5 – Tickets
Next
Challenge 7 – Ratings
Last modified 2yr ago