Flawed enforcement of business rules


This lab has a logic flaw in its purchasing workflow.

Reproduction and proof of concept

  1. Log in with wiener:peter and notice that there is a coupon code, NEWCUST5.

  2. At the bottom of the page, sign up to the newsletter. You receive another coupon code, SIGNUP30.

Business logic

  1. Add the leather jacket to your cart.

  2. Go to the checkout and apply both of the coupon codes to get a discount on your order.

  3. Try applying the codes more than once. Notice that if you enter the same code twice in a row, it is rejected because the coupon has already been applied. However, if you alternate between the two codes, you can bypass this control.

  4. Reuse the two codes enough times to reduce your order total to less than your remaining store credit. Complete the order to solve the lab.

Business logic


An attacker will need to log in and buy a “Lightweight l33t leather jacket” for a price way less than intended.