Flawed enforcement of business rules
This lab has a logic flaw in its purchasing workflow.
Reproduction and proof of concept
Log in with wiener:peter and notice that there is a coupon code,
At the bottom of the page, sign up to the newsletter. You receive another coupon code,
Add the leather jacket to your cart.
Go to the checkout and apply both of the coupon codes to get a discount on your order.
Try applying the codes more than once. Notice that if you enter the same code twice in a row, it is rejected because the coupon has already been applied. However, if you alternate between the two codes, you can bypass this control.
Reuse the two codes enough times to reduce your order total to less than your remaining store credit. Complete the order to solve the lab.
An attacker will need to log in and buy a “Lightweight l33t leather jacket” for a price far lower than intended.
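As an added illustration (not the lab's own code), here is a constructed model of the coupon check behind this flaw: the flawed version only compares the submitted code against the most recently applied one, so alternating two valid codes reuses both indefinitely, while the fixed version rejects any code already applied to the order. The coupon names, discount amounts and jacket price are constructed placeholders, not the lab's real values.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data (not the lab's real codes or prices); amounts in cents.
JACKET_PRICE_CENTS = 133700
COUPONS: dict[str, Callable[[int], int]] = {
    "FLAT_OFF": lambda total: 700,               # constructed: fixed 7.00 off
    "PCT_OFF": lambda total: total * 20 // 100,  # constructed: 20% off current total
}


@dataclass
class Order:
    total: int
    applied: list[str] = field(default_factory=list)


def _discount(order: Order, code: str) -> None:
    order.applied.append(code)
    order.total = max(0, order.total - COUPONS[code](order.total))


def apply_coupon_flawed(order: Order, code: str) -> bool:
    """Vulnerable rule: the 'already applied' check only looks at the last
    coupon, so A, B, A, B, ... is accepted every time."""
    if code not in COUPONS:
        return False
    if order.applied and order.applied[-1] == code:
        return False
    _discount(order, code)
    return True


def apply_coupon_fixed(order: Order, code: str) -> bool:
    """Hardened rule: each code may be applied at most once per order,
    whatever the submission order."""
    if code not in COUPONS or code in order.applied:
        return False
    _discount(order, code)
    return True


def alternate_codes(apply, codes: list[str], rounds: int) -> tuple[int, int]:
    """Submit `codes` in rotation for `rounds` rounds; return (final total,
    number of accepted submissions)."""
    order = Order(total=JACKET_PRICE_CENTS)
    accepted = sum(apply(order, codes[i % len(codes)]) for i in range(rounds * len(codes)))
    return order.total, accepted


if __name__ == "__main__":
    for name, fn in (("flawed", apply_coupon_flawed), ("fixed", apply_coupon_fixed)):
        print(name, alternate_codes(fn, ["FLAT_OFF", "PCT_OFF"], 3))
```

With the flawed rule the total keeps falling on every round of alternation; with the fixed rule only the first application of each code counts.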