siunam's Website


Flawed enforcement of business rules | Dec 19, 2022

Introduction

Welcome to another one of my writeups! In this PortSwigger Labs lab, you'll learn about flawed enforcement of business rules. Without further ado, let's dive in.

Background

This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a “Lightweight l33t leather jacket”.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

Here we can see a coupon code: NEWCUST5.

Let’s try to buy the leather jacket:

Then go to /cart page:

Now, let’s try to apply the NEWCUST5 coupon:

Now the total price is reduced by 5 dollars!

Hmm… What if we could apply that coupon an unlimited number of times?

Well, we can’t do that. Let’s remove that item from our cart.

After poking around the website, I found that there is a newsletter subscription:

Let’s try to sign up!

We have one more coupon: SIGNUP30.

Hmm… Let’s add the leather jacket to our cart, and test the coupon again:

Now let's try to apply the coupon again:

Wait, what? We can apply duplicate coupons!

Let’s apply those coupons until the total price is below $100.00!

Let’s click the Place order button!

We did it!
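To make the flaw concrete, here is an added example (my own code, not the lab's source) with a cart whose coupon check reproduces the behaviour seen above beside a hardened one. The flawed cart's "compare against the last applied coupon only" rule is an assumption that matches what we observed (the same code twice in a row is refused, but a second code unlocks the first again); the jacket price, the discount amounts and the one-coupon-per-order policy are constructed values. The `alternate_coupons` helper is a regression check a defender can run against the cart logic: a correct implementation stops the sequence at its policy limit, the flawed one keeps accepting.

```python
"""Coupon handling: a flawed duplicate check beside a hardened one.

Added example, not the lab's source. Prices, discounts and the
one-coupon-per-order policy are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample catalogue, not the lab's real data.
JACKET_PRICE_CENTS = 133_700                      # $1337.00
COUPONS = {"NEWCUST5": 500, "SIGNUP30": 3000}     # flat discounts in cents


class CouponError(ValueError):
    """Raised when a coupon cannot be applied."""


@dataclass
class FlawedCart:
    """Assumed implementation reproducing the behaviour in the writeup.

    The only rule enforced is "not the same code twice in a row", so once
    a second code exists the two can be alternated and discounts stack.
    """
    subtotal_cents: int
    applied: list = field(default_factory=list)

    def apply_coupon(self, code: str) -> int:
        if code not in COUPONS:
            raise CouponError("unknown coupon")
        if self.applied and self.applied[-1] == code:   # looks at the last one only
            raise CouponError("coupon already applied")
        self.applied.append(code)
        return self.total_cents()

    def total_cents(self) -> int:
        return self.subtotal_cents - sum(COUPONS[c] for c in self.applied)


@dataclass
class HardenedCart:
    """Enforces the business rule over the whole order, not the last request."""
    subtotal_cents: int
    applied: set = field(default_factory=set)
    max_coupons: int = 1                # constructed policy: one coupon per order

    def apply_coupon(self, code: str) -> int:
        if code not in COUPONS:
            raise CouponError("unknown coupon")
        if code in self.applied:                        # any earlier use counts
            raise CouponError("coupon already applied to this order")
        if len(self.applied) >= self.max_coupons:
            raise CouponError("coupon limit reached for this order")
        self.applied.add(code)
        return self.total_cents()

    def total_cents(self) -> int:
        discount = sum(COUPONS[c] for c in self.applied)
        return max(self.subtotal_cents - discount, 0)   # total can never go negative


def alternate_coupons(cart, codes, max_rounds=100):
    """Regression check: alternate the codes until the cart refuses one.

    Returns (accepted_count, final_total_cents). A correct cart stops at
    its policy limit; the flawed cart keeps accepting until max_rounds.
    """
    accepted = 0
    for i in range(max_rounds):
        try:
            cart.apply_coupon(codes[i % len(codes)])
        except CouponError:
            break
        accepted += 1
    return accepted, cart.total_cents()


if __name__ == "__main__":
    for cls in (FlawedCart, HardenedCart):
        n, total = alternate_coupons(cls(JACKET_PRICE_CENTS), ["NEWCUST5", "SIGNUP30"], max_rounds=10)
        print(f"{cls.__name__}: {n} coupons accepted, total ${total / 100:.2f}")
```

The point of the hardened version is that the rule "one use per coupon per order" is tracked as server-side order state (the set of applied codes), so it holds no matter what order the requests arrive in; checking only the previous request is what turns a price cap into a suggestion.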

What we’ve learned:

  1. Flawed enforcement of business rules