The vulnerability exists due to the lack of rate limiting on the coupon code input field. This allowed me to perform a brute-force attack on the coupon codes and obtain active coupons.
I found that the website issued employees some coupons (1000+) which could reduce a price of $100 (8,184 INR) to absolutely zero.
When I tried to buy something from the website for the first time there was an option to apply coupons. I did some googling, found some used coupons, and saw that the syntax was “Coupon-Company-XXXXX”.
So I quickly applied a random coupon and intercepted the request in Burp Suite, and to my surprise the response was:
HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Connection: close
Access-Control-Allow-Origin: https://www.example.com
Vary: Origin
Access-Control-Allow-Credentials: true
X-Application-Context: APIGateway:prod-k8s:8080
CF-Cache-Status: DYNAMIC
Set-Cookie:
Server: cloudflare
CF-RAY:
Content-Length:

{"timestamp":16809496232323,"status":422,"error":"Unprocessable Entity","message":"Coupon is not published yet"}
“XXXXX” in the coupon is nothing but some random letters.
So I invested some time thinking about what to do next, then I came up with an idea: I could just make a 5-letter brute-force dictionary using crunch.
So I did all this and created a custom wordlist with 400000+ combinations (words), then I forwarded the request to Intruder and ran it with my custom wordlist. Yes, we got it, it worked.
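The fix for this class of bug is a per-client attempt limiter in front of the coupon lookup. The following is an added example, not the vendor's code: it assumes a fixed-window counter keyed by a caller identity (session, account or IP in practice), a constructed two-entry coupon table, and the same JSON shape as the 422 response above, and it returns 429 once a client has burned its failed-attempt budget, before the submitted code is even looked up.

```python
"""Per-client failed-attempt limiter for a coupon endpoint (added example)."""
import time
from collections import defaultdict

WINDOW_SECONDS = 600   # assumed policy: 10-minute window
MAX_FAILURES = 10      # assumed policy: failed coupon lookups per window

# Constructed sample coupon table: code -> published flag (not real codes)
COUPONS = {"Coupon-Company-ABCDE": True, "Coupon-Company-FGHIJ": False}


class CouponAttemptLimiter:
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 clock=time.time):
        self.window = window
        self.max_failures = max_failures
        self.clock = clock            # injectable for testing
        self._failures = defaultdict(list)  # client_id -> failure timestamps

    def _prune(self, client_id, now):
        cutoff = now - self.window
        self._failures[client_id] = [t for t in self._failures[client_id]
                                     if t > cutoff]

    def allowed(self, client_id):
        now = self.clock()
        self._prune(client_id, now)
        return len(self._failures[client_id]) < self.max_failures

    def record_failure(self, client_id):
        self._failures[client_id].append(self.clock())


def apply_coupon(limiter, client_id, code):
    """Return (status, body). The limiter is consulted before the lookup, so a
    blocked client learns nothing about the code it sent, valid or not."""
    if not limiter.allowed(client_id):
        return 429, {"status": 429, "error": "Too Many Requests",
                     "message": "Too many coupon attempts; try again later"}
    if COUPONS.get(code):
        return 200, {"status": 200, "message": "Coupon applied"}
    limiter.record_failure(client_id)
    # One generic message for unknown and unpublished codes, so the response
    # does not distinguish real-but-unpublished strings from random guesses.
    return 422, {"status": 422, "error": "Unprocessable Entity",
                 "message": "Coupon cannot be applied"}
```

In a multi-instance deployment the counter would live in shared storage such as Redis rather than in process memory, otherwise each gateway replica hands out its own budget.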