In the world of online shopping, promo codes are a popular method for consumers to access discounts, special offers, and free products. However, when the security behind these promo codes is compromised, it can lead to major vulnerabilities, resulting in significant financial loss for businesses. This article highlights an issue discovered in a promotional code verification mechanism that allowed attackers to bypass payment, obtaining products for free.

The target online store was a e-commerce platform that allows users to purchase a wide variety of products, ranging from tech gadgets to lifestyle items. In addition, the platform runs promotional campaigns, providing users with discount codes and special offers. These promos are a key part of the store’s marketing strategy, enabling customers to access exclusive deals and incentives, such as discounted purchases. However, the flaw in the promo code verification system presented a significant vulnerability that could be exploited by an attacker.

The vulnerability lies in the store’s promo code verification mechanism, which allowed attackers to exploit the system by brute-forcing the numeric part of the promo code. The promo codes followed a predictable format, with a fixed alphabetic prefix like PROMO123456. The verification process only checked the validity of the numeric part ‘123456’, leaving the alphabetic prefix ‘PROMO’ static and vulnerable to manipulation. The vulnerable POST request to redeem the promo codes was:

POST /v2/rest/shoppingcarts/ID/promocodes/ HTTP/2
Host: api.targetstore.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-Authorization: VALUE
Content-Length: 15
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Te: trailers
{"Code":"PROMO123456"}

By systematically iterating through possible numeric values using tools like Burp Suite’s Intruder, attackers were able to generate valid promo codes, causing the payment amount to be reduced to zero. This flaw allowed for the acquisition of products without any charge, effectively exploiting the promo code system to get free items from the store.

The above image shows a lot of 200 status code responses, meaning the promo codes were successfully identified via brute-forcing. This indicates that the server did not implement proper validation and rate-limiting, allowing attackers to systematically test a range of values until valid codes were discovered, ultimately granting them unauthorized access to promotional discounts on various items.

To wrap up, this attack highlights a significant weakness in the handling of promo codes, underscoring the need for security controls to prevent such exploitation. Without these safeguards, attackers can easily exploit weak systems to gain unauthorized benefits. If you enjoyed this report and would like to stay updated with my work, don’t forget to follow me on Twitter and LinkedIn!