PortSwigger's "Flawed enforcement of business rules" Walkthrough

This is a writeup for the “Flawed enforcement of business rules” lab from PortSwigger Academy. For this walkthrough, you’ll need a PortSwigger Academy account.

Log in to your Academy account and then view the lab at https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-flawed-enforcement-of-business-rules. This is accessible from the “all labs” view or from the Business Logic Flaws page.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. Its URL will be in the format https://<random string here>.web-security-academy.net/.

We once again need to buy a “l33t” jacket that costs $1337, when we only have $100 in credits.

Here’s the website:

We’ll first need to log in. Then we can add the jacket to our cart and go to the /cart page to check out. Since we only have $100, we won’t be able to Place Order successfully.

If we add the CUST5 coupon, we get a measly $5 off:

We’ll have to figure out another way to reduce the cost of our cart.

What Doesn’t Work

Trying the same CUST5 coupon repeatedly doesn’t work:

Guessing other valid coupons (CUST10, for example) doesn’t work either:

It turns out the CUST5 coupon by itself won’t get us anywhere near the price. But if we sign up for the newsletter at the bottom of the homepage, we get a 30% off coupon. First, we’ll have to go to our account page and set an email address:

Then use this to get the coupon, SIGNUP30:

That gets us about $400 off our total, but it’s still not enough.

Signing up for the newsletter, applying the 30% off to a cart with multiple items, and then removing items in the hope that the original discount (as an absolute dollar amount) stays the same doesn’t work either. This idea came from PortSwigger’s business logic flaws page:

Lab Solution

As it turns out, what does work is alternating coupons. Apply a SIGNUP30 coupon for 30% off, then add a CUST5 coupon:

If we add another CUST5 coupon, we get an error:

But if we add a SIGNUP30, it’s successful:

We simply need to repeat this alternating pattern, and not submit any coupons twice in a row. Eventually, we will have enough of a discount that the item is free:

Then we can purchase it, and solve the lab:

The logic flaw likely came from assuming a customer would only apply one coupon, so checking only the first (or latest) coupon for duplicates wouldn’t catch an alternating pattern like the one we used.
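To make the suspected flaw concrete, here is an added cart model (example code, not the lab’s or PortSwigger’s own implementation). It assumes, as the paragraph above does, that the vulnerable server only compares a newly submitted coupon against the most recently applied one; the hardened version instead keeps the full set of coupons already applied to the order and rejects any repeat. The coupon codes and the $1337 price are the ones from the lab; the discount arithmetic and class names are assumptions made for the illustration.

```python
"""Coupon-stacking check: flawed (last-coupon-only) vs. hardened (all-coupons) validation."""
from __future__ import annotations

JACKET_PRICE = 1337.00  # lab price of the "l33t" jacket

# The two coupons seen on the page. Values are an assumption about how
# the discounts are computed ("fixed" dollars off, or "percent" off).
COUPONS = {
    "CUST5": ("fixed", 5.0),
    "SIGNUP30": ("percent", 30.0),
}


def apply_discount(total: float, code: str) -> float:
    """Apply one coupon to a running total, never going below zero."""
    kind, value = COUPONS[code]
    if kind == "fixed":
        return max(0.0, total - value)
    return max(0.0, total * (1.0 - value / 100.0))


class FlawedCart:
    """Mirrors the suspected lab behaviour: only the latest coupon is compared."""

    def __init__(self, price: float) -> None:
        self.total = price
        self.applied: list[str] = []

    def add_coupon(self, code: str) -> float:
        if code not in COUPONS:
            raise ValueError("Invalid coupon")
        # FLAW: a duplicate is only detected if it immediately follows itself,
        # so A, B, A, B, ... slips through.
        if self.applied and self.applied[-1] == code:
            raise ValueError("Coupon already applied")
        self.applied.append(code)
        self.total = apply_discount(self.total, code)
        return self.total


class HardenedCart:
    """Tracks every coupon applied to the order; each code is usable once."""

    def __init__(self, price: float) -> None:
        self.total = price
        self.applied: set[str] = set()

    def add_coupon(self, code: str) -> float:
        if code not in COUPONS:
            raise ValueError("Invalid coupon")
        # FIX: membership in the full set of applied coupons, not just the last one.
        if code in self.applied:
            raise ValueError("Coupon already applied")
        self.applied.add(code)
        self.total = apply_discount(self.total, code)
        return self.total


def alternate_until_rejected(cart, codes=("SIGNUP30", "CUST5"), max_rounds: int = 50) -> float:
    """Submit the codes in rotation until the cart rejects one or hits zero.

    Returns the final total so the two cart implementations can be compared.
    """
    for i in range(max_rounds * len(codes)):
        try:
            cart.add_coupon(codes[i % len(codes)])
        except ValueError:
            break
        if cart.total == 0.0:
            break
    return round(cart.total, 2)


if __name__ == "__main__":
    print("flawed   :", alternate_until_rejected(FlawedCart(JACKET_PRICE)))   # 0.0
    print("hardened :", alternate_until_rejected(HardenedCart(JACKET_PRICE)))  # 930.9
```

The hardened cart stops after one SIGNUP30 and one CUST5 (1337 × 0.7 − 5 = 930.90), which is exactly the “about $400 off, but still not enough” situation from earlier in the walkthrough; the flawed cart drifts to $0 because each rotation passes the last-coupon check. Server-side, the set of applied coupons should live with the order record, not be inferred from whatever the client sent most recently.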