Challenge:
Name: Forged Coupon
Description: Forge a coupon code that gives you a discount of at least 80%.
Difficulty: 6 star
Category: Cryptographic Issues
Expanded Description: https://pwning.owasp-juice.shop/part2/cryptographic-issues.html
Tools used:
Burp Suite, FoxyProxy
Resources used:
Methodology:
In the Forgotten Sales Backup challenge we found a list of gibberish strings in a text file.
They appear to have some similarities.
One of the things I learned when going through each of the libraries during the Vulnerable Library challenge was that Z85 encoding is used on this site.
After a quick Google search, I found an online encoder for Z85. Using that online encoder/decoder, I found that each coupon code was simply a formatted string which had been encoded to create coupons.
Using the “MONTHYEAR-PERCENT” format, I then crafted a coupon code intended to give me an 80% discount during the (then) current month.
Now it’s just a matter of buying an item and attempting to redeem the forged discount code. Because I had just read a recipe for a Banana Daiquiri, and because I’m a huge Futurama geek, I opted to buy banana juice as Bender.
Now just add a coupon and click “Redeem”.
Prevention and Mitigation Strategies:
Lessons Learned and Things Worth Mentioning:
It’s definitely beating a dead horse at this point, but gathering all of the information I could during previous challenges made this 6 star feel more like a 2 star. I knew the encoding algorithm, the coupon code format, and that the coupon redemption form is authenticated on the client side from previous challenges, so by incorporating all of those data points this only took about 5 minutes to complete.
Curiosity Kills Colby 