Hacking OWASP’s Juice Shop Pt. 47: Forged Coupon


Name:  Forged Coupon

Description: Forge a coupon code that gives you a discount of at least 80%.

Difficulty: 6 star

Category: Cryptographic Issues

Expanded Description: https://pwning.owasp-juice.shop/part2/cryptographic-issues.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Z85 Encoder

Vulnerable Library

Forgotten Sales Backup


In the Forgotten Sales Backup challenge we found a list of gibberish strings in a text file.

They appear to have some similarities.

One of the things I learned when going through each of the libraries during the Vulnerable Library challenge was that Z85 encoding is used on this site.

"sequelize • 
"serve-index": "-1.9" , 
"socket . ion : 
"sqlite3 • " 
"Z85". -0.0" 
"devDependencies " : 

After a quick Google search, I found an online encoder for Z85. Using that online encoder/decoder, I found that each coupon code was simply a formatted string which had been encoded to create coupons.

Using the “MONTHYEAR-PERCENT” format, I then crafted a coupon code intended to give me an 80% discount during the (then) current month.


Now it’s just a matter of buying an item and attempting to redeem the forged discount code. Because I had just read a recipe for a Banana Daiquiri, and because I’m a huge Futurama geek, I opted to buy banana juice as Bender.

Your Basket (bender@juice-sh.op) 
Banana Juice (1000ml)
This may be the end of the Banana Daiquiri as we know it!

Now just add a coupon and click “Redeem”.

My Payment Options 
Add new card 
Pay using wallet 
Add a coupon 
Add a credit or debit card 
Wallet Balance 
Add a coupon code to receive discounts 
Need a coupon code? Follow us on Twitter or Facebook for monthly coupons and other spam! 
Other payment options 
You can review this order before it is finalized. 
> Continue
You successfully solved a challenge: Forged Coupon (Forge a coupon code that gives you a discount of at least 80%.)

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

It’s definitely beating a dead horse at this point, but gathering all of the information I could during previous challenges made this 6 star feel more like a 2 star. I knew the encoding algorithm, the coupon code format, and that the coupon redemption form is authenticated on the client side from previous challenges, so by incorporating all of those data points this only took about 5 minutes to complete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s