April 28, 2020

Playbook for web coupon and voucher code misuse

By venkat

Fraud investigation is a big job for retail and e-commerce companies. Mass enumeration of coupon numbers, voucher codes, discount tokens, etc. is one of the kinds of fraud they have to investigate.

Description

Identification of valid token codes providing some form of user benefit within the application. The benefit may be a cash alternative, a non-cash credit, a discount, or an opportunity such as access to a limited offer.

OTHER NAMES: Coupon guessing; Voucher, gift card and discount enumeration

SOURCE: https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
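
The enumeration described above shows up in redemption logs as one client submitting many different invalid codes in a short time, whereas a customer who mistypes a code repeats the same one or two values. The following detection sketch is an added example, not part of the original post or the OWASP handbook; the log format, the client ids, the codes and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed redemption log lines: '<ISO time> <client> <code> <result>'."""
    t0 = datetime(2020, 4, 28, 10, 0, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    # c-42: eight different invalid codes in 14 seconds (enumeration pattern)
    lines = [f"{at(seconds=2 * i)} c-42 GIFT{i:04d} invalid" for i in range(8)]
    # c-17: customer mistypes the same code three times, then succeeds
    lines += [f"{at(seconds=5 * i)} c-17 SAVE1O invalid" for i in range(3)]
    lines.append(f"{at(seconds=20)} c-17 SAVE10 valid")
    # c-99: six different invalid codes, but one every two minutes (slow pattern)
    lines += [f"{at(minutes=2 * i)} c-99 PROMO{i:03d} invalid" for i in range(6)]
    return lines

def parse(line):
    ts, client, code, result = line.split()
    return datetime.fromisoformat(ts), client, code, result == "valid"

def find_enumerators(lines, window=timedelta(seconds=60), max_invalid=5):
    """Return {client: peak number of distinct invalid codes inside one window}
    for every client whose peak exceeds max_invalid."""
    recent = defaultdict(deque)  # client -> (time, code) of invalid attempts in window
    peak = {}
    for ts, client, code, ok in sorted(map(parse, lines)):
        if ok:
            continue
        q = recent[client]
        q.append((ts, code))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = len({c for _, c in q})  # retries of one code count once
        if distinct > max_invalid:
            peak[client] = max(peak.get(client, 0), distinct)
    return peak

if __name__ == "__main__":
    print("60 s window :", find_enumerators(sample_log()))
    print("15 min window:", find_enumerators(sample_log(), window=timedelta(minutes=15)))
```

The short window flags only the fast client; the slow one is caught only when a longer window is evaluated as well, so both are worth running side by side. The `client` key here stands for whatever identifier the application can attribute attempts to (account, session, device or IP).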

Playbook

Mitigation

All the steps at https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

References

Real attack instances