April 28, 2020

Playbook for web coupon and voucher code misuse

By venkat

Fraud investigation is a big job for the retail and e-commerce companies. Mass enumeration of coupon numbers, voucher codes, discount tokens, etc. is one of them.

Description

Identification of valid token codes providing some form of user benefit within the application. The benefit may be a cash alternative, a non-cash credit, a discount, or an opportunity such as access to a limited offer.

OTHER NAMES: Coupon guessing; Voucher, gift card and discount enumeration

SOURCE: https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

Playbook

Web-Token-Cracking — Click for LIVE PREVIEW on Kanban Boards.

Mitigation

All the steps at https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

References

Real attack instances

TagsCoupon guessing gift card and discount enumeration Voucher

About The Author

venkat

Venkat is founder of FlexibleIR. He brings 20 years of experience in building tools and products at Sun Microsystems, Intel, Novell, HP, Yahoo,Tesco and startups. He has developed test suites and frameworks for post silicon validation of the Xeon processor family (Fuzzing). He has worked deeply on UFS files system at SUN Microsystem. Was a security paranoid at Yahoo.