| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Coupon Stacking / Repeated Application |
| Difficulty | Apprentice |
| Objective | Exploit a logic flaw in the purchasing workflow to buy the "Lightweight l33t leather jacket" |
Flawed Enforcement of Business Rules
I logged in as wiener:peter. The page immediately offered a coupon:
New customers use code at checkout: NEWCUST5
Signing up for the newsletter at the bottom of the shop page:
Two coupons: NEWCUST5 and SIGNUP30. I added the jacket to the cart:
Applied both coupons:
Trying SIGNUP30 again returned "Coupon already applied."
Trying NEWCUST5 — same result.
Then trying SIGNUP30 again after that:
302 Found. It went through. The "already applied" check only prevents applying the exact same coupon twice in a row: it does not track whether a coupon has ever been used on the cart, only which code was applied most recently. When the two codes are alternated, each submission is compared against the other code, so the block never fires. Enforcing the business rule properly means checking the full set of codes already applied to the cart: "has this code been applied before" is a different question from "was this code the last one applied."
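The difference between the two checks, as an added example that is not the lab's code or the page's own: a Python model of a cart whose duplicate check compares only against the last applied code, beside one that checks the full set of applied codes. The coupon table, the response strings and the $1337.00 list price (the price that a 30% reduction of $401.10 implies) are assumptions made for the demo, and the vulnerable cart models the explanation above rather than the lab's real server logic.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed data for this example (not from the lab). The list price is an
# assumption: $1337.00 is the price that a 30% reduction of $401.10 implies.
JACKET_PRICE = Decimal("1337.00")

# Hypothetical coupon table: NEWCUST5 is a flat $5 off, SIGNUP30 is 30% off the
# list price, which matches the per-application reduction of $401.10 seen in the lab.
COUPONS = {
    "NEWCUST5": ("fixed", Decimal("5.00")),
    "SIGNUP30": ("percent", Decimal("30")),
}

APPLIED = "302 Found"            # the redirect the lab returned on success
ALREADY = "Coupon already applied"
INVALID = "Invalid coupon"


def reduction(code, list_price):
    """Dollar amount a single application of `code` removes from the total."""
    kind, value = COUPONS[code]
    if kind == "fixed":
        return value
    pct = list_price * value / Decimal(100)
    return pct.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def cart_total(list_price, applied_codes):
    """Total after every application in `applied_codes`, clamped at $0.00."""
    discount = sum((reduction(c, list_price) for c in applied_codes), Decimal("0.00"))
    return max(list_price - discount, Decimal("0.00"))


class VulnerableCart:
    """Models the flawed check: only the most recently applied code is remembered."""

    def __init__(self, list_price):
        self.list_price = list_price
        self.history = []          # every accepted application, used for the total
        self.last_applied = None

    def apply(self, code):
        if code not in COUPONS:
            return INVALID
        if code == self.last_applied:   # the only duplicate check
            return ALREADY
        self.last_applied = code
        self.history.append(code)
        return APPLIED

    def total(self):
        return cart_total(self.list_price, self.history)


class FixedCart:
    """Hardened check: a code is rejected if it is anywhere in the cart's applied set."""

    def __init__(self, list_price):
        self.list_price = list_price
        self.applied = []          # ordered for the total; membership drives the check

    def apply(self, code):
        if code not in COUPONS:
            return INVALID
        if code in self.applied:        # full-set check, not last-applied
            return ALREADY
        self.applied.append(code)
        return APPLIED

    def total(self):
        return cart_total(self.list_price, self.applied)


def alternate(cart, codes, attempts):
    """Submit `codes` round-robin `attempts` times, as done by hand in the write-up."""
    return [cart.apply(codes[i % len(codes)]) for i in range(attempts)]


def run_demo():
    codes = ["NEWCUST5", "SIGNUP30"]
    vuln = VulnerableCart(JACKET_PRICE)
    vuln_responses = alternate(vuln, codes, 10)     # five rounds of each code
    fixed = FixedCart(JACKET_PRICE)
    fixed_responses = alternate(fixed, codes, 10)
    return {
        "vuln_responses": vuln_responses,
        "vuln_total": str(vuln.total()),
        "vuln_same_code_twice": vuln.apply("SIGNUP30"),   # last applied was SIGNUP30
        "fixed_responses": fixed_responses,
        "fixed_total": str(fixed.total()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable cart all ten alternating submissions are accepted and the total clamps to $0.00; against the fixed cart only the first application of each code goes through and the total stays at $930.90. Note that the vulnerable cart still rejects the same code twice in a row, which is exactly why the flaw looks like a working check until the codes are interleaved.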
I alternated between the two codes until the total hit $0.00:

| Code | Reduction |
|---|---|
| NEWCUST5 | -$5.00 |
| SIGNUP30 | -$401.10 |
| NEWCUST5 | -$5.00 |
| SIGNUP30 | -$401.10 |
| NEWCUST5 | -$5.00 |
| SIGNUP30 | -$401.10 |
| NEWCUST5 | -$5.00 |
| SIGNUP30 | -$401.10 |
| NEWCUST5 | -$5.00 |
| SIGNUP30 | -$401.10 |
| Total | $0.00 |
Placing the order:
And the lab is solved.