Field        Detail
Platform     PortSwigger Web Security Academy
Type         Business Logic — Infinite Money Loop via Gift Card + Coupon
Difficulty   Practitioner
Objective    Exploit a logic flaw in the purchasing workflow to buy the "Lightweight l33t leather jacket"

Infinite Money Logic Flaw

I logged in as wiener:peter. The account page had a gift card redemption form, and the shop's newsletter signup offered a coupon:

[Screenshot omitted]

SIGNUP30 — 30% off. The site also sells $10 gift cards. Buying one and redeeming it brought store credit back to $100.00.

[Screenshot omitted]

Applying SIGNUP30 to a gift card purchase changed the math:

Item        Price    Qty
Gift Card   $10.00   1
SIGNUP30    -$3.00
Total:      $7.00

Redeeming the resulting code added $10.00 back to the account, a net gain of $3 per cycle. SIGNUP30 has no use limit and is not excluded from gift card purchases, so each cycle buys a $10 gift card for $7 and redeems it for $10; nothing in the workflow stops the loop from repeating indefinitely.
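To make the pricing flaw concrete from the shop's side, here is an added toy model of the checkout and redemption logic (my own illustration, not the lab's code or the author's). The class names, the `hardened` switch and the cent-based amounts are assumptions; the $10 card, the SIGNUP30 30% coupon and the $100 starting credit are the values from the write-up. The vulnerable path reproduces the +$3 per cycle; the hardened path applies two independent controls: discounts are refused on stored-value products, and a gift card is only ever worth what was actually paid for it.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

# Constructed toy model of the purchasing workflow described above; it is not
# the lab's code. Amounts are integer cents to avoid float rounding.
GIFT_CARD_PRICE = 1000            # $10.00 gift card
COUPONS = {"SIGNUP30": 30}        # coupon -> percent off


@dataclass
class Account:
    credit: int = 10000           # $100.00 starting store credit


class Shop:
    """hardened=False reproduces the flaw; hardened=True applies the fixes."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.gift_cards: Dict[str, int] = {}   # code -> redeemable cents

    def buy_gift_card(self, acct: Account, coupon: Optional[str] = None) -> str:
        price = GIFT_CARD_PRICE
        if coupon is not None:
            if coupon not in COUPONS:
                raise ValueError("unknown coupon")
            if self.hardened:
                # Fix 1: discounts never apply to stored-value products;
                # otherwise the shop sells $10 of credit for less than $10.
                raise ValueError("coupon not valid on gift cards")
            # Vulnerable path: 30% off, no use limit, no product restriction.
            price -= price * COUPONS[coupon] // 100
        if acct.credit < price:
            raise ValueError("insufficient credit")
        acct.credit -= price
        code = secrets.token_hex(8)
        # Fix 2 (defence in depth): a card is worth what was actually paid,
        # so even a mis-scoped discount cannot create value from nothing.
        self.gift_cards[code] = price if self.hardened else GIFT_CARD_PRICE
        return code

    def redeem(self, acct: Account, code: str) -> int:
        value = self.gift_cards.pop(code)   # each code redeems exactly once
        acct.credit += value
        return value


def run_cycles(hardened: bool, cycles: int) -> int:
    """Buy a card with SIGNUP30 and redeem it `cycles` times; return final credit."""
    shop, acct = Shop(hardened), Account()
    for _ in range(cycles):
        try:
            code = shop.buy_gift_card(acct, "SIGNUP30")
        except ValueError:
            break                    # hardened shop refuses the coupon
        shop.redeem(acct, code)
    return acct.credit


if __name__ == "__main__":
    print("vulnerable, 5 cycles:", run_cycles(False, 5))   # 11500 cents
    print("hardened,   5 cycles:", run_cycles(True, 5))    # 10000 cents
```

Either fix alone closes the loop; the invariant worth asserting in a real system is that the total redeemable value a shop has issued never exceeds the money it has actually received for it.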

[Screenshot omitted]

Reaching $1337 from $100 at $3/cycle requires about 413 cycles — automation was needed. The full cycle per iteration:

1. POST /cart             → productId=2&redir=PRODUCT&quantity=1
2. POST /cart/coupon      → csrf=...&coupon=SIGNUP30
3. POST /cart/checkout    → csrf=...
4. GET /cart/order-confirmation?order-confirmed=true  (extract gift card code)
5. POST /gift-card        → csrf=...&gift-card=<extracted code>

I set up a Burp session-handling macro covering all five steps. On the GET /cart/order-confirmation request I configured a custom parameter extraction to pull the gift card code from the response body; on the POST /gift-card request I configured it to consume that extracted value. Burp's macro with custom parameter extraction is the right tool for automating multi-step transactional flows where a dynamic value from one response needs to feed into a later request.

[Screenshot omitted]

Testing the macro confirmed store credit increased on each run:

[Screenshot omitted]

I sent any request to Intruder with null payloads and the resource pool set to 1 concurrent request. Sequential execution is essential here — parallel requests would risk the gift card code from step 4 being consumed by a different cycle's step 5, or the coupon erroring when applied concurrently:

[Screenshot omitted]
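From the defender's side, a loop like this leaves a clear trail: a single account that repeatedly buys discounted gift cards and redeems them within seconds, with more credit coming back than money going in. The following added detection script (my own example, not part of the write-up) runs over a small constructed application log; the log format, field names and the two-purchases-per-minute threshold are assumptions, and the dollar amounts mirror the $7 purchase / $10 redemption cycle from the lab.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List

# Constructed sample application log (not from the lab). One line per
# purchase or redemption event, key=value fields, amounts in dollars.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=wiener event=gift_card_purchase coupon=SIGNUP30 paid=7.00 face=10.00
2024-05-01T10:00:02Z user=wiener event=gift_card_redeem value=10.00
2024-05-01T10:00:03Z user=wiener event=gift_card_purchase coupon=SIGNUP30 paid=7.00 face=10.00
2024-05-01T10:00:04Z user=wiener event=gift_card_redeem value=10.00
2024-05-01T10:00:05Z user=wiener event=gift_card_purchase coupon=SIGNUP30 paid=7.00 face=10.00
2024-05-01T10:00:06Z user=wiener event=gift_card_redeem value=10.00
2024-05-01T10:01:00Z user=carlos event=gift_card_purchase coupon=- paid=10.00 face=10.00
2024-05-01T10:01:30Z user=carlos event=gift_card_redeem value=10.00
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def cents(amount: str) -> int:
    """Dollar string -> integer cents, so sums are exact."""
    return int(round(float(amount) * 100))


def parse(log: str) -> Iterator[dict]:
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec.update(KV_RE.findall(rec.pop("rest")))       # remaining key=value pairs
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def analyse(log: str, max_purchases_per_minute: int = 2) -> Dict[str, dict]:
    """Per user: net credit created and peak gift-card purchases per minute."""
    paid: Dict[str, int] = defaultdict(int)
    redeemed: Dict[str, int] = defaultdict(int)
    per_minute: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for rec in parse(log):
        user = rec["user"]
        if rec["event"] == "gift_card_purchase":
            paid[user] += cents(rec["paid"])
            per_minute[user][rec["ts"].strftime("%Y-%m-%dT%H:%M")] += 1
        elif rec["event"] == "gift_card_redeem":
            redeemed[user] += cents(rec["value"])
    findings: Dict[str, dict] = {}
    for user in set(paid) | set(redeemed):
        net = redeemed[user] - paid[user]
        burst = max(per_minute[user].values(), default=0)
        flags: List[str] = []
        if net > 0:
            flags.append("value_created")   # shop issued more credit than it received
        if burst > max_purchases_per_minute:
            flags.append("rapid_cycling")   # purchase rate consistent with automation
        findings[user] = {"net_cents": net, "max_per_minute": burst, "flags": flags}
    return findings


if __name__ == "__main__":
    for user, f in sorted(analyse(SAMPLE_LOG).items()):
        print(user, f)
```

The `value_created` check is the one that matters: it flags the broken invariant directly, independent of how fast the attacker cycles. The rate check is a secondary signal that would also surface the sequential Intruder run described above.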

After 200–300 iterations:

[Screenshot omitted]

Store credit exceeded $1337. Added the jacket and placed the order:

[Screenshot omitted]

Lab solved, now we are rich :P
