| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Infinite Money Loop via Gift Card + Coupon |
| Difficulty | Practitioner |
| Objective | Exploit a logic flaw in the purchasing workflow to buy the "Lightweight l33t leather jacket" |
# Infinite Money Logic Flaw
I logged in as wiener:peter. The account page had a gift card redemption form, and the shop's newsletter signup offered a coupon:
SIGNUP30 — 30% off. The site also sells $10 gift cards. Buying one and redeeming it brought store credit back to $100.00.
Applying SIGNUP30 to a gift card purchase changed the math:
| Item | Price | Qty |
|---|---|---|
| Gift Card | $10.00 | 1 |
| SIGNUP30 | -$3.00 | |
| Total | $7.00 | |
Redeeming the resulting code added $10.00 back to the account — net +$3 per cycle. SIGNUP30 has no use limit and no restriction on gift card purchases, so buying a $10 gift card for $7 and redeeming it for $10 is a $3 profit with no safeguard preventing infinite repetition.
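To make the flaw concrete from the server's side, here is an added model of the lab's pricing logic (constructed example, not PortSwigger's code): the same `checkout`/`redeem` functions run under a policy that mirrors the lab (coupon valid on gift cards, no use limit) and under a hardened policy (coupon rejected on gift-card SKUs, single use per account). Product ids, prices and the `Policy` fields are assumptions that follow the numbers in the write-up.

```python
import math
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Constructed catalogue/coupon data mirroring the lab's figures (assumption).
GIFT_CARD = {"id": 2, "name": "Gift Card", "price": Decimal("10.00"), "is_gift_card": True}
COUPONS = {"SIGNUP30": Decimal("0.30")}  # 30% off

@dataclass
class Account:
    credit: Decimal = Decimal("100.00")
    coupons_used: set = field(default_factory=set)

@dataclass
class Policy:
    coupon_on_gift_cards: bool  # vulnerable: True  (discount applies to stored-value items)
    coupon_single_use: bool     # vulnerable: False (coupon can be reused forever)

def checkout(acct: Account, product: dict, coupon: Optional[str], policy: Policy) -> Decimal:
    """Charge the account and return the amount actually paid; raises if the coupon is refused."""
    total = product["price"]
    if coupon:
        if coupon not in COUPONS:
            raise ValueError("unknown coupon")
        if policy.coupon_single_use and coupon in acct.coupons_used:
            raise ValueError("coupon already used")
        if product["is_gift_card"] and not policy.coupon_on_gift_cards:
            raise ValueError("coupon not valid on gift cards")
        total -= (total * COUPONS[coupon]).quantize(Decimal("0.01"))
    if acct.credit < total:
        raise ValueError("insufficient credit")
    acct.credit -= total
    if coupon:
        acct.coupons_used.add(coupon)
    return total

def redeem(acct: Account, product: dict) -> None:
    """A gift card always credits its face value, regardless of what was paid for it."""
    acct.credit += product["price"]

def run_cycle(acct: Account, policy: Policy) -> Decimal:
    """One buy-gift-card-then-redeem loop; returns the net change in store credit."""
    before = acct.credit
    try:
        checkout(acct, GIFT_CARD, "SIGNUP30", policy)
    except ValueError:
        checkout(acct, GIFT_CARD, None, policy)  # coupon refused: pay full price
    redeem(acct, GIFT_CARD)
    return acct.credit - before

def cycles_to_reach(start: Decimal, target: Decimal, net_per_cycle: Decimal) -> int:
    """How many profitable cycles it takes to reach the target credit."""
    return math.ceil((target - start) / net_per_cycle)

VULNERABLE = Policy(coupon_on_gift_cards=True, coupon_single_use=False)
HARDENED = Policy(coupon_on_gift_cards=False, coupon_single_use=True)
```

Under `VULNERABLE` each cycle nets +$3.00 and `cycles_to_reach` gives the 413 cycles mentioned below; under `HARDENED` the coupon is refused on the gift card and the cycle nets $0.00.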
Reaching $1337 from $100 at $3/cycle requires about 413 cycles — automation was needed. The full cycle per iteration:
1. POST /cart → productId=2&redir=PRODUCT&quantity=1
2. POST /cart/coupon → csrf=...&coupon=SIGNUP30
3. POST /cart/checkout → csrf=...
4. GET /cart/order-confirmation?order-confirmed=true (extract gift card code)
5. POST /gift-card → csrf=...&gift-card=<extracted code>
I set up a Burp session-handling macro covering all five steps. On the GET /cart/order-confirmation request I configured a custom parameter extraction to pull the gift card code from the response body; on the POST /gift-card request I configured it to consume that extracted value. Burp's macro with custom parameter extraction is the right tool for automating multi-step transactional flows where a dynamic value from one response needs to feed into a later request.
Testing the macro confirmed store credit increased on each run.
I sent any request to Intruder with null payloads and resource pool set to 1 concurrent request. Sequential execution is essential here — parallel requests would risk the gift card code from step 4 being consumed by a different cycle's step 5, or the coupon erroring on concurrent application.
After 200–300 iterations:
Store credit exceeded $1337. Added the jacket and placed the order.
Lab solved, now we are rich :P