API Payments 05

This exercise covers how to abuse a shopping cart that allows users to apply a voucher.

< 1 Hr.
API Badge


In this challenge, your goal is to identify and exploit a vulnerability in the voucher management system of the application. You are provided with a voucher code, HACKTHEPLANET, which has a value of 20. The key to this challenge is to find a way to manipulate the discount stored in your signed session.

The process involves a user shopping on an online store, applying a voucher to lower the payment amount, and then proceeding through a payment gateway. When the voucher is applied, the session changes because the discount is stored in the session. To perform an attack, you must add items to your cart, apply the voucher multiple times while updating the session ID each time, and then complete the payment to retrieve the challenge key. The key aspect is to ensure the discount amount is always updated to the latest one in your session.
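From the defender's side, the weakness above is that a signed session proves only that the server issued the value, not that the voucher was redeemed once. The following is an added example, not code from the exercise or from PentesterLab. It assumes the application adds the voucher value to a `discount` field in an HMAC-signed session on each request; the key, the `cart_id` field, the function names and the in-memory ledger are all hypothetical.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"      # constructed value, for this example only
VOUCHERS = {"HACKTHEPLANET": 20}      # code and value as given in the exercise text
REDEEMED = {}                         # hypothetical server-side ledger: cart id -> set of codes

def sign(session):
    """Serialize the session and append an HMAC, like a signed cookie."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{mac}"

def load(cookie):
    """Verify the HMAC and return the session. This checks integrity, not business rules."""
    body, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def apply_voucher_weak(cookie, code):
    """Weak: the running discount lives in the session and no redemption is recorded."""
    session = load(cookie)
    session["discount"] = session.get("discount", 0) + VOUCHERS[code]
    return sign(session)

def apply_voucher_hardened(cookie, code):
    """Hardened: record the redemption server-side; the session carries no amount."""
    session = load(cookie)
    if code not in VOUCHERS:
        raise KeyError("unknown voucher")
    REDEEMED.setdefault(session["cart_id"], set()).add(code)  # set makes repeats a no-op
    return cookie

def checkout_total(cookie, subtotal):
    """Recompute the discount from the ledger at payment time and floor the total at zero."""
    session = load(cookie)
    discount = sum(VOUCHERS[c] for c in REDEEMED.get(session["cart_id"], ()))
    return max(subtotal - discount, 0)

if __name__ == "__main__":
    weak = hard = sign({"cart_id": "cart-1"})
    for _ in range(3):                # same voucher submitted three times
        weak = apply_voucher_weak(weak, "HACKTHEPLANET")
        hard = apply_voucher_hardened(hard, "HACKTHEPLANET")
    print("weak session discount:", load(weak)["discount"])
    print("hardened total on 100:", checkout_total(hard, 100))
```

In a real deployment the ledger would be a database table with a uniqueness constraint on (cart, voucher), so concurrent requests cannot both record a redemption.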
