Flawed enforcement of business rules
We have to log in using the following credentials:
Username | Password |
---|---|
wiener | peter |
At the top of the page, we can see the following code:
NEWCUST5
If we scroll to the bottom, there is a newsletter that we can sign up for.
Once we sign up for the newsletter, we get another code:
SIGNUP30
Now, all we have to do is add the "Lightweight l33t leather jacket" and apply the coupons in an alternating manner.
This works because the server only rejects a coupon when it is applied immediately after itself; it does not check whether the same coupon was already applied earlier, before a different coupon.
We have solved the lab.
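The flawed check described above, modelled as an added example (not the lab's server code): a hypothetical `Cart` whose `apply_flawed` compares a coupon only against the last one applied, next to `apply_fixed`, which tracks every coupon used on the cart. The class, method names, cart total and discount amounts are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed coupon table: the flat discount amounts are assumptions.
COUPONS = {"NEWCUST5": Decimal("5.00"), "SIGNUP30": Decimal("30.00")}


class Cart:
    """Hypothetical cart model used to compare the two validation rules."""

    def __init__(self, total):
        self.total = Decimal(total)
        self.applied = []  # every coupon accepted so far, in order

    def _discount(self, code):
        # Never let the total go negative.
        self.total = max(Decimal("0"), self.total - COUPONS[code])
        self.applied.append(code)
        return True

    def apply_flawed(self, code):
        """Rejects a coupon only if it equals the one applied immediately before."""
        if code not in COUPONS:
            return False
        if self.applied and self.applied[-1] == code:
            return False
        return self._discount(code)

    def apply_fixed(self, code):
        """Rejects a coupon if it was applied at any earlier point on this cart."""
        if code not in COUPONS or code in self.applied:
            return False
        return self._discount(code)


def replay(method_name, sequence, total="100.00"):
    """Apply `sequence` with the named method; return (accepted flags, final total)."""
    cart = Cart(total)
    results = [getattr(cart, method_name)(code) for code in sequence]
    return results, cart.total


# Constructed regression input: the alternating order from the write-up.
ALTERNATING = ["NEWCUST5", "SIGNUP30", "NEWCUST5", "SIGNUP30"]

if __name__ == "__main__":
    print("flawed:", replay("apply_flawed", ALTERNATING))
    print("fixed: ", replay("apply_fixed", ALTERNATING))
```

The alternating sequence makes a useful regression test for coupon logic: the fixed rule must accept each code once per cart regardless of the order in which codes arrive.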