akto icon indicating copy to clipboard operation
akto copied to clipboard

Published 20 hours ago verified publisher icon akto-api-security

⛏️ Write a test to check if a user can redeem the same coupon code multiple times

Open aktoboy opened this issue 1 year ago • 16 comments

💭 Introduction: We want to test whether an attacker can redeem the same coupon multiple times by exploiting race condition vulnerability.

🎯 Requirements:

  1. Filters - This test should run on apis which are used to redeem coupons. You can choose an API that has a query-param named "coupon".

  2. Execute - Re-run the same request without any changes

  3. Validate - If we get 90% response match, then it is vulnerable

The test should correctly detect whether the api is vulnerable to race condition.

✅ Task summary:

  • [ ] Ask to be assigned to the issue.
  • [ ] Wait to be assigned. We will try to assign in less than 2 hours.
  • [ ] Signup for Akto
  • [ ] Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
  • [ ] Submit both the PR here.

📚 Reading You can find a detailed documentation of test editor rules here Find 100+ examples of YAML tests here

🙋🏼‍♂️ Questions: If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

aktoboy avatar Mar 07 '23 06:03 aktoboy

@aktoboy I want to work on this issue please assign it to me.

roshhni97 avatar Mar 14 '23 05:03 roshhni97

Thanks for your interest 🎉

Assigning to you! Happy hackfesting 🥳

Ankita28g avatar Mar 14 '23 10:03 Ankita28g

Hey @Roshani9731, let me know if you need any help with this issue.

aktoboy avatar Mar 17 '23 05:03 aktoboy

Hi @Roshani9731 do you need any help with this?

Ankita28g avatar Mar 18 '23 11:03 Ankita28g

Hi @Roshani9731 are you still working on this?

Ankita28g avatar Mar 27 '23 13:03 Ankita28g

Hi @Roshani9731 thanks for your submission in Hackfest. 🔥 We are reviewing your work. Do these two below:

  1. Join this group on discord for discussions around prizes? 🚀 🏆
  2. Please fill this form your PR to be considered for prizes!

Ankita28g avatar Apr 11 '23 09:04 Ankita28g

@ankush-jain-akto - I can work on this test. Could you please assign the same to me.

harshalkh avatar Oct 13 '23 15:10 harshalkh

@Ankita28g @ankush-jain-akto hii there! i want to work on the test to check if a user can redeem the same coupon code multiple times #175. could you assign me this issue.

Anurag-space avatar Oct 14 '23 19:10 Anurag-space

@Ankita28g @ankush-jain-akto I have raised a PR for this one. Please review and let me know if any suggestions/changes. https://github.com/akto-api-security/tests-library/pull/21

harshalkh avatar Oct 17 '23 02:10 harshalkh

Hey @Ankita28g @ankush-jain-akto !! Can you please assign me this issue ?? I would love to contribute to it.

SanchitMahajan236 avatar Oct 18 '23 20:10 SanchitMahajan236

@harshalkh your YAML seems to be invalid. Logic is correct but please run the template on some valid endpoint before you make a PR.

avneesh-akto avatar Oct 19 '23 06:10 avneesh-akto

@harshalkh your YAML seems to be invalid. Logic is correct but please run the template on some valid endpoint before you make a PR.

@avneesh-akto - i have made changes and tested on Test editor. please check now. https://github.com/akto-api-security/tests-library/pull/21

harshalkh avatar Oct 20 '23 10:10 harshalkh

Hello @harshalkh , could you please make a minor adjustment? Instead of solely searching for the coupon in the query parameters, could you also check for it in the request body? Thank you! Rest looks good to me

avneesh-akto avatar Oct 22 '23 14:10 avneesh-akto

Also change target branch to develop instead of master

avneesh-akto avatar Oct 22 '23 14:10 avneesh-akto

Also change target branch to develop instead of master

@avneesh-akto - requested changes done.. akto-api-security/tests-library#29

Also pls assign this issue to me.

harshalkh avatar Oct 24 '23 13:10 harshalkh

Looks good @harshalkh.

avneesh-akto avatar Oct 27 '23 10:10 avneesh-akto