#1002

Discount Percentage Validation

Easy · +50 XP · A04:2021 Insecure Design · CWE-840
Business Logic · Discount Validation

Scenario

Your checkout service applies percentage discounts to order prices using applyDiscount(originalPrice, discountPercent).

No bounds check is performed on discountPercent, so a negative value (e.g. -50) actually increases the price instead of reducing it, and a value above 100 makes the discounted price negative — effectively making the platform pay the attacker.

An attacker who can supply the discount percentage (e.g. via a tampered coupon code or API parameter) can exploit either edge to manipulate final payment amounts.

Percentage fields without bounds checks are a classic business logic vulnerability. They are easy to overlook during code review because the calculation formula looks correct — the bug is the missing validation, not the math.

Your Tasks

  1. Fix applyDiscount to validate that discountPercent is between 0 and 100 inclusive.
  2. Throw an error with message 'Invalid discount' if the value is below 0 or above 100.
  3. Return originalPrice * (1 - discountPercent / 100) for valid inputs.

Examples

Example 1: Negative discount increases price (bug)

applyDiscount(100, -50)
// returns 150 — price went up!

Example 2: Blocked (fix)

applyDiscount(100, -50)
// throws Error('Invalid discount')

Constraints

  • Throw exactly 'Invalid discount' — no other message.
  • A discount of exactly 0 (no discount) must be accepted.
  • A discount of exactly 100 (free) must be accepted.
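The unvalidated helper next to a bounds-checked version, as an added example rather than the challenge's reference solution. The strict number/NaN check goes beyond the stated tasks and is an assumption of this example: NaN compares false against every bound and would otherwise pass the range test.

```javascript
// Added example; not the platform's own code.

// Vulnerable form as described in the scenario: no bounds check, so -50
// raises the price and 150 drives it below zero.
function applyDiscountVulnerable(originalPrice, discountPercent) {
  return originalPrice * (1 - discountPercent / 100);
}

// Hardened form: reject anything outside [0, 100] with the exact message the
// challenge requires. The typeof/NaN guard is an extra assumption of this
// example, because NaN < 0 and NaN > 100 are both false.
function applyDiscount(originalPrice, discountPercent) {
  if (
    typeof discountPercent !== 'number' ||
    Number.isNaN(discountPercent) ||
    discountPercent < 0 ||
    discountPercent > 100
  ) {
    throw new Error('Invalid discount');
  }
  return originalPrice * (1 - discountPercent / 100);
}

// Returns the message thrown for a given discount, or null if it was accepted.
function rejectionMessage(discountPercent) {
  try {
    applyDiscount(100, discountPercent);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Walks the edges the constraints call out: 0 and 100 are accepted,
// everything outside the range is rejected with the required message.
function selfCheck() {
  return {
    vulnerableNegative: applyDiscountVulnerable(100, -50), // 150: price went up
    vulnerableOver100: applyDiscountVulnerable(100, 150),  // -50: platform pays
    zero: applyDiscount(100, 0),                            // 100
    full: applyDiscount(100, 100),                          // 0
    quarter: applyDiscount(80, 25),                         // 60
    rejected: [-50, 100.01, NaN].map(rejectionMessage),     // all 'Invalid discount'
  };
}
```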
