#1003

Discount Code Stacking

Medium | +100 XP | A04:2021 Insecure Design | CWE-840 | Business Logic | Coupon Abuse

Scenario

Your checkout service allows customers to apply multiple discount codes to an order, each reducing the price by a set percentage.

The applyDiscountCodes function applies all supplied codes additively without checking whether the combined discount exceeds 100%, allowing an attacker to stack codes until the order total becomes zero or negative.

By submitting a carefully chosen set of duplicate or complementary codes, an attacker can obtain products for free or force the platform into a negative-balance transaction.

Coupon stacking attacks are regularly used to obtain goods for free on e-commerce platforms. A missing aggregate check is all an attacker needs — even if each individual code is perfectly valid.

Your Tasks

  1. Fix applyDiscountCodes to sum all applicable discounts and validate the total before applying.
  2. Throw 'Discount stack limit exceeded' if the combined discount percentage is greater than 100.
  3. Return price * (1 - totalDiscount / 100) for valid discount combinations.

Examples

Example 1: Stacking to free (bug)

applyDiscountCodes(100, ['SAVE70','SAVE70'], validCodes)
// returns -40 — price went negative!

Example 2: Blocked (fix)

applyDiscountCodes(100, ['SAVE70','SAVE70'], validCodes)
// throws Error('Discount stack limit exceeded')

Constraints

  • Throw exactly 'Discount stack limit exceeded' — no other message.
  • Unknown codes should be ignored (contribute 0% discount) rather than throwing.
  • A total discount of exactly 100 must be accepted (100% off is valid).
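The vulnerable function next to the fixed one, as an added example for this page and not the challenge's own solution.js; it assumes validCodes is a plain object mapping each code to its percentage (the page does not define its shape) and uses a constructed code table.

```javascript
// Added example; not the challenge's solution file.
// Assumption: validCodes is a plain object mapping code -> percentage.
// Constructed lookup table used by the calls below.
const validCodes = { SAVE70: 70, SAVE50: 50, SAVE30: 30 };

// BEFORE (vulnerable): every code subtracts its own share of the original
// price, so nothing stops the running total from dropping below zero.
function applyDiscountCodesVulnerable(price, codes, validCodes) {
  let total = price;
  for (const code of codes) {
    const pct = validCodes[code] || 0;
    total -= (price * pct) / 100;
  }
  return total;
}

// AFTER (fixed): aggregate first, validate the sum, then apply once.
function applyDiscountCodes(price, codes, validCodes) {
  let totalDiscount = 0;
  for (const code of codes) {
    // Unknown codes contribute 0% instead of throwing; the own-property
    // check also stops names like 'constructor' resolving via the prototype.
    const pct = Object.prototype.hasOwnProperty.call(validCodes, code)
      ? Number(validCodes[code])
      : 0;
    totalDiscount += pct;
  }
  // Exactly 100 is allowed; only a sum above 100 is rejected.
  if (totalDiscount > 100) {
    throw new Error('Discount stack limit exceeded');
  }
  return price * (1 - totalDiscount / 100);
}

// Reports the fixed function's outcome as a plain value so a caller can
// inspect the rejection message without its own try/catch.
function tryApply(price, codes) {
  try {
    return { ok: true, total: applyDiscountCodes(price, codes, validCodes) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(applyDiscountCodesVulnerable(100, ['SAVE70', 'SAVE70'], validCodes)); // -40
console.log(tryApply(100, ['SAVE70', 'SAVE70'])); // { ok: false, error: 'Discount stack limit exceeded' }
console.log(tryApply(100, ['SAVE70', 'SAVE30'])); // { ok: true, total: 0 }
console.log(tryApply(100, ['SAVE50', 'BOGUS']));  // { ok: true, total: 50 }
```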
