#1006

Coupon Replay Prevention

Difficulty: Medium | +100 XP | OWASP A04:2021 Insecure Design | CWE-840
Tags: Business Logic, Replay Attack, Coupon

Scenario

Your e-commerce platform allows customers to redeem discount coupons at checkout. Each redemption is recorded as "userId:couponCode" in a used-coupons list.

The redeemCoupon function currently ignores the used-coupons list entirely, allowing the same user to redeem the same coupon an unlimited number of times.

This replay attack lets an attacker repeatedly apply a high-value coupon to drain promotional budgets or obtain goods at a fraction of their retail price.

Coupon replay is one of the most commonly exploited business-logic flaws in e-commerce. Without server-side redemption tracking, even a coupon intended for single use can be applied indefinitely by the same user.

Your Tasks

  1. Fix redeemCoupon to check whether userId + ":" + couponCode already exists in the usedCoupons list.
  2. Throw 'Coupon already redeemed' if the combination has already been used.
  3. Return { discount: number } — use the known discount lookup (SAVE20 → 20, FREESHIP → 10, anything else → 5) for valid redemptions.

Examples

Example 1: Replay attack (bug)

redeemCoupon('alice', 'SAVE20', ['alice:SAVE20'])
// returns { discount: 20 } — coupon used again!

Example 2: Blocked (fix)

redeemCoupon('alice', 'SAVE20', ['alice:SAVE20'])
// throws Error('Coupon already redeemed')

Constraints

  • Throw exactly 'Coupon already redeemed' — no other message.
  • A different user redeeming the same code is allowed.
  • The same user redeeming a different code is allowed.
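One way to implement the fix described in the tasks and constraints above, as an added example rather than the challenge's reference solution. It assumes the "userId:couponCode" record format and the discount table from the task text; recording the redemption in the list and guarding the lookup against prototype keys are additions beyond what the tasks require.

```javascript
// Added example (not the challenge's reference solution).
// Discount table from the task text; anything else gets the default.
const DISCOUNTS = { SAVE20: 20, FREESHIP: 10 };
const DEFAULT_DISCOUNT = 5;

function redeemCoupon(userId, couponCode, usedCoupons) {
  // Redemptions are recorded as "userId:couponCode" (format from the task).
  const key = `${userId}:${couponCode}`;

  // Replay check: the same user may redeem a given code only once.
  // Other users, and other codes for this user, are unaffected.
  if (usedCoupons.includes(key)) {
    throw new Error('Coupon already redeemed');
  }

  // Record the redemption before returning (assumption: in a real system
  // this would be an atomic insert keyed on userId+couponCode, so two
  // concurrent requests cannot both pass the check above).
  usedCoupons.push(key);

  // hasOwnProperty guards against codes such as "constructor" that would
  // otherwise resolve to inherited properties of the plain object.
  const discount = Object.prototype.hasOwnProperty.call(DISCOUNTS, couponCode)
    ? DISCOUNTS[couponCode]
    : DEFAULT_DISCOUNT;
  return { discount };
}

// Runs a sequence of [userId, couponCode] attempts against one shared
// used-coupons list and reports each outcome instead of throwing, which
// makes the replay rejection visible across a checkout session.
function processRedemptions(attempts, usedCoupons = []) {
  return attempts.map(([userId, couponCode]) => {
    try {
      const { discount } = redeemCoupon(userId, couponCode, usedCoupons);
      return { userId, couponCode, discount };
    } catch (err) {
      return { userId, couponCode, error: err.message };
    }
  });
}
```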
