Ciphered Cart
NovaStore's promo-code endpoint leaks one bit per request. The storefront only tells you "applied" or "invalid" — nothing more. Pry the hidden admin-vault secret out one boolean at a time. Requests are rate-limited, so brute force will not save you.
The Scenario
NovaStore's ops team hardened almost every form on the site after last year's breach. Almost. A junior engineer "fixed" the promo-code validator by adding rate limiting — but forgot to prepare the statement. One bit of signal per request is all you need.
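The gap described above, as an added example (not NovaStore's or the lab's own code): a validator that concatenates the promo code into SQL still answers a caller-chosen condition with "applied" or "invalid" even behind a rate limit, while a bound parameter treats the same input as plain data. The table layout, function names, RateLimiter class and sample values are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a single valid promo code.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE promo_codes (code TEXT PRIMARY KEY, percent_off INTEGER)")
    db.execute("INSERT INTO promo_codes VALUES ('SPRING10', 10)")
    return db

class RateLimiter:
    """Hypothetical per-client request budget standing in for the site's rate limit."""
    def __init__(self, budget):
        self.budget = budget
        self.used = {}

    def allow(self, client):
        self.used[client] = self.used.get(client, 0) + 1
        return self.used[client] <= self.budget

def validate_vulnerable(db, limiter, client, code):
    if not limiter.allow(client):
        return "rate-limited"
    # The flaw: user input becomes part of the SQL text itself.
    sql = "SELECT 1 FROM promo_codes WHERE code = '" + code + "'"
    return "applied" if db.execute(sql).fetchone() else "invalid"

def validate_fixed(db, limiter, client, code):
    if not limiter.allow(client):
        return "rate-limited"
    # Bound parameter: the input is compared as a value, never parsed as SQL.
    row = db.execute("SELECT 1 FROM promo_codes WHERE code = ?", (code,)).fetchone()
    return "applied" if row else "invalid"

def demo():
    db = make_db()
    # Constructed inputs: a real code, an always-true and an always-false condition.
    inputs = ["SPRING10", "x' OR 1=1 --", "x' OR 1=2 --", "SPRING10"]
    results = {}
    for name, fn in (("vulnerable", validate_vulnerable), ("fixed", validate_fixed)):
        limiter = RateLimiter(budget=3)  # fourth request exceeds the budget
        results[name] = [fn(db, limiter, "client-1", c) for c in inputs]
    return results

if __name__ == "__main__":
    for name, answers in demo().items():
        print(name, answers)
```

In the vulnerable path the response tracks the truth of the injected condition, which is the one-bit signal the scenario refers to; the rate limiter only caps how many such answers a client gets, it does not remove the signal.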
Challenge Intel
Synopsis
A boolean-blind SQL injection lab set in a storefront where each request leaks a single bit of truth.
What It Is
NovaStore's promotional-code flow returns only a binary result per submission, but that's enough signal to rebuild hidden records if you're patient and precise. Rate limiting means you'll need an efficient extraction strategy rather than brute force. A classic blind SQLi scenario dressed up in a modern e-commerce skin.
Who It's For
Intermediate-to-advanced testers who want realistic practice with blind extraction against a rate-limited target.
Skills You'll Practice
- Blind SQL injection under sparse feedback
- Binary-search bit extraction techniques
- Working within aggressive rate limits
- Schema enumeration through inference
- Scripting reliable oracles for blind attacks
What You'll Gain
- Confidence attacking targets that refuse to tell you anything verbose
- A repeatable pattern for extracting data one bit at a time
- Intuition for how rate limiting changes blind-attack economics
- Fluency translating 'applied or not' into full record recovery