Ciphered Cart
NovaStore's promo-code endpoint leaks one bit per request. The storefront only tells you "applied" or "invalid" — nothing more. Pry the hidden admin-vault secret out one boolean at a time. Requests are rate-limited, so brute force will not save you.
The Scenario
NovaStore is a direct-to-consumer skincare brand out of Portland that did roughly $14M in 2024 and got publicly embarrassed by a credential leak the year before. The remediation work was assigned by ticket count rather than risk, and the promo-code endpoint — owned by a junior who joined two weeks before the hardening sprint — got the smallest checkbox: a throttle in front of the form and a note that "the rest can wait for Q2." Q2 came and went.
Challenge Intel
Synopsis
A boolean-blind SQL injection lab set in a storefront where each request leaks a single bit of truth.
What It Is
NovaStore's promotional-code flow returns only a binary result per submission, but that's enough signal to rebuild hidden records if you're patient and precise. Rate limiting means you'll need an efficient extraction strategy rather than brute force. A classic blind SQLi scenario dressed up in a modern e-commerce skin.
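To make the mechanism concrete from the defender's side, here is an added example (not part of the challenge, and not NovaStore's code): a promo-code lookup written two ways against a constructed SQLite table. The table layout, the function names and the sample codes are assumptions for illustration. The point it shows is that a "applied/invalid" response is not a safe reply on its own; when user text is concatenated into the query, the caller controls the WHERE clause and the boolean answer reflects whatever condition they supplied. The parameterized version treats the same input as a literal string, so the only condition the database evaluates is the one the developer wrote.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a storefront's promo table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE promo_codes (code TEXT PRIMARY KEY, active INTEGER)")
    conn.executemany(
        "INSERT INTO promo_codes VALUES (?, ?)",
        [("SPRING10", 1), ("VIPONLY", 0)],  # one live code, one disabled code
    )
    conn.commit()
    return conn


def apply_promo_vulnerable(conn, code):
    # String concatenation: attacker-supplied text becomes part of the SQL text,
    # so the boolean reply reports on a condition the caller chose, not on the
    # code's existence. Throttling slows this down; it does not remove it.
    sql = (
        "SELECT 1 FROM promo_codes WHERE code = '" + code + "' AND active = 1"
    )
    row = conn.execute(sql).fetchone()
    return "applied" if row else "invalid"


def apply_promo_hardened(conn, code):
    # Parameter binding: the driver passes the code as a value, never as SQL,
    # so the only condition evaluated is the developer's own.
    sql = "SELECT 1 FROM promo_codes WHERE code = ? AND active = 1"
    row = conn.execute(sql, (code,)).fetchone()
    return "applied" if row else "invalid"


def compare(conn, code):
    # Run the same input through both versions and return both verdicts so a
    # reviewer can see exactly where the two implementations diverge.
    return {
        "vulnerable": apply_promo_vulnerable(conn, code),
        "hardened": apply_promo_hardened(conn, code),
    }


if __name__ == "__main__":
    db = make_db()
    # A constructed input whose quote closes the literal and adds a tautology;
    # only the concatenating version is influenced by it.
    for sample in ["SPRING10", "VIPONLY", "x' OR 1=1 --"]:
        print(repr(sample), compare(db, sample))
```

Running the script shows the two implementations agree on ordinary codes and disagree only on the crafted one, which is the defect a code review or a parameterized-query lint rule should catch regardless of how little the endpoint says back.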
Who It's For
Intermediate-to-advanced testers who want realistic practice with blind extraction against a rate-limited target.
Skills You'll Practice
- Blind SQL injection under sparse feedback
- Binary-search bit extraction techniques
- Working within aggressive rate limits
- Schema enumeration through inference
- Scripting reliable oracles for blind attacks
What You'll Gain
- Confidence attacking targets that refuse to tell you anything verbose
- A repeatable pattern for extracting data one bit at a time
- Intuition for how rate limiting changes blind-attack economics
- Fluency translating 'applied or not' into full record recovery