A blog post details the discovery of several promo codes accidentally left exposed in the publicly accessible source code of the Great Wolf Lodge website. The author explains how, by inspecting the source code and searching for terms like 'promocode', they were able to locate variables containing partial URLs and arrays of promo codes.
Following the discovered URLs, the author found a JSON file containing four distinct promo codes. One of these codes was successfully tested on the website, demonstrating the vulnerability.
The article serves as a cautionary tale about the importance of proper security measures in web development and highlights the potential risks associated with exposing internal data.
Some time ago, I exposed an e-shop for blatantly lying about the number of people viewing their products. Their public source code contained a JavaScript function that randomized the number. Since then, the administrators of the e-shop have quietly removed the code from their website.
Well, we are once again exploring the source code of a website, but this time there’s nothing crooked involved. The website that I’ll be showing you today simply exposed hidden promo codes in their public code.
We’ll be looking at a chain of indoor water parks called Great Wolf Lodge today, though I want you to know that it’s actually quite common for websites to expose what should be internal information publicly through poor code.
I’ll explain every step along the way, so you can follow along and use the methods I mention in this article to explore the source code of other websites. And, trust me, you can find all sorts of interesting tidbits in source code.
Here’s what we’ll do:
Let’s start by navigating over to our subject: Great Wolf. Right-click just about anywhere on the website and select “View source.” Hit CTRL+F (or CMD+F) to search the code and type “promocode.” We will find two variables in particular that interest me: “dealPromoCodeApiUrl” and “promoCodeList.” The first variable contains a partial URL to a JSON file (a file with some structured data) that sounds like it would contain promo codes. The second variable is an array (a collection) of promo codes.
If we take the URL found in the aforementioned variable and add “greatwolf.com” to the beginning of it, we’ll end up with this URL: https://www.greatwolf.com/content/experience-fragments/gwl/poconos/experience-fragment/master/_jcr_content/root/plan.json.
At the time of writing, upon visiting that URL, I am greeted with four different promo codes:
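Seen from the site owner's side, the same search can run as a pre-release check. The following is an added example, not code from the original post or from the site: it scans rendered page source for promo-related keys that carry literal codes or point to a JSON file. The sample page, its values and the key-name pattern are constructed assumptions; only the two variable names come from the article.

```javascript
// Constructed sample of rendered page source. All values are made up; the two
// variable names are the ones the article found in the page.
const SAMPLE_PAGE = `<html><head><script>
var siteConfig = {
  "resortName": "example",
  "dealPromoCodeApiUrl": "/content/example/plan.json",
  "promoCodeList": ["EXAMPLE10", "SAMPLE25"],
  "promoCodeLabel": "Offer code"
};
</script></head><body>...</body></html>`;

// Key names that suggest promo or discount data (assumed naming conventions).
const SENSITIVE_KEY = /promo|coupon|discount|voucher/i;
// Matches  "key": value  or  key = value  where value is a string or an array.
const ASSIGNMENT = /["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(\[[^\]]*\]|"[^"]*"|'[^']*')/g;

// Decide whether a value is worth reporting: a list of literal codes,
// or a path/URL to a JSON file that the browser is told to fetch.
function classify(rawValue) {
  if (rawValue.startsWith("[")) {
    const items = rawValue.match(/["'][^"']+["']/g) || [];
    return items.length ? { kind: "literal-code-list", count: items.length } : null;
  }
  const text = rawValue.slice(1, -1);
  if (/^(https?:)?\/.*\.json(\?.*)?$/i.test(text)) return { kind: "json-endpoint", count: 1 };
  return null; // labels and other plain strings are not reported
}

// Return one finding per sensitive key, with the line it appears on.
function findExposedPromoConfig(pageSource) {
  const findings = [];
  for (const m of pageSource.matchAll(ASSIGNMENT)) {
    const [, key, rawValue] = m;
    if (!SENSITIVE_KEY.test(key)) continue;
    const verdict = classify(rawValue);
    if (!verdict) continue;
    const line = pageSource.slice(0, m.index).split("\n").length;
    findings.push({ key, line, ...verdict });
  }
  return findings;
}

// Report what a release check would flag on the constructed sample.
const demoFindings = findExposedPromoConfig(SAMPLE_PAGE);
demoFindings.forEach(f => console.log(`${f.key} (line ${f.line}): ${f.kind} x${f.count}`));
```

A finding here means the value ships to every visitor's browser. The durable fix is to keep the list of valid codes on the server and have the page submit a code for validation instead of receiving the list.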