Promo codes accidentally left in the source code of the website



I recently discovered an online store brazenly lying about the number of people browsing its products. Its source code contained a JavaScript function that randomized this number. After my article, the store administrators secretly removed this code from the website.



Today we will be examining the source code of the website again, but now there will be nothing fraudulent in it. The site that I will show today just revealed secret promotional codes in its public code.



We will be examining the website of Great Wolf Lodge, a chain of indoor water park resorts, but I should note that it is quite common for websites to expose internal information through careless code.



I'll explain each step so you can use the methods described in the article to explore the source code of other websites yourself. And trust me, you can find all sorts of interesting details in the source code.



Here's what we'll do:



  1. We'll study the Great Wolf source code, where we'll find references to promo codes that we will then check.
  2. We'll try to use one of the promo codes on the website and capture the URL the browser requests.
  3. Spoiler alert: we will eventually find a working promo code.


Examining the source code



Let's start by opening the object of study: the Great Wolf website. Right-click anywhere on the page and select "View source". Press CTRL + F (or CMD + F) to search the code and enter "promocode" in the search field. I found two variables that looked particularly interesting: dealPromoCodeApiUrl and promoCodeList. The first contains a partial URL pointing to a JSON file (a file with structured data) that may contain promo codes. The second is an array (a collection) of promo codes.



If we take the URL found in the first variable and prepend the site's domain, greatwolf.com, we get this URL: https://www.greatwolf.com/content/experience-fragments/gwl/poconos/experience-fragment/master/_jcr_content/root/plan.json

At the time of this writing, when going to this URL, I was greeted by four different promo codes:





Data found on Great Wolf.



If you open the URL in a browser, the data may not look as structured as in my screenshot. Some browsers have a built-in JSON viewer, but most don't. However, every popular desktop browser has extensions that pretty-print JSON files, so just go to your browser's extension / app store and search for JSON.



Let's keep these codes in mind, but first let's check the other variable, promoCodeList. We already know its contents from the source code, but we can display it more conveniently in the browser console. Open the browser developer tools, which in most browsers on Windows are opened by pressing F12. On most computers and browsers you can also right-click anywhere on the page and select something like "Inspect element". With the developer tools open, select the "Console" tab. Then type promoCodeList and press Enter, after which we see five more promo codes:





Let's try using one of them. At the top of the Great Wolf homepage there is a form to search for available dates. I searched for dates, chose one guest and entered the promo code found earlier: PROMO20.





After completing the search, this text was displayed: "Unfortunately that is not a valid offer code. Please re-enter or view our other offers."



Talking to the web server



I'm always curious about how data travels between the browser and the web server, so let's go to the "Network" tab of the developer tools. Select the "XHR" filter to see what data is moving between the page and the web server. If the tab is empty, refresh the page; this will populate the Network tab with API calls. XHR (XMLHttpRequest) requests are simply the background API calls the page makes to the server.





Great Wolf network calls.



Most of them are of little interest, but the highlighted line caught my attention. It says "availability" and looks like it carries interesting data. If you click on it, the browser shows the URL that the website uses to ask the server for available hotel rooms.





If we open the URL shown in the Network tab (as it was at the time of writing), we land on another page full of data. The results on this page list the rooms available for the selected dates. Conveniently, at the beginning of the data there is information about the promo code: an error code indicating that the offer is not available (which we already knew).





Data found on Great Wolf.



Unfortunately, this data is not very interesting in itself, but the URL makes it easier to check other promo codes. If you examine the URL, you can see the "offerCode=PROMO20" part. You can change it to a different promo code and reload the URL to check that code. Without hesitation, I began to check them. One of the previously found promotional codes worked: "FLING40". At the time of this writing, opening that URL returned this kind of response:





Data found on Great Wolf.



Indeed, if you go back to the website and enter the promo code, you can verify that it has been applied:





Mission complete.



It is also worth noting that some of the promotional codes we found earlier are listed in plain text on the Deals page of the Great Wolf website. However, the FLING40 code I used is not there.



Summary



We used very simple techniques to find promotional codes on a room reservation website. After examining the source code, we found some interesting JavaScript variables. We checked them and found several hidden promo codes. We also found the URL the site uses to talk to the Great Wolf web server, which allowed faster testing of the codes. Ultimately, we found a hidden promo code that worked.



You may wonder why promotional codes were just lying in variables in the public source code. There may be many reasons for this, but from my experience as a developer I can say that it is usually caused by management problems. Reasons for such disclosures include short deadlines, the lack of a thorough testing phase, functionality added late in development, or a poorly written specification.



In addition, since the data causes no direct damage, there may have been no reason to delete it. This is an innocent mistake and is more common than you might imagine. Of course, it is worth mentioning that promotional codes could be left in the code on purpose, as a clever trick to attract attention or increase sales. But that seems unlikely to me.
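One cheap safeguard against exactly this kind of leak is a build-time scan of the front-end assets before they are deployed. The following is an added example, not the article's or Great Wolf's code: it flags array literals assigned to promo-looking variables (the promoCodeList pattern seen above) and hard-coded paths to content JSON files (the plan.json pattern), using simple regex heuristics; the sample JavaScript and its paths and codes are constructed for the demonstration.

```python
"""Pre-deploy scan for promo codes and offer-endpoint paths left in front-end assets.
Added example; the regexes are heuristics, not an exhaustive secret scanner."""
import re
from pathlib import Path

# Array literal assigned to a promo-looking variable, e.g.
#   var promoCodeList = ["PROMO20", "FLING40"];
PROMO_VAR_RE = re.compile(
    r'\b(\w*promo\w*|\w*offerCode\w*)\s*[:=]\s*(\[[^\]]*\])', re.IGNORECASE)
# Strings that look like promo codes: three or more capitals followed by 1-3 digits.
CODE_RE = re.compile(r'["\']([A-Z]{3,}\d{1,3})["\']')
# Hard-coded paths to content JSON (the kind of URL dealPromoCodeApiUrl pointed at).
JSON_URL_RE = re.compile(r'["\'](/[\w./-]*\.json)["\']')


def scan_text(text, name="<input>"):
    """Return a list of findings (dicts) for one file's contents."""
    findings = []
    for m in PROMO_VAR_RE.finditer(text):
        codes = CODE_RE.findall(m.group(2))
        if codes:  # only report arrays that actually hold code-like strings
            findings.append({"file": name, "kind": "promo_array",
                             "variable": m.group(1), "codes": sorted(set(codes))})
    for m in JSON_URL_RE.finditer(text):
        findings.append({"file": name, "kind": "json_url", "url": m.group(1)})
    return findings


def scan_dir(root):
    """Scan every .js/.html/.json file under root (e.g. the build output directory)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix in (".js", ".html", ".json"):
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings


# Constructed sample resembling the leak described in the article (values are made up).
SAMPLE_JS = """
var dealPromoCodeApiUrl = "/content/experience-fragments/example/plan.json";
var promoCodeList = ["PROMO20", "FLING40", "SUMMER15"];
var pageTitle = "Book now";
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_JS, "sample.js"):
        print(finding)
```

Wire scan_dir into CI so that a non-empty result fails the build, and review each finding: a JSON path is only a problem if the file it points at is publicly readable and contains something that should stay internal.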



Anyway, I hope you learned something new. Good luck hunting for fun in the source code of other sites.





