What starting position does this attack require?

The first step is Complete the order at near-zero cost (T1041) — a exfiltration primitive. Assumed environment: e-commerce / SaaS billing endpoint that validates a coupon then applies it without a serialised transaction.

What is the final impact of this kill-chain?

The final step lands on Reproduce check-then-apply window (W-BUSINESS-LOGIC), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Single-packet race → coupon stacking

Coupon redemption check happens before the apply step. Send 20 redemptions in a single TCP packet — the app validates each in parallel and applies all of them.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Exfiltration

Complete the order at near-zero cost

T1041 · Exfiltration Over C2 Channel

Reconnaissance

Find coupon / quota endpoint

W-RECON-API-DISCO · API Endpoint Discovery

Impact

Bundle 20 redemptions in single packet (H2)

W-RACE-SP · Single-Packet Race Condition

Turbo Intruder gate / send-group.

Impact

Apply N coupons against the cap of 1

W-BUSINESS-LOGIC · Business Logic Flaw

Impact

Reproduce check-then-apply window

W-BUSINESS-LOGIC · Business Logic Flaw

§ Context

Assumed environment: e-commerce / SaaS billing endpoint that validates a coupon then applies it without a serialised transaction. HTTP/2 connection support.

§ Steps

01
Complete the order at near-zero costExfiltration
T1041— Exfiltration Over C2 Channel
02
Find coupon / quota endpointReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
03
Bundle 20 redemptions in single packet (H2)Impact
W-RACE-SP— Single-Packet Race Condition
Turbo Intruder gate / send-group.
04
Apply N coupons against the cap of 1Impact
W-BUSINESS-LOGIC— Business Logic Flaw
05
Reproduce check-then-apply windowImpact
W-BUSINESS-LOGIC— Business Logic Flaw

§ References

T1041Exfiltration Over C2 Channel

§ Frequently asked

What is the "Single-packet race → coupon stacking" attack path?: Coupon redemption check happens before the apply step. Send 20 redemptions in a single TCP packet — the app validates each in parallel and applies all of them. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Complete the order at near-zero cost (T1041) — a exfiltration primitive. Assumed environment: e-commerce / SaaS billing endpoint that validates a coupon then applies it without a serialised transaction.
What is the final impact of this kill-chain?: The final step lands on Reproduce check-then-apply window (W-BUSINESS-LOGIC), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Single-packet race → coupon stacking

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Open MongoDB → dump every collection

Signature replay across chains → token drain

JWT RS256 → HS256 algorithm confusion → admin

GraphQL introspection → BOLA → mass enum

NoSQL injection → auth bypass → admin