OWASP Automated Threats

Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.

What is Token Cracking?

Identification of valid token codes providing some form of user benefit within the application. The benefit may be a cash alternative, a non-cash credit, a discount, or an opportunity such as access to a limited offer. For cracking of usernames, see OAT-007 Credential Cracking instead.

Token Cracking is also known by terms such as coupon guessing and voucher, gift card and discount enumeration.


The symptoms of Token Cracking

  • Multiple failed token attempts from the same user and/or IP address and/or user agent and/or device ID/fingerprint
  • High number of failed token attempts
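
Both symptoms can be checked against token redemption logs with sliding-window counters. The following is an added example, not OWASP or InfiSecure code; the event field names, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed event fields, one per dimension named in the symptom list.
DIMENSIONS = ("user", "ip", "user_agent", "device_id")

def detect_token_cracking(events, window_s=300, per_key_limit=5, global_limit=20):
    """Return (flagged_keys, global_alert) for token redemption events.

    flagged_keys holds every (dimension, value) with more than per_key_limit
    failures inside a window_s-second sliding window; global_alert is True if
    failures across all sources exceed global_limit inside one window.
    """
    per_key = defaultdict(deque)  # (dimension, value) -> failure timestamps
    all_failures = deque()
    flagged, global_alert = set(), False

    def push(queue, ts):
        # Append the new failure, evict ones older than the window, return count.
        queue.append(ts)
        while queue[0] <= ts - window_s:
            queue.popleft()
        return len(queue)

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue  # only failed token submissions are counted
        if push(all_failures, ev["ts"]) > global_limit:
            global_alert = True
        for dim in DIMENSIONS:
            value = ev.get(dim)
            if value is not None and push(per_key[(dim, value)], ev["ts"]) > per_key_limit:
                flagged.add((dim, value))
    return flagged, global_alert

# Constructed sample: one device fingerprint rotating accounts and IPs,
# plus an ordinary customer who mistypes a code once and then succeeds.
SAMPLE = [
    {"ts": 10 * i, "user": f"u{i}", "ip": f"198.51.100.{i}",
     "user_agent": "ua-A", "device_id": "dev-1", "ok": False}
    for i in range(8)
] + [
    {"ts": 15, "user": "alice", "ip": "203.0.113.7",
     "user_agent": "ua-B", "device_id": "dev-2", "ok": False},
    {"ts": 40, "user": "alice", "ip": "203.0.113.7",
     "user_agent": "ua-B", "device_id": "dev-2", "ok": True},
]
```

In the sample, per-user and per-IP counts stay at one each, so only the device and user-agent dimensions reveal the enumeration; a user agent string shared by many legitimate browsers is a weak signal on its own and is best combined with the others.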


Sectors targeted by Token Cracking

  • Entertainment
  • Financial
  • Retail


Can InfiSecure prevent Token Cracking?

InfiSecure's advanced bot fingerprinting technology can stop automated token cracking attempts by fingerprinting the user agent for its unique characteristics, and so identifying and restricting automated usage. InfiSecure also identifies and restricts automated usage by reputation methods, and applies rate limits to the number of failed token submission attempts per session / user / IP address / device / fingerprint. InfiSecure can even identify and block the most advanced persistent bots engaged in token cracking.