AcmeCorp Gift Card Redemption DEMO

API Shield Demo — Schema Validation & Sequence Mitigation | fast-silicon.sxplab.com

Legitimate Flow SAFE

Simulates the real mobile app flow: browse products → select → redeem. Value is locked to the product's actual price.

1. Browse
2. Select
3. Redeem

Exploit Flow ATTACK

Simulates the attacker: skips product browsing, jumps straight to /orders, tampers with the value field. No sequence followed.

1. Browse
2. Select
3. Redeem

The attacker sets value to $500 instead of $10


curl Examples

Legitimate — Browse products first, then order

# Step 1: List products
curl -s -H "X-Session-Id: user-john-abc123" https://fast-silicon.sxplab.com/v1/products | jq

# Step 2: Get specific product
curl -s -H "X-Session-Id: user-john-abc123" https://fast-silicon.sxplab.com/v1/products/5bd195af-f22a-4cf7-ae9b-116d47104fbc | jq

# Step 3: Redeem (value matches product)
curl -s -X POST https://fast-silicon.sxplab.com/v1/orders \
  -H "Content-Type: application/json" \
  -H "X-Session-Id: user-john-abc123" \
  -d '{
    "items": ["5bd195af-f22a-4cf7-ae9b-116d47104fbc"],
    "createdBy": "JohnDoe",
    "value": 10,
    "email": "john@acmecorp.com",
    "channel": "app"
  }' | jq

Exploit — Skip sequence, tamper value

# Skip straight to order, set value to $500
curl -s -X POST https://fast-silicon.sxplab.com/v1/orders \
  -H "Content-Type: application/json" \
  -H "X-Session-Id: user-h4ck3r-xyz789" \
  -d '{
    "items": ["5bd195af-f22a-4cf7-ae9b-116d47104fbc"],
    "createdBy": "h4ck3r",
    "value": 500,
    "email": "malicious@h4ck3r.com",
    "channel": "app"
  }' | jq

# With Schema Validation ON and value constrained to enum [10, 25, 50]:
# -> Cloudflare returns 403 (blocked at edge, never reaches origin)
#
# With Sequence Mitigation ON (must GET /products before POST /orders):
# -> Cloudflare blocks because /v1/products was never called first
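The two edge protections the demo toggles, plus the origin-side "value is locked to the product's actual price" rule from the legitimate flow, can be modelled in a few dozen lines. The Python below is an added illustration written for this page; it is not Cloudflare's implementation and not the demo backend's code. The catalogue, the in-memory session store, the UUID/email regexes and the HTTP status codes for the origin check (201/400) are constructed assumptions; the enum [10, 25, 50], the product id, the session ids and the 403 for edge blocks come from the demo. It also shows a case the page only implies: a tampered value that sits inside the enum passes schema validation, is still caught by sequence mitigation, and, once the attacker does browse first, is finally caught by the origin price lock.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed catalogue; the product id is the one used in the demo's curl examples.
CATALOG = {"5bd195af-f22a-4cf7-ae9b-116d47104fbc": {"name": "Gift card", "price": 10}}
ALLOWED_VALUES = (10, 25, 50)          # enum from the demo's schema
PREREQ_PREFIX = "/v1/products"         # a GET here must precede POST /v1/orders
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")   # assumed format
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")                  # assumed format


@dataclass
class Verdict:
    status: int
    reason: str


@dataclass
class Store:
    """Per-session request history keyed by the X-Session-Id value (constructed)."""
    history: dict = field(default_factory=dict)


def validate_order_schema(body) -> Optional[str]:
    """Schema validation: None when the body fits the order schema, else the reason."""
    if not isinstance(body, dict):
        return "body is not a JSON object"
    expected = {"items": list, "createdBy": str, "value": int, "email": str, "channel": str}
    missing, extra = sorted(set(expected) - set(body)), sorted(set(body) - set(expected))
    if missing or extra:
        return f"missing={missing} unexpected={extra}"
    for key, typ in expected.items():
        if not isinstance(body[key], typ) or isinstance(body[key], bool):
            return f"{key} must be {typ.__name__}"
    if not body["items"] or not all(isinstance(i, str) and UUID_RE.match(i) for i in body["items"]):
        return "items must be a non-empty list of UUIDs"
    if body["value"] not in ALLOWED_VALUES:
        return f"value {body['value']} not in enum {list(ALLOWED_VALUES)}"
    if not EMAIL_RE.match(body["email"]):
        return "email is malformed"
    return None


def check_sequence(store, session_id, method, path) -> Optional[str]:
    """Sequence mitigation: POST /v1/orders needs an earlier GET under /v1/products."""
    seen = store.history.setdefault(session_id, [])
    if method == "POST" and path == "/v1/orders":
        if not any(m == "GET" and p.startswith(PREREQ_PREFIX) for m, p in seen):
            return "POST /v1/orders before any GET /v1/products in this session"
    seen.append((method, path))
    return None


def check_price(body) -> Optional[str]:
    """Origin rule: the submitted value must equal the catalogue price of the items."""
    unknown = [i for i in body["items"] if i not in CATALOG]
    if unknown:
        return f"unknown product(s) {unknown}"
    expected = sum(CATALOG[i]["price"] for i in body["items"])
    if body["value"] != expected:
        return f"value {body['value']} does not match product price {expected}"
    return None


def handle(store, session_id, method, path, body=None) -> Verdict:
    """Edge checks first (403, request never reaches origin), then the origin's own rule."""
    if method == "POST" and path == "/v1/orders":
        problem = validate_order_schema(body)
        if problem:
            return Verdict(403, "schema: " + problem)
    problem = check_sequence(store, session_id, method, path)
    if problem:
        return Verdict(403, "sequence: " + problem)
    if method == "GET" and path.startswith(PREREQ_PREFIX):
        return Verdict(200, "products served")
    if method == "POST" and path == "/v1/orders":
        problem = check_price(body)
        return Verdict(400, "origin: " + problem) if problem else Verdict(201, "order created")
    return Verdict(404, "no such route")


def run_demo() -> dict:
    """Replay the page's legitimate flow and exploit flow, plus two in-enum variants."""
    store, pid = Store(), "5bd195af-f22a-4cf7-ae9b-116d47104fbc"
    order = {"items": [pid], "createdBy": "JohnDoe", "value": 10,
             "email": "john@acmecorp.com", "channel": "app"}
    john, attacker = "user-john-abc123", "user-h4ck3r-xyz789"
    tampered = dict(order, createdBy="h4ck3r", value=500, email="malicious@h4ck3r.com")
    results = {
        "legit_browse": handle(store, john, "GET", "/v1/products"),
        "legit_select": handle(store, john, "GET", f"/v1/products/{pid}"),
        "legit_redeem": handle(store, john, "POST", "/v1/orders", order),
        "exploit_500": handle(store, attacker, "POST", "/v1/orders", tampered),
        # value inside the enum: passes schema, still fails sequence mitigation
        "exploit_50_no_browse": handle(store, attacker, "POST", "/v1/orders", dict(tampered, value=50)),
    }
    handle(store, attacker, "GET", "/v1/products")   # attacker now follows the sequence
    results["exploit_50_after_browse"] = handle(store, attacker, "POST", "/v1/orders", dict(tampered, value=50))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} {verdict.status} {verdict.reason}")
```

The point of the last two cases is that schema validation alone only stops values outside the enum; a tampered value that happens to be a valid enum member needs the sequence rule and, ultimately, the origin's price lock. Each layer rejects a different class of request, which is why the demo treats them as complementary rather than alternatives.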