
TOCTOU Race Condition Vulnerability in OopsSec Store's Next.js Coupon Validation
The OopsSec Store, an intentionally vulnerable e-commerce application, contains a Time-of-Check Time-of-Use (TOCTOU) race condition in the Next.js API route that validates coupons. The /api/orders endpoint performs two separate database operations, reading a coupon's usedCount and then incrementing it, without atomicity, so concurrent requests can all observe the same pre-increment value and bypass the maxUses limit.

A single-use coupon (FLASHSALE, 50% discount) can be exploited by sending 30 concurrent requests: usedCount then exceeds its intended limit and the flag OSS{r4c3_c0nd1t10n_c0up0n_4bus3} appears in the responses. The application uses Prisma with SQLite, where concurrent reads do not block each other, which leaves the window between the check and the update open. Exploitation involves authenticating via an authToken cookie and firing simultaneous requests at the order endpoint.

The lab is available via Docker (leogra/oss-oopssec-store) or npm (create-oss-store).
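As an added illustration (not code from the OopsSec Store itself), the following in-memory model shows why the read-then-increment pattern races under concurrency and how a single conditional update closes the window. The coupon shape { code, maxUses, usedCount }, the tick() delay standing in for the round-trip between two database calls, and the helper names are assumptions.

```javascript
// Added example, not the lab's own code. tick() models the latency between the
// "check" query and the "use" query; in the real app that gap is a Prisma call.
const tick = () => new Promise((resolve) => setImmediate(resolve));

// Assumed coupon shape; FLASHSALE is single-use, as in the lab.
function makeStore() {
  return { FLASHSALE: { code: 'FLASHSALE', maxUses: 1, usedCount: 0 } };
}

// Vulnerable pattern: the check (read usedCount) and the use (increment) are two
// operations with a round-trip between them, so every in-flight request passes
// the check against the same stale value before any of them writes.
async function redeemUnsafe(store, code) {
  const coupon = store[code];
  if (!coupon) return { ok: false, reason: 'unknown' };
  if (coupon.usedCount >= coupon.maxUses) return { ok: false, reason: 'exhausted' }; // check
  await tick(); // second round-trip: other requests have already passed the check
  coupon.usedCount += 1; // use
  return { ok: true };
}

// Hardened pattern: condition and increment are one step, the equivalent of a
// single conditional UPDATE ... WHERE usedCount < maxUses (with Prisma, an
// updateMany whose where clause bounds usedCount, treating a returned count of 0
// as "exhausted"). The synchronous block after the await plays that role here.
async function redeemAtomic(store, code) {
  const coupon = store[code];
  if (!coupon) return { ok: false, reason: 'unknown' };
  await tick(); // same latency, but no separate read-then-write afterwards
  if (coupon.usedCount < coupon.maxUses) {
    coupon.usedCount += 1;
    return { ok: true };
  }
  return { ok: false, reason: 'exhausted' };
}

// Fire N concurrent redemptions at a fresh store and report what got through.
async function race(redeem, concurrency = 30) {
  const store = makeStore();
  const results = await Promise.all(
    Array.from({ length: concurrency }, () => redeem(store, 'FLASHSALE')),
  );
  return {
    accepted: results.filter((r) => r.ok).length,
    usedCount: store.FLASHSALE.usedCount,
  };
}
```

With 30 concurrent calls, race(redeemUnsafe) accepts all 30 and leaves usedCount at 30, while race(redeemAtomic) accepts exactly one; the same contrast is what a load test against /api/orders would show before and after the fix.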