How to Find Coupon Codes for Any E-Commerce Website
TLDR: You can save money on e-commerce websites by finding coupon codes through browser extensions, deal sites, and social media. Methods include checking retailer emails, using aggregators like RetailMeNot, and leveraging tools like Honey. Always verify codes to avoid scams and ensure savings.
Everyone loves a good deal. Whether it’s the holiday season or just a moment when you are shopping online, getting something you want for less than full price is a great feeling. What if you could save money more often while shopping online?
Saving money is possible through using coupon codes. Coupon codes are a common feature of checkout pages to give users online shopping deals. They allow store owners to offer discounts to their customers for seasonal sales, item clearances, and affiliate partnerships.
It would be nice to always have coupon codes while shopping, but they are not always readily accessible. How do we get online shopping discounts? We will look at methods to find hidden, old, and unavailable codes for your online purchases.
How do e-commerce coupon codes work?
Before finding coupon codes, we need to understand how they work. For a customer, there are two parts to the coupon code experience: the code and the input box to enter the code.
You may see an input field like this on your cart checkout or payment page:
Here, we see the input field where we can enter our code and an apply button to check if the code is valid. Pretty simple.
What happens on the server is more complicated. It’s important to understand that by clicking “Apply” you are making a request to a separate server running the logic for the cart and e-commerce website.
You are most likely making a POST request to the e-commerce server, including the coupon code for validation. The server will receive the code, validate it, and make changes to your cart to reflect the logic of the code. We will talk more about the code record lookup and validation process later.
How to target e-commerce websites
Whether you are hunting for a coupon code or a bug, it is important to know as much as possible about your target. In our case, you need to know if your target e-commerce site runs its own cart server, uses a third-party app, or is hosted on a CMS solution.
E-commerce giants like Amazon, Target, Etsy, and Walmart have their own internal cart and coupon code systems. Many e-commerce websites do not build and manage their own carts. Instead, they leverage prebuilt themes, apps, or SaaS products to deliver shopping experiences.
It is important to know your target before you attempt to find hidden coupon codes. As of 2024, roughly 40% of all websites are powered with a WordPress theme / CMS. Shopify, the e-commerce theme and app platform, boasts over 5 million storefronts as of EOY 2024. These two services encompass many of the storefronts you encounter.
Most websites will not advertise the CMS or e-commerce solution they use to power their transactions. There are ways to determine if the store uses an app or a self-built solution.
It is important to identify the cart service. Knowing the target will help you improve your coupon code search methods. Services may have different schemas and validations for casing and code structure. You can write better-targeted scripts or queries if you can remove impossible coupon code values.
What code powers coupon codes?
We know what the UI looks like for coupon codes and the importance of understanding how our target e-commerce website works. Now, we are ready to learn what is happening on the server.
When you click “apply” for your coupon code, you are really asking the server the following questions:
- Is this a valid coupon code?
- Does this coupon code apply to my current shopping cart?
- What is the new state of my online shopping cart?
The target server will receive the coupon code and run some logic to determine the answers to these questions. What does this logic look like?
In the most naive approach to coupon codes, we could have an endpoint with hard-coded codes in an if-else block or case statement. If the condition of the correct coupon code being sent is met, we update the cart with the given branch’s logic. This works but is not maintainable or scalable.
// Method on the endpoint that receives the couponCode from the user and the
// current session's cart. updateCart is assumed to be defined elsewhere.
const checkCouponCode = (couponCode, cart) => {
  if (couponCode === 'NEW_CUSTOMER_25') {
    // Hard-coded branch for the new customer code
    updateCart(cart, 25);
    return;
  } else if (couponCode === 'RETURN_50') {
    // Hard-coded branch for the returning customer code
    updateCart(cart, 50);
    return;
  } else {
    // Unknown code: leave the cart unchanged
    return;
  }
};
Instead of hard coding the different coupon codes, which requires developer implementation every time we want to add or remove a code or update a code’s behavior, we can store the coupon codes as records.
By creating a table for the records, we can add a simple UI for store owners to create and modify coupon codes without any developer help. This is great for scalability and accessibility. With the table approach, we must review what data to store on each record.
Obviously, we need to store a name field for the coupon code. We would like to understand the discount the coupon code provides. This discount could take many forms including: a percent discount or a flat monetary value reduction.
We account for this by having two fields, a percent discount, and a flat monetary value reduction. We also set conditions that only one of the fields can be set at a time.
Now for some overlooked fields that improve user experience. Store owners don’t want to have coupon codes that are indefinitely available. Why should we have SUMMER22 available in the Winter of 2024?
To correct this, let’s add start date and end date fields to our record. These fields will allow store owners to be precise about the availability of the codes without having to manually manage and delete them.
The schema for our coupon code records looks like this:
The coupon code will serve as a primary key, with uniqueness enforced. This means that we will have 1:1 mapping so we can do find operations to retrieve the records.
With the record schema created, we will mock a method of how the coupon code is used:
const updateCartWithCoupon = (couponCode, cart) => {
  // The coupon code is the primary key, so this is a single-record lookup
  const couponCodeRecord = ormInstance.find(couponCode);
  if (couponCodeRecord) {
    // perform some action on the current cart
  }
  // Whether we find a code and update the cart or not we will return
  return;
};
Our method will accept two arguments: the coupon code and the existing cart. If the coupon code exists and is valid then we will modify the cart and return the new value. Now we know how this code would work and can begin searching for coupon codes.
Coupon Code Hunting Method 1: Brute Force Trial and Error
You now know the components of the UI, the importance of identifying target systems, and how the code for coupon codes works. Let’s talk about how to uncover coupon codes.
The first, and least sophisticated, method for hunting coupon codes is brute force. People usually associate brute force searches with hundreds of thousands or even millions of different codes pinging a cart endpoint hoping to get a hit. We can do better.
For our brute force search, we will narrow the scope of our sets of coupons by relying on certain assumptions. The assumptions we will look at include trying:
- Evergreen codes
- Test/development codes
- Codes without set expirations
- Common affiliate codes
A quick note before reviewing our targets: when you see “XX” as part of a coupon code, this is a placeholder for a number between 10 and 90. This percentage will be paired with text to build a coupon code.
The first assumption is that there are evergreen codes available. Evergreen codes are codes that are always available. Maybe there is a NEWCUSTOMERXX code that is a default shown to new users. Or there is a CHRISTMASXX that is available for the holidays, but not deactivated during the year.
To improve security, companies should rotate their codes, adding characters to differentiate versions. They should not have evergreen codes. However, business owners are human. It takes extra bandwidth and knowledge to fix this vulnerability. I won’t list evergreen codes, but they are easy to find elsewhere online.
A second source of codes is test and development codes. These codes are meant for lower environments, but if exposed in production are always available. What do I mean by exposed in production?
Good software development leverages multiple environments for creating software. You have a development environment that is local to an engineer’s machine. You have a shared testing environment hosted on a cloud server and available to team members. You have production code exposed to the world.
Certain codes should only be available in the test environment. Whether it’s laziness or forgetfulness, sometimes these codes are made available on the production server.
Codes such as TESTXX, INTERNALXX, or EMPLOYEEXX are all values that would be available if migrated from testing or dev to production. You can add different versions of these codes to your brute force list.
Beyond trying test codes, we can add codes for new users and retargeted users. Retargeted users are users in a CRM (customer relations management system) who have interacted with a store or service. They meet some threshold of inactivity, making them attractive for reaching out with a trigger like a coupon code.
Common codes could be something like WELCOMEBACKXX or FIRST_ORDERXX. While compiling these generic codes, look for other codes on the site to see the casing, spacing, and general formatting a website uses. After common lifecycle codes, we need to look at how to find affiliate coupon codes.
With the rise of influencers came the explosion of affiliate marketing. Unlike traditional marketing, or even digital marketing on websites, affiliate marketing is hyper-focused on an influencer’s audience.
An influencer focusing on health content would be a great affiliate marketer for supplements or workout clothing. An influencer focusing on gaming might be an affiliate for computer part upgrades and food delivery services.
A common format for affiliate marketers is the affiliate’s name with some discount number attached. Examples would be MARK20 or DEJUAN35. The method of applying the code may differ as sometimes this is appended to the end of a URL while other codes can be entered at checkout.
The discounts usually stay below 50%, so a safe bet would be to add a list of common names with different discount amounts to test coupon codes.
Now that we have a list of tens or hundreds of higher-probability coupon codes, it is time to try them and see what works. We do not want to do this by hand. There are a couple of ways to automate this process:
Process 1 — Endpoint Automation
- We can look in the network tab to see if an API endpoint is exposed for making calls directly to the database
- If it is, we can use a tool like Postman to mock the endpoint call
- We can further automate Postman with a script to make calls using our coupon code try list and record successes
Process 2 — Manual Web Automation
- Create a base state of the cart.
- Using a tool like Selenium with Python create a script that “inputs” our codes and “submits” them to the server. We can check the text of our cart price to see if the coupon code applied.
- We run this script against our coupon code try list and record successes.
There are other ways to automate these processes, but I will not cover those. I am also not including code in this article because this knowledge should be used by store owners and engineers to ensure their sites are safe.
The great thing about this list is that you should be able to reuse it between websites or services. Again, the format may change, but if the site does not have rate limits on calls from a specific IP you can work through trying your whole list in seconds.
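The rate limit this paragraph refers to, seen from the store's side, as an added example that is not part of the original article: a sliding-window limiter that stops answering coupon lookups for a client after too many failed attempts. The class name, the thresholds and the client key are assumptions.

```javascript
// Added example: sliding-window limiter for failed coupon attempts.
// MAX_FAILURES and WINDOW_MS are assumed values; tune them to real traffic.
const MAX_FAILURES = 5;
const WINDOW_MS = 10 * 60 * 1000;

class CouponAttemptLimiter {
  constructor(maxFailures = MAX_FAILURES, windowMs = WINDOW_MS) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // clientKey -> timestamps of failed attempts
  }

  // Drop timestamps that fell out of the window and return what is left.
  recent(clientKey, now) {
    const kept = (this.failures.get(clientKey) || [])
      .filter((t) => now - t < this.windowMs);
    if (kept.length) this.failures.set(clientKey, kept);
    else this.failures.delete(clientKey);
    return kept;
  }

  isBlocked(clientKey, now = Date.now()) {
    return this.recent(clientKey, now).length >= this.maxFailures;
  }

  recordFailure(clientKey, now = Date.now()) {
    const kept = this.recent(clientKey, now);
    kept.push(now);
    this.failures.set(clientKey, kept);
  }
}

// Wraps a coupon lookup so a blocked client never reaches the database.
// clientKey should combine session or account with IP; an IP alone is
// shared by many shoppers behind one NAT and is cheap to change.
function applyCouponLimited(limiter, lookup, clientKey, code, now = Date.now()) {
  if (limiter.isBlocked(clientKey, now)) {
    return { status: 429, applied: false }; // too many failed attempts
  }
  const record = lookup(code);
  if (!record) {
    limiter.recordFailure(clientKey, now); // only failed attempts count
    return { status: 200, applied: false };
  }
  return { status: 200, applied: true, record };
}
```

Because only failed lookups are counted, a shopper who mistypes a code once or twice is unaffected, while a try list of tens or hundreds of codes is cut off after the first few.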
Coupon Code Hunting Method 2: Deleting Profile Information
It is no secret that the websites and services you interact with track you. They record information such as your browsing session, whether or not you’re logged in, searches made within their site, your IP address, your browser type, and your device type.
Armed with this data, these services precisely target and retarget users. Maybe you haven’t logged any activity on their site in a few weeks so you get dropped in a CRM bucket for a retargeting campaign. From this, you get a WELCOME_BACK_15 coupon in your email.
To take advantage of these offers, you could create accounts and hope you trigger a retargeting campaign. That is a lot of work and requires some luck and timing. Instead of targeting those discounts, let’s look at how to leverage new customer coupon codes.
New user coupon codes are offered to users who are not logged in or who have not interacted with the site in a way that lets session cookies be stored. How being logged in affects new user coupon codes is straightforward. If you have an account, you will not be shown the new user discount code.
How cookies factor in is not as straightforward. Cookies are bits of text that websites can place in your browser to track your activity and collect data.
We will not see the new user coupon code if we interact with a website with certain cookies already in our browser. Therefore, we need a way to get rid of the cookies. We could use developer tools to clear our browser cookies manually, but a simple method is to use Incognito mode, a private browser, or if you’re feeling crazy, a Tor browser.
While private browsers don’t anonymize your activity, as search engines and ISPs still have to route traffic and may store an “anonymous” profile related to you, websites can’t see your activity and don’t store cookies.
With this knowledge, we can return to our target website and see if the new user discount coupon code is visible. If it is, we can record it and try to use it on our existing user account.
This may or may not work depending on how the target store validates coupon codes. If the store has logic in addition to checking if the coupon code is real and has not expired, then this method does not work.
If the store only checks for real codes that have not expired, your new user discount coupon code should work on every order you make.
Coupon Code Hunting Method 3: Asking for the List
What’s the easiest way to get into a house? Through the front door. This question may seem irrelevant, but it is important for our last coupon code-hunting method. What is the best way to get a list of coupon codes? Ask for them.
The input form is a POST call to an eCommerce endpoint. This endpoint has to access the database to query for values. What if instead of asking to look up a record for “BESTHACKER25” you performed an SQL injection?
If the endpoint doesn’t clean the input value, you may be able to get the entire coupon code table. Wouldn’t that be nice?
This is an unlikely scenario as most modern frameworks clean strings before passing them to the backend. Most backend engineers are taught to trust but verify all payloads coming from the frontend. Frontend validation is good for UX but does nothing to prove the trustworthiness or validity of inputs.
Again, if returning a table works, you are set. I won’t go into technical details on how to perform this sort of check. It goes against the Terms of Service for most eCommerce websites.
How to secure your coupon codes as a product owner or software engineer
We have discussed the coupon code feature and how it may be hacked. Let’s discuss protecting yourself as a store owner, software engineer, or product manager.
The bottom line for misuse of coupon codes is lost revenue. Completed transactions return less value than expected. We need to prevent this. Our three methods described above can be mitigated through clean code and good store management.
While what I discuss won’t solve every scenario (a user may be really good at guessing active coupon codes) it should reduce the opportunity for misuse. Three actions you can take to protect yourself are:
- Have procedures for inventorying your coupon codes
- Write clean code for your coupon application endpoint.
- Add logic to evergreen coupon codes to only be available to certain users.
The easiest solution is good coupon code hygiene. Don’t leave old codes exposed. If they exist and work, people will find them. If you must use evergreen codes, add extra logic to cart applications to ensure they only apply to a subset of users.
Finally, if you’re writing your own code, think of ways to abuse your endpoint and add logic to guard against them. Your developers need to understand your business cases to ensure they build clean and safe code. Once they understand the business logic, they can test misuse and abuse to prevent coupon code hacks.
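One way to write the coupon application check described in this section, as an added example rather than code from the original article: it answers the three questions from earlier (valid code, applies to this cart, new cart state) and restricts a new-customer code to customers with no orders. The `audience` field, the code format and the customer object are assumptions; the other fields follow the schema described above.

```javascript
// Added example: server-side coupon validation. Record fields follow the
// article's schema; `audience` and the customer object are assumptions.
const CODE_FORMAT = /^[A-Z0-9_]{3,32}$/; // assumed house format for codes

// Constructed sample records, keyed by code (the primary key).
const COUPONS = new Map([
  ['WELCOME15', { percentOff: 15, amountOffCents: null, audience: 'new_customer',
    startsAt: '2024-01-01T00:00:00Z', endsAt: '2024-12-31T23:59:59Z' }],
  ['FLASH10', { percentOff: null, amountOffCents: 1000, audience: 'all',
    startsAt: '2024-06-07T00:00:00Z', endsAt: '2024-06-07T23:59:59Z' }],
]);

// `customer` must come from the authenticated server-side session,
// never from fields in the request body.
function validateCoupon(code, cart, customer, now = new Date()) {
  // Every failure returns the same answer, so the response does not reveal
  // whether a code exists, has expired, or is restricted to other users.
  const reject = { applied: false, totalCents: cart.subtotalCents };

  // 1. Is this a well-formed, known code?
  if (typeof code !== 'string' || !CODE_FORMAT.test(code)) return reject;
  const record = COUPONS.get(code);
  if (!record) return reject;

  // Exactly one of the two discount fields may be set on a record.
  const hasPercent = record.percentOff != null;
  const hasAmount = record.amountOffCents != null;
  if (hasPercent === hasAmount) return reject;

  // The code must be inside its start/end window.
  if (now < new Date(record.startsAt) || now > new Date(record.endsAt)) return reject;

  // 2. Does it apply to this customer? New-customer codes need zero prior orders.
  if (record.audience === 'new_customer' && customer.orderCount > 0) return reject;

  // 3. New cart state, in integer cents and never below zero.
  const discount = hasPercent
    ? Math.round(cart.subtotalCents * record.percentOff / 100)
    : record.amountOffCents;
  return { applied: true, totalCents: Math.max(0, cart.subtotalCents - discount) };
}
```

With the eligibility check in place, a new-customer code copied from a private browsing session is rejected on an account that already has orders.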
How to inventory your coupon codes as a store owner or product manager
As you can see, there are many ways that a coupon code system can be abused. The best way to prevent coupon codes from being misused is to ensure that they are not available in the first place. If there aren’t active coupon code records to use, malicious users will be unable to apply discounts.
Our first step is to check for test codes leaking from your testing environment to production. There should be no codes for TESTXX or EMPLOYEEXX. These are the easiest codes to check for and remove.
Once we have verified that no test codes exist on production, check that all codes are for current campaigns and seasons. If you had a flash sale last Friday, remove the coupon code once your sales end.
If you are a solo shop, you should be able to track what codes are available and when they should be deleted. If you have a team, have discussions and procedures for setting up codes correctly and how to delete them. Go further and have an annual, bi-annual, or quarterly audit of all your codes.
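The inventory steps above can be run as a script over an export of the production coupon table. This is an added example, not part of the original article; the field names (`code`, `endsAt`, `audience`) and the sample export are assumptions, and the prefixes are the test-code examples the article names.

```javascript
// Added example: audit of coupon records exported from production.
// Field names (code, endsAt, audience) are assumptions about the export.
const TEST_PREFIXES = ['TEST', 'INTERNAL', 'EMPLOYEE']; // the article's examples

function auditCoupons(records, now = new Date()) {
  const findings = [];
  for (const r of records) {
    const code = String(r.code).toUpperCase();

    // Step 1: test or internal codes that leaked into production.
    if (TEST_PREFIXES.some((p) => code.startsWith(p))) {
      findings.push({ code: r.code, issue: 'test-code-in-production' });
    }

    if (!r.endsAt) {
      // No end date: the code never expires on its own (evergreen).
      const open = !r.audience || r.audience === 'all';
      findings.push({
        code: r.code,
        issue: open ? 'evergreen-unrestricted' : 'evergreen-restricted',
      });
    } else if (new Date(r.endsAt) < now) {
      // Step 2: the campaign is over but the record was never removed.
      findings.push({ code: r.code, issue: 'expired-not-removed' });
    }
  }
  return findings;
}

// Constructed sample export, for illustration only.
const SAMPLE_EXPORT = [
  { code: 'TEST50', endsAt: null, audience: 'all' },
  { code: 'EMPLOYEE40', endsAt: '2025-12-31T23:59:59Z', audience: 'all' },
  { code: 'SUMMER22', endsAt: '2022-09-01T00:00:00Z', audience: 'all' },
  { code: 'NEWCUSTOMER10', endsAt: null, audience: 'new_customer' },
  { code: 'WINTER24', endsAt: '2025-02-28T23:59:59Z', audience: 'all' },
];
```

Calling `auditCoupons(SAMPLE_EXPORT)` on a schedule gives the quarterly or annual audit a concrete list to work through.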
It does not take a lot of effort to remove easy coupon code abuse. However, you must be detail-oriented and on top of your site to ensure users are not getting free money at your expense.
Key Takeaways
- Use browser extensions like Honey or Capital One Shopping to automatically find and apply coupon codes at checkout.
- Check deal aggregators like RetailMeNot or Coupons.com for verified, up-to-date discount codes across retailers.
- Subscribe to retailer newsletters and follow their social media for exclusive promo codes and flash sales.
- Verify coupon codes through trusted sources to avoid scams and ensure they work before completing purchases.
