Woolworths Everyday Rewards Hack | Automatically Boost Your Offers and Save

Introduction to Automation with Python and ChatGPT

Hey everyone, in this video, I will show you how to automate manual actions required to boost loyalty points using Python and Copilot. Woolworths, an Australian grocery store, has a loyalty program where you collect points by purchasing goods. Once you reach a certain amount, you receive a $10 discount on your shopping basket. To speed up the collection of these points, you can click the boost button.

Using Developer Tools for Network Inspection

While Burp is an excellent tool to inspect network traffic between a web server and the browser, for this instance, we can just use the developer tools built into Chrome. Let’s try to find the calls that return all the different offers. I was searching for anything that has ‘offer’ in the content or in the title. After filtering through lots of JavaScript content, searching for ‘offers’, which is often found in a URL path, revealed something promising.

Identifying and Activating Offers

We found a URL containing “offers”. Inspecting the response, we see all the different offers, some of which have not been activated yet, indicated by a “status not activated” and an ID. This is a good start. Copying this content, we’ll try it in a terminal window to see the full response.

Boosting Offers via API

Next, we want to see what happens when we click the boost button. We can identify the API endpoint for the boost. After copying it and running it in a terminal window, we initially get an error message for a used boost ID. However, using an ID that hasn’t been boosted yet yields a 200 response, indicating success.

Creating the Python Script

Now, let’s create a Python script to automate this manual process. Although I could write the entire code myself, it would be time-consuming. Instead, let’s use Copilot to generate the code for us. Using data from the API endpoints, we’ll have Copilot generate this Python script, which will access the offers endpoint using a GET request with some headers, process the data, and look for the key “offers”. Each offer’s status needs to match “not activated”, as we saw earlier. Then, we’ll make a POST request to boost that offer, specifying the offer IDs.

Refining the Script

The generated code looks pretty good, with two minor issues to fix. First, I want to load the credentials from environment variables stored in a file. Second, the POST request wasn’t passing through the headers. We’ll update the script to load the credentials from an environment file and provide an example of a .env file.

Testing and Finalizing the Automation

Before running our code for the first time, we’ll add the headers to the POST request. With the environment variables updated and the credentials stored in the .env file, running the script is a success. One of the offers has been boosted. Running the script for all offers and refreshing the page shows that all offers have been boosted successfully.
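The script described in the last three sections, written out as an added example (it is not the code generated in the video): the endpoint URLs, the `Authorization` header, the `REWARDS_TOKEN` variable and the JSON field names are placeholders, since the page does not show the real ones. The `send` parameter is an assumption of this example so the request logic can be exercised without network access.

```python
import json
import os
import urllib.error
import urllib.request

# Placeholders: the page does not give the real URLs, header names or field names.
OFFERS_URL = "https://rewards.example.invalid/api/offers"
BOOST_URL = "https://rewards.example.invalid/api/offers/boost"
NOT_ACTIVATED = "NotActivated"  # assumed spelling of the "not activated" status
TOKEN_VAR = "REWARDS_TOKEN"     # hypothetical variable name for the credential

def load_env(path=".env"):
    """Read KEY=VALUE pairs from a .env file; the process environment wins."""
    values = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                key, sep, val = raw.strip().partition("=")
                if sep and not key.startswith("#"):
                    values[key.strip()] = val.strip().strip("\"'")
    return {**values, **os.environ}

def build_headers(env):
    # Fail early instead of sending unauthenticated requests.
    if not env.get(TOKEN_VAR):
        raise RuntimeError(f"{TOKEN_VAR} is not set in the environment or .env")
    return {"Authorization": f"Bearer {env[TOKEN_VAR]}", "Content-Type": "application/json"}

def http_send(method, url, headers, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # e.g. an already-boosted offer id
        return err.code, {}

def boost_all(headers, send=http_send):
    """Boost every offer still marked not activated; return the ids that got HTTP 200."""
    status, data = send("GET", OFFERS_URL, headers)
    if status != 200:
        raise RuntimeError(f"offers request failed: HTTP {status}")
    boosted = []
    for offer in data.get("offers", []):
        if offer.get("status") == NOT_ACTIVATED:
            # The same headers go on the POST: the second fix described above.
            code, _ = send("POST", BOOST_URL, headers, {"offerIds": [offer["id"]]})
            if code == 200:
                boosted.append(offer["id"])
    return boosted
```

Run it with `boost_all(build_headers(load_env()))`, and keep the `.env` file out of version control so the credential never lands in a repository.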

Conclusion and Next Steps

All that remains is to add a cron job to run the script daily and boost all the new offers. I won’t cover that in this video, but if you’d like to see how it’s done, leave a comment. See you next time!

Csaba is passionate about Cyber Security, Pentesting and just making things work.
