
BugForge Write-Up 3/16/2026

  • icanhaspii
  • Mar 17
  • BugForge Daily Challenge 3/16/2026 - Cheesy Does It

 

 

Hint: Can you tamper with the price via the tip feature?



Note: If there is an admin account active for a lab, the credentials are admin:admin123


  • I launched Burp.


  • I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now.


  • I created a user account and was taken to an app that appeared to behave a lot like an online pizza shop:



  • Next, following along with both the @r0zx and Zwarts write-ups, I chose a pizza, and then I hit the "Add to Cart" button: 



  • Next, I hit the shopping cart icon:


  • Now, over in my Burp proxy, I turned on Intercept:


 

  • Next, I went back to my pizza order, and I hit the orange "Checkout" button:


 

  • Now, I hit the orange "Place Order" button:

 

  • Next, I went back over to my Burp "Intercept" tab. Once there, I saw traffic for: "POST /api/payment/validate HTTP/2":


  • Toward the bottom of my "Request" tab for this intercepted traffic, I made the following change (basically I changed the tip from zero to -100):

    {
      "card_number":"4444 4444 4444 4444",
      "exp_month":"12",
      "exp_year":"25",
      "cvv":"123",
      "amount":12.99,
      "tip":0
    }


to:


    {
      "card_number":"4444 4444 4444 4444",
      "exp_month":"12",
      "exp_year":"25",
      "cvv":"123",
      "amount":12.99,
      "tip":-100
    }



  • Once you have made that change, hit the orange "Forward" button toward the top of the Burp app:


 

  • Next, you will see traffic for "POST /api/payment/process HTTP/2". Make no changes; just hit the orange "Forward" button:


 

  • Now, you will see traffic for "POST /api/orders HTTP/2". Toward the very bottom, make the following changes (basically I changed the tip from zero to -100):



      ],
      "delivery_address":"1313 Mockingbird Lane",
      "phone":"2125551212",
      "payment_method":"card",
      "notes":"",
      "payment_token":"252afca8-9fd4-4a65-88ba-d9790f78aefd",
      "tip":0
    }


to:


      ],
      "delivery_address":"1313 Mockingbird Lane",
      "phone":"2125551212",
      "payment_method":"card",
      "notes":"",
      "payment_token":"252afca8-9fd4-4a65-88ba-d9790f78aefd",
      "tip":-100
    }


  • Next, hit the orange "Forward" button:

 

  • Now, hit the "Forward" button again 2-3 more times.


  • Next, back over in the online pizza store, hit the "Orders" button and you should see your flag!!!




bug{********************************} 
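
The server-side check that would stop the tampered tip above, as an added example (not code from the lab or from the original write-up). It assumes a constructed price list, a hypothetical item shape and tip limit, and that the amount authorised at the payment step is looked up server-side from the payment_token:

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue and limit; the lab's real prices and rules are not on the page.
MENU = {"margherita": Decimal("12.99")}
MAX_TIP = Decimal("100.00")  # assumed business limit

class OrderRejected(ValueError):
    """Raised when client-supplied order data fails a server-side check."""

def parse_tip(raw):
    """Return the tip as a Decimal in [0, MAX_TIP] with at most two decimals."""
    if isinstance(raw, bool) or not isinstance(raw, (int, float, str)):
        raise OrderRejected("tip must be a number")
    try:
        tip = Decimal(str(raw))
    except InvalidOperation:
        raise OrderRejected("tip is not a number") from None
    if not tip.is_finite() or tip < 0 or tip > MAX_TIP:
        raise OrderRejected("tip out of range")
    if tip != tip.quantize(Decimal("0.01")):
        raise OrderRejected("tip has more than two decimal places")
    return tip

def order_total(items, raw_tip, authorised_amount):
    """Price the order from the catalogue and require it to equal the amount
    the payment step authorised for this payment_token (looked up server-side)."""
    subtotal = Decimal("0")
    for item in items:  # hypothetical item shape: {"id": str, "qty": int}
        qty = item.get("qty")
        if item.get("id") not in MENU or type(qty) is not int or qty < 1:
            raise OrderRejected("unknown item or bad quantity")
        subtotal += MENU[item["id"]] * qty
    total = subtotal + parse_tip(raw_tip)
    if total != Decimal(str(authorised_amount)):
        raise OrderRejected("order total does not match authorised payment")
    return total

if __name__ == "__main__":
    cart = [{"id": "margherita", "qty": 1}]
    print(order_total(cart, 0, 12.99))        # accepted
    try:
        order_total(cart, -100, 12.99)        # the tampered tip from the write-up
    except OrderRejected as err:
        print("rejected:", err)
```

The same tip check belongs on both the payment validation request and the order request, since the write-up changes the value in each.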

 

 

##### End of Report ##### 

 

 
 