BugForge Write-Up 3/9/2026
- icanhaspii
- Mar 9
BugForge Daily Challenge 3/9/2026 - Cheesy Does It

Hint: Can [you] apply the discount multiple times?

Note:
If there is an admin account active for a lab, the credentials are admin:admin123
I launched Caido.
I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now.
I created a user account and was taken to an app that behaved a lot like an online pizza shop. Immediately upon login I noticed a discount code near the top of the site's main page: "Use the discount code PIZZA-10 for a 10% discount today only!"

I then picked a pizza and added it to my order:

Over in my shopping cart, I hit the "Checkout" button and noticed a "Discount Code" field, so I pasted my "PIZZA-10" Discount Code in there and hit the "Place Order" button:

Over in my Caido proxy window, I found the "POST /api/orders/1" request, highlighted that line, right-clicked and selected "Send to Replay -> Default Collection":

Moving over to the Caido "Replay" tab, I hit the red "Send" button so that I would have a baseline of what the traffic "Response" looked like.
Following along with the @_shadowforge__ writeup, I made the following changes inside the "Request" pane of the "Replay" tab, from:
    }
  ],
  "delivery_address":"1313 Mockingbird Lane",
  "phone":"2125551212",
  "payment_method":"card",
  "notes":"",
  "discount":[
    "PIZZA-10",
    "PIZZA-10",
    "PIZZA-10",
    "PIZZA-10"
  ]
}
to:
    }
  ],
  "delivery_address":"1313 Mockingbird Lane",
  "phone":"2125551212",
  "payment_method":"card",
  "notes":"",
  "discount":["PIZZA-10",
    "PIZZA-10",
    "PIZZA-10",
    "PIZZA-10"
  ]
}
Next, I hit the red "Send" button for the win!

{
  "id": 10,
  "order_number": "CDI-1773091566747-OUA33EHHS",
  "message": "Order created successfully",
  "status": "received",
  "flag": " bug{********************************}"
}
Author’s End Note:
Other than trial and error, I wasn’t really sure why this worked and I wanted to learn, so I asked Gemini:
You said:
I just finished a CTF. Can you tell me why this worked for the flag? Using Discount code multiple times, and what type of bug was that?
    }
  ],
  "delivery_address":"1313 Mockingbird Lane",
  "phone":"2125551212",
  "payment_method":"card",
  "notes":"",
  "discount":["PIZZA-10",
    "PIZZA-10",
    "PIZZA-10",
    "PIZZA-10"
  ]
}
Gemini said:
Nice work on the CTF! What you found is a classic logic flaw in how the server processes data.
The bug you exploited is officially known as a Business Logic Vulnerability, specifically an Improper Validation of Array Input (or "Array Parameter Injection").
Here is the breakdown of why that JSON payload bypassed the system:
1. The Logic Gap
Most developers write code to check if a discount code is valid. However, they often assume the discount field will be a single string (e.g., "discount": "PIZZA-10").
When you sent an array (the [...] brackets), the backend likely looped through every item in that list. If the code didn't have a check saying "only one discount allowed per order," it simply validated "PIZZA-10" four times and applied the 10% deduction four times.
2. The Result: Price "Underflow" or Stacking
Depending on how the math was handled, you likely achieved one of two things:
- Stacking: 10% + 10% + 10% + 10% = 40% off.
- Compounding: Calculating 10% off the already discounted price four times.
- Negative Totals: In some poorly coded CTFs, if you send enough codes, the price drops below $0, and the system might actually "pay" you (or grant the flag because the total is ≤0).
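To make the mechanics concrete, here is an added Python model of an order endpoint's discount handling; it is not code from the write-up, from Gemini, or from the BugForge lab. It puts the looping behaviour Gemini describes next to a hardened version and runs both over a request body shaped like the one sent in Replay above. The menu prices, the promo table, the "items" key and the item fields are assumptions constructed for this illustration; "PIZZA-10", the address and the phone number are the values from the write-up.

```python
# Added example, not code from the write-up or the BugForge lab. It models an
# order endpoint's discount handling so the stacked-code behaviour can be seen
# next to a hardened version. Menu prices, the promo table, the "items" key and
# the item shape are constructed for this illustration.
import json
from decimal import Decimal, ROUND_HALF_UP

MENU = {"margherita": Decimal("12.00"), "pepperoni": Decimal("14.00")}
DISCOUNT_CODES = {"PIZZA-10": Decimal("0.10")}   # the one advertised promo, 10% off


def _money(amount):
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def subtotal(items):
    return sum((MENU[i["pizza"]] * i["qty"] for i in items), Decimal("0"))


def total_vulnerable(order, compound=True):
    """The flaw: whatever arrives in "discount" is iterated, so a list of
    valid codes is honoured once per element. compound=True re-applies 10%
    to the already reduced price; compound=False adds the rates up first,
    which is the variant that can push the total below zero."""
    total = subtotal(order["items"])
    codes = order.get("discount", [])
    if isinstance(codes, str):          # a single string is treated as one code
        codes = [codes]
    if compound:
        for code in codes:
            if code in DISCOUNT_CODES:
                total -= total * DISCOUNT_CODES[code]
    else:
        rate = sum((DISCOUNT_CODES.get(c, Decimal("0")) for c in codes), Decimal("0"))
        total -= total * rate
    return _money(total)


class BadRequest(ValueError):
    """Raised where a real endpoint would answer 400."""


def total_hardened(order):
    """Fixes: the field must be a single string, it is looked up once,
    applied once, and the result is clamped so it can never go negative."""
    total = subtotal(order["items"])
    code = order.get("discount")
    if code in (None, ""):
        return _money(total)
    if not isinstance(code, str):
        raise BadRequest("discount must be a single string")
    rate = DISCOUNT_CODES.get(code)
    if rate is None:
        raise BadRequest("unknown discount code")
    total -= total * rate
    return _money(max(total, Decimal("0")))


def hardened_result(order):
    """What the hardened endpoint would return, as a plain dict."""
    try:
        return {"ok": True, "total": str(total_hardened(order))}
    except BadRequest as exc:
        return {"ok": False, "error": str(exc)}


# Constructed request bodies in the shape of the lab's POST /api/orders body.
SINGLE_ORDER = json.loads("""{
  "items": [{"pizza": "margherita", "qty": 1}, {"pizza": "pepperoni", "qty": 1}],
  "delivery_address": "1313 Mockingbird Lane",
  "phone": "2125551212",
  "payment_method": "card",
  "notes": "",
  "discount": "PIZZA-10"
}""")
STACKED_ORDER = dict(SINGLE_ORDER, discount=["PIZZA-10"] * 4)   # the write-up's payload
ELEVEN_ORDER = dict(SINGLE_ORDER, discount=["PIZZA-10"] * 11)   # enough to go negative


if __name__ == "__main__":
    for name, order in [("single", SINGLE_ORDER), ("x4", STACKED_ORDER), ("x11", ELEVEN_ORDER)]:
        print(name,
              "compound:", total_vulnerable(order),
              "additive:", total_vulnerable(order, compound=False),
              "hardened:", hardened_result(order))
```

On a $26.00 subtotal the single code gives $23.40 either way; the four-code list gives $17.06 under compounding and $15.60 under additive stacking, and eleven codes take the additive variant to -$2.60, which is the "negative total" case. The hardened handler returns the $23.40 for the string and rejects the list with a 400-style error, so a server-side log of those rejections is also the simplest detection signal for this kind of probing.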
##### End of Report #####