Improve lab

Improved version of Cheesy Does It — Business Logic Discount Abuse (Bugforge)

You are creating a new version of this lab. The original stays untouched. Your version will be signed by a cryptographic key generated in your browser — no email, no password. If you clear browser data without exporting your identity, you lose authorship over your contributions.

You do not have a signing identity yet in this browser.

Lab metadata

Title Summary Target type Difficulty Tags (comma-separated)

Steps

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Intercept the Purchase POST Request

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Explore Naive Bypass Attempts (Dead Ends)

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Manipulate How the Discount Field Is Sent

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.