A pizza-ordering web application on Bugforge gives registered users a single-use discount code. The flag goes to whoever can apply more discount than they should — the fix is one HTTP request away, but you'll need to think carefully about how the server interprets the input you send.
Objective: Exploit the server's failure to type-check the `discount` field by converting it from a string to a JSON array containing the coupon code multiple times, and retrieve the flag.
Context: The `toppings` field in the same request uses the format `["item","item"]`. The server may apply the same lenient parsing to any array it receives — including the `discount` field.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
Look at how the `toppings` field is structured and consider whether the `discount` field could be sent in the same format.
This is a JSON type-confusion / business logic flaw. Try changing the `discount` value from a string to a JSON array of strings.
Change the `discount` field in the POST body from `"discount": "PIZZA-10"` to `"discount": ["PIZZA-10","PIZZA-10"]` and send the request. The server processes each array element as a separate coupon application.
Chat with a spoiler-safe tutor for this step. It uses only this lab spec and gives the smallest useful nudge first.
Tell the tutor what you tried, where you got stuck, or paste the response/error you are seeing.
Enjoying Hintru? Buy me a coffee ☕ ☕