The Challenge
An online shop in which the flag is sold as an item priced above your balance. The purchase request sends both the item ID and the price to the server as POST parameters.
Approach
If the server computes balance -= costo using the client-supplied costo, sending costo=0 makes the purchase free: the balance check passes, the item is dispensed and the flag is returned.
Solution
Two POST parameters: id=2 selects the flag item, costo=0 sets the price to zero. The server trusts both and returns the purchased item — the flag.
What I Learned
Prices must always come from a trusted server-side product catalogue, never from the client. The only things the client may legitimately choose are which item to buy and how many, and even those must be validated (known item ID, positive and bounded quantity) before they enter the calculation. Any financial figure the server reads from the request as-is is a parameter-tampering flaw in the business logic, and no input filtering fixes it: the parameter simply should not exist.
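To make the bug and the fix concrete, here is an added example (my own code, not the challenge's server) that models both handlers as plain Python functions over a urlencoded POST body. The catalogue, item IDs and prices are constructed for the demo; only the parameter names id and costo come from the writeup. It also goes one step beyond the writeup: with balance -= costo trusted, a negative costo credits the account instead of merely making the item free.

```python
from urllib.parse import parse_qs

# Constructed catalogue standing in for the shop's database (hypothetical
# item IDs and prices in whole currency units). The flag is id=2 and is
# priced above the attacker's starting balance, as in the challenge.
CATALOG = {
    1: {"name": "sticker", "price": 5},
    2: {"name": "flag", "price": 1000},
}


class PurchaseError(Exception):
    """Raised when a purchase is rejected."""


def _form(body):
    """Parse a urlencoded POST body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def purchase_vulnerable(balance, body):
    """The bug from the writeup: the price ('costo') is taken from the request.

    Returns (new_balance, item_name). The only check is balance >= costo,
    so costo=0 makes the flag free and a negative costo credits the account.
    """
    form = _form(body)
    item_id = int(form["id"])
    costo = int(form["costo"])          # client-controlled price
    if item_id not in CATALOG:
        raise PurchaseError("unknown item")
    if balance < costo:
        raise PurchaseError("insufficient funds")
    return balance - costo, CATALOG[item_id]["name"]


def purchase_fixed(balance, body):
    """Hardened handler: the client may only choose *what* to buy.

    The price is looked up server-side and any client-sent 'costo' is
    ignored, so the same id=2&costo=0 request is rejected for lack of funds.
    """
    form = _form(body)
    try:
        item_id = int(form["id"])
    except (KeyError, ValueError):
        raise PurchaseError("missing or malformed item id") from None
    item = CATALOG.get(item_id)
    if item is None:
        raise PurchaseError("unknown item")
    price = item["price"]               # trusted, server-side value
    if balance < price:
        raise PurchaseError("insufficient funds")
    return balance - price, item["name"]


def is_rejected(handler, balance, body):
    """True if the handler refuses the purchase (used for the checks below)."""
    try:
        handler(balance, body)
    except PurchaseError:
        return True
    return False


if __name__ == "__main__":
    body = "id=2&costo=0"
    print("vulnerable:", purchase_vulnerable(10, body))
    print("vulnerable, negative price:", purchase_vulnerable(10, "id=2&costo=-990"))
    print("fixed rejects the same request:", is_rejected(purchase_fixed, 10, body))
```

The fixed handler silently drops costo; in a real shop it is worth logging any request that carries a price field at all, since a legitimate client never sends one and its presence is a clean tampering signal.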