Cheesy Does It
The lab we got today came with the hint "web".
Because web can mean absolutely everything and nothing at the same time, I did what I always do: click my way through the lab and see what I could find in the requests I made during my little clickfest.
When going over the requests, I noticed POST /api/order. The request had the price inside the body that was sent to the backend. Pretty weird. I suppose the object is made with the information on the website and not with information stored somewhere on the backend.

So what would happen if I just changed the price before sending it off to the backend? I sent the request to Repeater and changed the prices.

The order was successfully placed. I could see this in the frontend too, where my order had a grand total of $0 🤑

On top of the order details was my flag 🇧🇪
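
The root cause above is a backend that builds the order total from prices in the request body. As an added example (not code from the lab or from this write-up), here is that flawed pattern next to a handler that reads only the item id and quantity from the body and prices them from a server-side catalog. The catalog, the item ids and the body field names (`items`, `id`, `qty`, `price`) are assumptions, since the post does not show the real schema.

```python
from decimal import Decimal

# Hypothetical server-side catalog; the lab's real items and prices are not in the post.
CATALOG = {
    "margherita": Decimal("9.50"),
    "quattro-formaggi": Decimal("12.00"),
}
MAX_QTY = 20


class OrderError(ValueError):
    """Raised when an order body fails server-side validation."""


def total_trusting_client(order):
    """Flawed pattern from the write-up: total built from body-supplied prices."""
    return sum(Decimal(str(line["price"])) * line["qty"] for line in order["items"])


def total_server_side(order):
    """Hardened pattern: only id and quantity are read; any 'price' field is ignored."""
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise OrderError("order has no items")
    total = Decimal("0")
    for line in items:
        item_id, qty = line.get("id"), line.get("qty")
        if not isinstance(item_id, str) or item_id not in CATALOG:
            raise OrderError(f"unknown item: {item_id!r}")
        # bool is a subclass of int, so it is rejected explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderError(f"invalid quantity: {qty!r}")
        total += CATALOG[item_id] * qty
    return total


def price_mismatches(order):
    """Detection aid: ids of lines whose client-sent price differs from the catalog."""
    return [
        line["id"] for line in order["items"]
        if "price" in line and Decimal(str(line["price"])) != CATALOG.get(line["id"])
    ]


# Constructed sample body: an order whose prices were all changed to 0.
TAMPERED = {"items": [
    {"id": "margherita", "qty": 2, "price": 0},
    {"id": "quattro-formaggi", "qty": 1, "price": 0},
]}
```

Logging the output of `price_mismatches` for each order gives defenders a signal that a request body was edited, even when the hardened total makes the edit harmless.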