Cafe Club
This was a pretty difficult one to discover, and although the exploit was pretty straightforward, I learned a valuable lesson today.
I tried a lot with the points, gift cards, messing with everything and nothing at the same time. But the vulnerability turned out to be a race condition.
First we need something in our cart, then we go to the checkout. We intercept the final action, send it to Repeater and drop the packet.

Next we need to send a request to Repeater that adds something to our cart. We copy the request a few times there and change the item_id for each request.

Next step is to group those add-item and buy requests into one big happy family, and then send them in parallel.

When the request goes through, some items are added after the cart is paid for 🤑

Extra things, and a flag 🇧🇪
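
The steps above work because the shop prices the cart at one moment and hands over its contents at a later one. The following is an added example, not the challenge's code: the `Shop` class, the prices and all method names are assumptions, and the `concurrent` hook stands in for the parallel add-to-cart requests. It models that window server-side next to a checkout that locks the cart and delivers only what it priced.

```python
PRICES = {1: 5, 2: 40, 3: 120}  # constructed catalogue: item_id -> price

class CartLocked(Exception):
    """An add-to-cart request arrived while the cart was being paid for."""

class Shop:
    def __init__(self, balance):
        self.balance = balance
        self.cart = []
        self.locked = False

    def add_item(self, item_id):
        if self.locked:
            raise CartLocked(item_id)
        self.cart.append(item_id)

    def checkout_vulnerable(self, concurrent=lambda: None):
        total = sum(PRICES[i] for i in self.cart)  # cart is priced here...
        if total > self.balance:
            raise ValueError("insufficient balance")
        concurrent()  # parallel requests land inside this window
        self.balance -= total
        delivered, self.cart = self.cart, []  # ...but the live cart is delivered
        return delivered

    def checkout_hardened(self, concurrent=lambda: None):
        self.locked = True  # a real app would use a DB transaction or row lock
        try:
            order = tuple(self.cart)  # immutable snapshot: priced == delivered
            total = sum(PRICES[i] for i in order)
            if total > self.balance:
                raise ValueError("insufficient balance")
            concurrent()
            self.balance -= total
            self.cart = []
            return list(order)
        finally:
            self.locked = False

def run(checkout_name):
    shop = Shop(balance=10)
    shop.add_item(1)  # the one cheap item we can actually afford
    def late_add():  # simulated parallel add of item 3 (price 120)
        try:
            shop.add_item(3)
        except CartLocked:
            pass  # the server would answer this request with an error
    delivered = getattr(shop, checkout_name)(late_add)
    return delivered, shop.balance
```

`run("checkout_vulnerable")` delivers item 3 while charging only for item 1; `run("checkout_hardened")` charges the same amount and delivers item 1 alone.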