After you log in, you'll notice a discount code: PIZZA-10. Note it down and get ready to use it while going through the flow. Purchase a pizza and intercept the traffic, stopping when you see the POST request in step 2.


Step 2: POST Req

Go through the purchase flow and you'll see there's a discount parameter in the body, which shows the discount code we entered in the previous step:


Step 3: What didn't work

I tried several things, including repeating the code over and over. However, this didn't work.


I also tried adding the pizzas to an array, but it didn't work (note: this was my fault and was a syntax error).


Step 4: toppings array

Looking at the toppings array in the POST request, we see the format is: ["item","item"], so let's form our discount based on this. We end up with: "discount":["PIZZA-10","PIZZA-10"].

So we can post this data in the body:


The response comes back with the flag as the coupon has been used twice:
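From the defender's side, the root cause is a handler that accepts an array where a single string is expected and applies each entry. The following is an added example, not code from the challenge: the vulnerable logic is an assumed reconstruction, and the price, coupon value, "pizza" field and function names are hypothetical.

```python
import json
from decimal import Decimal

# Constructed sample data; values are assumptions for illustration only.
COUPONS = {"PIZZA-10": Decimal("10.00")}
BASE_PRICE = Decimal("15.00")
SINGLE = '{"pizza":"margherita","toppings":["cheese","ham"],"discount":"PIZZA-10"}'
DOUBLED = ('{"pizza":"margherita","toppings":["cheese","ham"],'
           '"discount":["PIZZA-10","PIZZA-10"]}')


class InvalidOrder(ValueError):
    """Raised when the order body violates the expected schema or coupon rules."""


def price_vulnerable(body: str) -> Decimal:
    """Assumed flawed logic: coerces any JSON type and applies every entry."""
    order = json.loads(body)
    codes = order.get("discount", [])
    if isinstance(codes, str):
        codes = [codes]
    total = BASE_PRICE
    for code in codes:  # duplicate entries each subtract again
        total -= COUPONS.get(code, Decimal("0"))
    return total


def price_hardened(body: str, redeemed: set) -> Decimal:
    """Enforces one string code per order and single use per account."""
    order = json.loads(body)
    code = order.get("discount")
    if code is None:
        return BASE_PRICE
    if not isinstance(code, str):  # reject arrays/objects instead of coercing
        raise InvalidOrder("discount must be a single string")
    if code not in COUPONS:
        raise InvalidOrder("unknown discount code")
    if code in redeemed:  # redemption state is tracked server-side
        raise InvalidOrder("discount code already used")
    redeemed.add(code)
    return max(BASE_PRICE - COUPONS[code], Decimal("0"))  # never below zero
```

Strict type checking on the request schema closes the array variant; the server-side redemption record is what stops the same code being replayed in a second request.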


Thanks for reading!
