Cheesy Does It — Business Logic Discount Abuse (Bugforge)

EN · easy · CTF challenge · Business Logic · JSON Array Injection · Coupon Abuse · Parameter Tampering · Burp Suite

A pizza-ordering web application on Bugforge gives registered users a single-use discount code. The flag goes to whoever can apply more discount than they should — the fix is one HTTP request away, but you'll need to think carefully about how the server interprets the input you send.

Step 1 · Register, Log In & Identify the Discount Code

Objective: Create an account, log in to the application, and locate the discount code that is presented to you after authentication.

Context: The target is a Bugforge pizza-ordering web application. You need a valid account to proceed through the purchase flow.

Progressive hints

Hint 1 — directional nudge

After logging in, look around your account dashboard or the checkout area for any promotional information the app surfaces automatically.

Hint 2 — technique / vuln class

Applications often display coupon or discount codes on the landing page or in the user dashboard after login — check for any banner, label, or text that looks like a promo code.

Hint 3 — near solution

The discount code displayed to you after login is PIZZA-10. Note it down; you will inject it into the purchase request.

Official solution

Register a new account and log in. The application displays the discount code PIZZA-10 on the post-login screen. Note this code for use in the purchase flow.

Validation criteria: Student registers, authenticates, and records the coupon code PIZZA-10 from the application UI.
