A pizza-ordering web application on Bugforge gives registered users a single-use discount code. The flag goes to whoever can apply more discount than they should — the fix is one HTTP request away, but you'll need to think carefully about how the server interprets the input you send.
Objective: Understand why simple repetition attacks against the discount field do not work, so you can reason about what the server IS vulnerable to.
Context: Before finding the real exploit, it is worth understanding what the server correctly rejects. This step is about building your mental model of the server's validation logic.
Try the most obvious approach first: what happens if you submit the same discount code more than once in the same request as a repeated string value?
The server likely enforces single-use at the string level — repeating the same string value (e.g., `"discount": "PIZZA-10,PIZZA-10"`) or sending the field twice does not bypass the check.
Repeating the code as a plain string (e.g., `PIZZA-10 PIZZA-10`) or sending the field multiple times in the body are both rejected. Think about whether a different *data type* for the `discount` field might be parsed differently by the server.
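Seen from the defender's side, the string-level rejections described above only hold if the field is a string when it reaches the single-use check. The sketch below is an added example, not the Bugforge application's code: the function name, the in-memory store, the user id and the code format are assumptions, and the check that a code was actually issued to the user is left out.

```javascript
// Added illustration; not the Bugforge application's code.
// Assumed code format, modelled on the page's PIZZA-10 sample.
const CODE_FORMAT = /^[A-Z]+-\d{1,2}$/;

// Hypothetical in-memory record of codes already redeemed, keyed by user id.
const redeemed = new Map();

// Validate and redeem the `discount` field of a parsed JSON order body.
// Returns { ok: true, code } or { ok: false, reason }.
function redeemDiscount(userId, body) {
  const value = body.discount;
  // Type check first: JSON also allows arrays, objects, numbers, booleans
  // and null here, and each would reach later logic as a non-string.
  if (typeof value !== "string") {
    return { ok: false, reason: "discount must be a string" };
  }
  const code = value.trim().toUpperCase();
  // Whole-value match: rejects "PIZZA-10,PIZZA-10" and "PIZZA-10 PIZZA-10".
  if (!CODE_FORMAT.test(code)) {
    return { ok: false, reason: "malformed discount code" };
  }
  const used = redeemed.get(userId) ?? new Set();
  if (used.has(code)) {
    return { ok: false, reason: "discount code already used" };
  }
  used.add(code);
  redeemed.set(userId, used);
  return { ok: true, code };
}

// Constructed request bodies: only the first should be accepted.
function demo() {
  redeemed.clear();
  const bodies = [
    '{"discount": "PIZZA-10"}',
    '{"discount": "PIZZA-10"}',
    '{"discount": "PIZZA-10,PIZZA-10"}',
    '{"discount": "PIZZA-10 PIZZA-10"}',
    '{"discount": ["PIZZA-10"]}',
    '{"discount": {"code": "PIZZA-10"}}',
    '{"discount": 10}',
  ];
  return bodies.map((raw) => redeemDiscount("user-1", JSON.parse(raw)).ok);
}

console.log(demo());
```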