A pizza-ordering web application on Bugforge gives registered users a single-use discount code. The flag goes to whoever can apply more discount than they should — the fix is one HTTP request away, but you'll need to think carefully about how the server interprets the input you send.
Objective: Begin a pizza purchase, apply the PIZZA-10 discount code at checkout, and intercept the resulting HTTP POST request with Burp Suite to inspect the full request body.
Context: With Burp Suite configured as your proxy, walk through the purchase flow and apply the discount code when prompted.
Set up Burp Suite to intercept traffic, then go through the checkout process and apply the discount code — stop the request before it reaches the server.
Look at the raw POST request body. There should be a JSON parameter specifically for the discount code alongside other order parameters like item name and toppings.
In the intercepted POST request you will see a JSON body containing a `discount` field (set to `"PIZZA-10"`) and a `toppings` field that is already formatted as a JSON array (e.g., `["item","item"]`).
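For the defender's side of this request, the following is an added example (not Bugforge's application code) showing how a checkout handler should validate that same JSON body: every field is type-checked, `discount` is accepted only as a single string naming a known code, and a code can be redeemed once. The field names `item`, `toppings` and `discount` follow the request described above; the `DISCOUNTS` table, prices and `used_codes` store are constructed for the example.

```python
import json
import re

# Constructed discount table for the example (code -> percent off); not Bugforge's data.
DISCOUNTS = {"PIZZA-10": 10}
CODE_PATTERN = re.compile(r"^[A-Z0-9-]{3,20}$")


class OrderError(ValueError):
    """Raised for any malformed or disallowed checkout body."""


def parse_order(raw: bytes) -> dict:
    """Parse the checkout JSON body and validate the type of every field.

    The defensive point: `discount` must be exactly one JSON string naming a
    known code. Any other JSON type (array, object, number) is rejected
    rather than coerced. `toppings` is the only field that may be an array.
    """
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise OrderError(f"invalid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise OrderError("body must be a JSON object")

    item = body.get("item")
    if not isinstance(item, str) or not item:
        raise OrderError("item must be a non-empty string")

    toppings = body.get("toppings", [])
    if not isinstance(toppings, list) or not all(isinstance(t, str) for t in toppings):
        raise OrderError("toppings must be an array of strings")

    discount = body.get("discount")
    if discount is not None:
        if not isinstance(discount, str):
            raise OrderError("discount must be a single string code")
        if not CODE_PATTERN.match(discount) or discount not in DISCOUNTS:
            raise OrderError("unknown discount code")

    return {"item": item, "toppings": toppings, "discount": discount}


def price_order(order: dict, base_price: float, used_codes: set) -> float:
    """Apply at most one discount and record the code so it cannot be reused.

    `used_codes` stands in for the per-user single-use record; in a real
    service this check and the update must happen atomically in the store.
    """
    code = order["discount"]
    if code is None:
        return base_price
    if code in used_codes:
        raise OrderError("discount code already used")
    used_codes.add(code)
    return round(base_price * (100 - DISCOUNTS[code]) / 100, 2)


def checkout(raw: bytes, base_price: float, used_codes: set) -> float:
    """Full handler path: validate the body, then price it."""
    return price_order(parse_order(raw), base_price, used_codes)


if __name__ == "__main__":
    # Constructed sample request body shaped like the one seen in Burp.
    sample = b'{"item":"margherita","toppings":["olives","basil"],"discount":"PIZZA-10"}'
    used = set()
    print(checkout(sample, 20.0, used))  # 18.0
```

The validation runs before any pricing logic touches the data, so a body whose `discount` is not a plain string never reaches the discount calculation, and a second redemption of the same code by the same user is refused regardless of how the request is shaped.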