A pizza-ordering web application on Bugforge gives registered users a single-use discount code. The flag goes to whoever can apply more discount than they should — the fix is one HTTP request away, but you'll need to think carefully about how the server interprets the input you send.
Objective: Exploit the server's failure to type-check the `discount` field by converting it from a string to a JSON array containing the coupon code multiple times, and retrieve the flag.
Context: The `toppings` field in the same request uses the format `["item","item"]`. The server may apply the same lenient parsing to any array it receives — including the `discount` field.
Look at how the `toppings` field is structured and consider whether the `discount` field could be sent in the same format.
This is a JSON type-confusion / business logic flaw. Try changing the `discount` value from a string to a JSON array of strings.
Change the `discount` field in the POST body from `"discount": "PIZZA-10"` to `"discount": ["PIZZA-10","PIZZA-10"]` and send the request. The server processes each array element as a separate coupon application.
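The server side of this flaw, as an added example that is not the challenge's own code: a lenient handler that iterates whatever `discount` holds, beside a hardened one that accepts only a single string and enforces single use. The coupon table, prices, additive stacking, topping names and function names are assumptions made for illustration.

```javascript
// Constructed data: coupon value and request bodies are illustrative only.
const COUPONS = { "PIZZA-10": 10 }; // code -> percent off (assumed)
const SINGLE_BODY = JSON.parse('{"toppings":["ham","olives"],"discount":"PIZZA-10"}');
const ARRAY_BODY = JSON.parse('{"toppings":["ham","olives"],"discount":["PIZZA-10","PIZZA-10"]}');

// Lenient handler (hypothetical): models the behaviour described above.
// A string is wrapped into a one-element list and an array is iterated as-is,
// so every element counts as a separate coupon application.
function priceLenient(body, basePrice) {
  const codes = [].concat(body.discount ?? []);
  let price = basePrice;
  for (const code of codes) {
    const pct = COUPONS[code];
    if (pct) price -= (basePrice * pct) / 100;
  }
  return price;
}

// Hardened handler (hypothetical): reject any non-string discount before
// lookup, and record redemption per user so a code is honoured only once.
function priceStrict(body, basePrice, userId, redeemed) {
  const d = body.discount;
  if (d === undefined || d === null) return { ok: true, price: basePrice };
  if (typeof d !== "string") {
    return { ok: false, error: "discount must be a string" };
  }
  const pct = COUPONS[d];
  if (pct === undefined) return { ok: false, error: "unknown coupon" };
  const key = `${userId}:${d}`;
  if (redeemed.has(key)) return { ok: false, error: "coupon already used" };
  redeemed.add(key); // in production this must be an atomic DB write
  return { ok: true, price: basePrice - (basePrice * pct) / 100 };
}
```

The type check alone stops the array form; the redemption record is what makes the code single-use across separate requests.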