Simon McCabe

OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert

Cheesy Does It writeup


This poor pizza chef makes some outstanding pizzas... the only problem is, he is losing money with every pizza he makes! Let’s investigate why!

Step 1: Register

As always with BF labs, we’ll need to register an account. The aim with these kinds of labs is often to get the pizza for free using various methods. So this time, we’ll see how the “normal” pizza flow is.

Step 2: Add pizza to cart

Add a pizza to the cart and then click the cart icon which should now show a red circle with a ‘1’ in (top right) to see the pizza in the cart.

Step 3: Add a custom tip of 100%

Add a custom tip of 100% and hit the Place Order button. Ensure you’re capturing traffic.

Step 4: Negative tip

Immediately after submitting your order, you’ll see this request. Here, make your tip -100% by adding a minus symbol before the 100.

Step 5: Payment token

At this point, a payment_token is generated for you and the tip disappears (so maybe there is some logic going on here to invalidate the tip and just charge you for the pizza). Forward this request on.

Step 6: Alter the tip (again)

Now you’ll see this request, where the tip is showing again as 100.

The same applies again: enter a minus symbol before the 100.

Right-click and choose Do Intercept > Response to this request (if you’re not using Burp Suite, you may have the equivalent in whatever tool you’re using).

Step 7: Free pizza

You’ll now find that the pizza has had 100% of the price taken off and the flag appears in the order_number field of the response:

And you’ll also see it on screen:

Why did this happen? The logic behind this is likely: calculated_total = items_total × (1 + tip_percentage ÷ 100). With tip_percentage set to -100, the multiplier (1 + (-100 ÷ 100)) evaluates to zero, so the total is zero regardless of items_total, and you get a free pizza.
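To make that explanation concrete, here is an added example (my own illustration, not the lab’s backend code, which this writeup never sees). It shows the suspected formula with the client-supplied tip trusted as-is, then the fix a defender would want: a server-side tip validator that rejects negative, non-numeric or out-of-range values, a total recomputed from server-side prices, and a payment_token that commits to that total with an HMAC so a tip re-sent to a later endpoint cannot lower the charge. The menu prices, the secret, and all function names are assumptions for the example.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
import hashlib
import hmac
import secrets

# Constructed sample menu with placeholder prices (not the lab's real catalogue).
MENU = {"margherita": Decimal("10.00"), "pepperoni": Decimal("12.50")}
MAX_TIP_PERCENT = Decimal("100")
SERVER_SECRET = b"constructed-demo-secret"  # placeholder; a real service loads this from config


def vulnerable_total(items_total, tip_percentage):
    """The formula the writeup suspects: the client-supplied tip is used unchecked."""
    return Decimal(str(items_total)) * (1 + Decimal(str(tip_percentage)) / 100)


class InvalidTip(ValueError):
    """Raised when a tip fails server-side validation."""


def parse_tip(raw):
    """Accept only a finite, non-negative percentage within the allowed range."""
    try:
        tip = Decimal(str(raw))
    except (InvalidOperation, ValueError, TypeError):
        raise InvalidTip("tip must be numeric, got %r" % (raw,))
    if not tip.is_finite() or tip < 0 or tip > MAX_TIP_PERCENT:
        raise InvalidTip("tip out of range: %s" % tip)
    return tip


def tip_is_accepted(raw):
    """True if parse_tip() would accept the value, False if it would reject it."""
    try:
        parse_tip(raw)
        return True
    except InvalidTip:
        return False


def hardened_total(order_items, tip_raw):
    """Recompute the total from server-side prices and a validated tip; never trust a client total."""
    items_total = Decimal("0")
    for name, qty in order_items.items():
        if name not in MENU or int(qty) <= 0:
            raise ValueError("unknown item or bad quantity: %s x %s" % (name, qty))
        items_total += MENU[name] * int(qty)
    multiplier = 1 + parse_tip(tip_raw) / 100
    return (items_total * multiplier).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def issue_payment_token(order_items, tip_raw):
    """Bind the token to the server-computed total with an HMAC so later requests cannot change it."""
    total = hardened_total(order_items, tip_raw)
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, ("%s|%s" % (nonce, total)).encode(), hashlib.sha256).hexdigest()
    return "%s:%s:%s" % (nonce, total, mac), total


def place_order(payment_token, tip_raw=None):
    """Final order step: charge the amount committed in the token; any tip re-sent here is ignored."""
    try:
        nonce, total_s, mac = payment_token.split(":")
    except ValueError:
        raise ValueError("malformed payment token")
    expected = hmac.new(SERVER_SECRET, ("%s|%s" % (nonce, total_s)).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("payment token failed integrity check")
    return Decimal(total_s)


if __name__ == "__main__":
    print("vulnerable, tip -100:", vulnerable_total("10.00", "-100"))
    print("hardened, tip 100:", hardened_total({"margherita": 1}, "100"))
    token, total = issue_payment_token({"margherita": 1}, "10")
    print("charged from token despite tip -100:", place_order(token, tip_raw="-100"))
```

The two fixes address the two places the writeup tampers with the tip: parse_tip() stops the negative value at the first endpoint, and binding the total into the token means the tip shown again at the later endpoint has no effect on what is charged.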

Thanks for reading!

### UPDATE ###

I’ve since been told by h00p that the first step isn’t necessary and you don’t need to do the negative tip until you hit the /api/orders endpoint. I should probably go back and test this, but I believe it. That explains why when I did this originally and only did a -100 on the first endpoint after checking out, it didn’t give me the discount. So, thanks h00p!
