API Payments 01

---

Our task is to find a way to tell the shopping application that you paid without paying.

Navigate to the webpage

Lets add something to cart

Checking out, you’ll see this

Lets provide these information, we’ll capture the request on burpsuite and send it over to burp repeater

You can see we got a url that redirects to the success page (which tells us that the payment was successful)

Mavigating to that url

We got the key hehe

Submitting the key

We have successfully completed this exercise

---

API Payments 02

---

Our goal is to discover how to use this behaviour in the shopping application to avoid paying the full amount

We were provided with a credit card

Now, navigate to the webpage

Lets proceed to check out

We’ll provide the card details and try to purchase the key

oops, insufficient funds.

Lets provide our card details again, but this time we’ll capture the request using burpsuite and send it over to burp repeater

What happens when we change the amount to another price, say 1??

Well, lets find out

Nice hehe, lets navigate to the url page that tells us the payment was a success

Submitting the key

We have successfully completed this exercise

---

#

---

Our task is to get the key that solves this exercise for less

Navigate to the webpage

Trying to buy the key

We get the “insufficient fund” error