CSCG 2020: StayWoke Shop

Opening the given URL we can find a web shop..

If we open the items, we can can see URLs like If we iterate over the different numbers we can find a product, which we could not find in the shop. The product one ( is called flag.

In the banner we can find a 20% coupon. It is possible to add up to ten items in the to the shopping cart and apply the coupon. The coupon is added as a item to the chart with an absolut value of 20% the current chart. We are able to add items to the chart, apply the coupon and remove the items again to get a €-2 bill. The coupon is not valid for the flag item and we can get €-2 as a maximum.

Now we take a look at the checkout procedure. There is a parameter paymentEndpoint which leads to server-side request forgery (SSRF), but we are not able to connect to our own hosted site.


If we insert an invalid endpoint like http://payment-api:9090/a we get the following error message.

Error from Payment API: "Cannot GET /a/wallets/1/balance\n\nTry GETting /help for possible endpoints."

To query the help endpoint we have to cut of the part appended by the application to our given paymentEndpoint. This can be achieved by appending a ?, so everything appended will be handled as a parameter. Using http://payment-api:9090/help? results in the following output.

Error from Payment API:
    "endpoints": [
        {"method":"GET","path":"/wallets/:id/balance","description":"check wallet balance"},
        {"method":"GET","path":"/wallets","description":"list all wallets"},
        {"method":"GET","path":"/help","description":"this help message"}

We can query the wallets with http://payment-api:9090/wallets?.

Error from Payment API: [{"account":"1337-420-69-93dcbbcd","balance":133500}]

We can find one account with a balance of €1335. The flag coasts €1337 so we first have to apply the €2 discount as described before to buy the flag item.