Gifts for me
Challenge
Nobody ever gifts me anything, if you want something you will need to take care of it!
Application: https://pizzamario2025.mendixctf.com
Difficulty: Easy
Solution
The description suggests we should gift ourselves something. Maybe a gift card? A quick scan of the homepage reveals a “Buy a gift card (get 20% from us)” button. Let’s buy one for me! The form uses a validation to check whether the “Receiver email” is the same as your own email.
However, it appears to be an on-page validation; it doesn’t block us from actually confirming the order. The clue is that the validation fires immediately when the input fields are modified, suggesting it runs on the page or via events. Once the confirm order action is triggered, this specific validation no longer occurs.
Vulnerability
Validations performed in the client (on page, nanoflows) are easy to bypass. I would probably map this to TSU-03: Insecure microflows, but it also contributes to TSU-01: Insecure user roles or TSU-02: Insecure entity access. Make sure to set up strict entity access and roles that cannot bypass server-side validations.
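To make the remediation concrete, here is an added illustration (not code from the challenge application or from Mendix) of the same “receiver must not be your own email” rule enforced in two places. `clientValidateReceiver` stands in for the on-page check, which only produces a UI message when an input changes. `confirmOrder` is a hypothetical server-side handler, the equivalent of a microflow behind the confirm action: it takes the account email from the authenticated session rather than from the request, and re-applies the rule, so a request that never went through the on-page check is still rejected. The session store, emails and handler names are constructed for the example.

```javascript
// Added example: client-side hint vs. server-side enforcement of one business rule.
// Everything below (sessions, emails, function names) is constructed for illustration.

// Stand-in for an on-page / nanoflow validation. It runs when an input changes
// and returns a message for the UI. Nothing here prevents the order being submitted.
function clientValidateReceiver(form) {
  const receiver = String(form.receiverEmail || "").trim().toLowerCase();
  const own = String(form.accountEmail || "").trim().toLowerCase();
  if (receiver === own) {
    return { valid: false, message: "You cannot send a gift card to yourself" };
  }
  return { valid: true, message: "" };
}

// Constructed session store: the account email is bound to the session on the
// server, so the client cannot choose which account it is "validated" against.
const sessions = new Map([
  ["sess-mario", { accountEmail: "mario@example.com" }],
]);

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Stand-in for the microflow behind "confirm order". The rule is re-checked here
// against the session, independent of anything the page did or did not validate.
function confirmOrder(sessionId, body) {
  const session = sessions.get(sessionId);
  if (!session) {
    return { status: 401, error: "not authenticated" };
  }
  const receiver = String((body && body.receiverEmail) || "").trim().toLowerCase();
  if (!EMAIL_RE.test(receiver)) {
    return { status: 400, error: "invalid receiver email" };
  }
  if (receiver === session.accountEmail.toLowerCase()) {
    return { status: 403, error: "gift cards cannot be sent to your own account" };
  }
  // Discount value taken from the button text on the challenge homepage.
  return { status: 200, order: { receiverEmail: receiver, discountPercent: 20 } };
}

module.exports = { clientValidateReceiver, confirmOrder };
```

The important design choice is that `confirmOrder` never trusts a “validated” flag or an account email supplied by the client; in Mendix terms the check belongs in the microflow (with entity access that prevents the order being committed any other way), not only in a nanoflow or page validation.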
Flag
You shall not pass!