
BugForge - Daily - Cheesy Does It (Repeat)

This is a repeat of the daily challenge from February 2nd, 2026.


Vulnerability Overview

A business logic flaw in the tip functionality of the Cheesy Does It pizza ordering application allows users to submit negative tip percentages during the checkout process. The payment validation endpoint (/api/payment/validate) and order creation endpoint (/api/orders) both accept negative values for the tip parameter without proper server-side validation. By manipulating the tip percentage to a negative value, an attacker can effectively receive credits instead of paying, resulting in unauthorized discounts or even profit from placing orders.

Key Issues:

  • The tip parameter accepts negative values without server-side validation
  • Both the payment validation and order creation endpoints are affected
  • Financial parameters are trusted from the client rather than recalculated server-side
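To make the third key issue concrete, here is an added example (not code from the challenge application) contrasting a checkout validator that trusts the client's tip and subtotal with one that recomputes every monetary figure server-side and rejects out-of-range tips. The menu prices, the `items`/`sku`/`qty` payload shape, the 0-100 tip range and the function names are assumptions for illustration; the real application's data model is not shown on the page.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

# Constructed catalogue for the example; the real app's prices/ids are not on the page.
MENU_PRICES = {"margherita": Decimal("12.00"), "four_cheese": Decimal("15.50")}
TIP_MIN, TIP_MAX = 0, 100  # allowed tip percentage range (assumption)


@dataclass
class ValidationResult:
    ok: bool
    total: Optional[Decimal]
    error: Optional[str] = None


def _money(x: Decimal) -> Decimal:
    """Round to cents the way a payment processor would expect."""
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def vulnerable_validate(payload: dict) -> ValidationResult:
    """Mirrors the flaw in the write-up: the client-supplied subtotal and tip
    percentage are used as-is, so a negative tip drives the total below zero."""
    subtotal = Decimal(str(payload["subtotal"]))
    tip_pct = Decimal(str(payload["tip_percent"]))
    total = subtotal + subtotal * tip_pct / 100
    return ValidationResult(True, _money(total))


def hardened_validate(payload: dict) -> ValidationResult:
    """Trust only the cart contents; recompute subtotal, tip and total from
    server-side prices and reject any tip outside the allowed range."""
    # 1. Tip must be an integer percentage within range (bool is excluded on purpose).
    tip_raw = payload.get("tip_percent", 0)
    if isinstance(tip_raw, bool) or not isinstance(tip_raw, int):
        return ValidationResult(False, None, "tip_percent must be an integer")
    if not TIP_MIN <= tip_raw <= TIP_MAX:
        return ValidationResult(False, None,
                                f"tip_percent must be between {TIP_MIN} and {TIP_MAX}")

    # 2. Subtotal comes from catalogue prices, never from the request body.
    subtotal = Decimal("0")
    for item in payload.get("items", []):
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in MENU_PRICES or isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            return ValidationResult(False, None, f"invalid line item: {item!r}")
        subtotal += MENU_PRICES[sku] * qty
    if subtotal <= 0:
        return ValidationResult(False, None, "cart is empty")

    tip = _money(subtotal * Decimal(tip_raw) / 100)
    total = _money(subtotal + tip)

    # 3. If the client also sent a total, treat any mismatch as tampering and refuse it
    #    (a good place to log, since honest clients always agree with the server).
    if "total" in payload and _money(Decimal(str(payload["total"]))) != total:
        return ValidationResult(False, None, "client total does not match server total")
    return ValidationResult(True, total)


if __name__ == "__main__":
    # Constructed request resembling the flaw: a negative tip and a client-chosen subtotal.
    tampered = {"subtotal": 20, "tip_percent": -150,
                "items": [{"sku": "margherita", "qty": 2}]}
    print("vulnerable:", vulnerable_validate(tampered))   # total -10.00, order would be credited
    print("hardened:  ", hardened_validate(tampered))     # rejected
    honest = {"tip_percent": 10, "items": [{"sku": "margherita", "qty": 2}], "total": "26.40"}
    print("hardened:  ", hardened_validate(honest))       # ok, 26.40
```

The hardened version never reads `subtotal` from the request at all: the only client-controlled inputs are the line items and the tip percentage, both validated before any arithmetic, so there is no field left for a negative value to flow through into the charge.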

Vulnerabilities Covered

  • Business Logic Flaw
  • Insufficient Input Validation

Classification

  • OWASP Top 10: A04:2021 - Insecure Design (lack of business logic validation)
  • Vulnerability Type: Business Logic Flaw / Insufficient Input Validation
  • Attack Surface: Payment validation (/api/payment/validate) and order creation (/api/orders) endpoints
  • CWE: CWE-840 - Business Logic Errors, CWE-20 - Improper Input Validation

This post is licensed under CC BY 4.0 by the author.