Quikpay Receipts
A payment-receipts service where every customer can resend their own receipt by email. The button does what it says. The endpoint it calls, with a different request shape, will tell you more than it ought to.
The Scenario
Quikpay is a small payments backend used by a few dozen indie software shops. They take both the integration and the design seriously. They also have a debug branch in the resend handler that the engineering lead added during a late-night incident and never wrapped in a feature flag.
Challenge Intel
Synopsis
POST /receipt/<id>/resend returns a JSON debug payload (with the flag) when Content-Type is application/json. Form-encoded POSTs get a boring success response. A pure Content-Type pivot: same endpoint, same HTTP method, different branch.
What It Is
The Flask receipt-resend handler branches on request.content_type. The form-encoded branch returns {"ok": true, "message": "Receipt resent"}. The JSON branch returns a full JSON dump of the receipt, including a debug.internal_ref field that holds the flag.
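To make the branch concrete, here is an added example that is not part of the challenge's own code: a standard-library WSGI model of the resend handler (Flask is itself a WSGI framework, but plain WSGI is used here so the example runs without dependencies), with the vulnerable handler beside a hardened one, and an in-process replay helper that sends the same endpoint a form-encoded body and then a JSON body, the way you would from Burp Repeater or curl. The receipt record, the route layout and the placeholder internal_ref value are all constructed for the example.

```python
import io
import json
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed sample data for the example; the flag value is a placeholder.
RECEIPTS = {
    "r-1001": {
        "id": "r-1001",
        "customer": "ada@example.com",
        "amount_cents": 4200,
        "debug": {"internal_ref": "EXAMPLE-NOT-A-REAL-FLAG"},
    },
}
REASONS = {200: "OK", 404: "Not Found", 415: "Unsupported Media Type"}


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' from a Content-Type header."""
    return content_type.split(";", 1)[0].strip().lower()


def vulnerable_resend(receipt_id, content_type, body):
    """Models the challenge's handler: the response shape depends on Content-Type."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None:
        return 404, {"ok": False, "error": "unknown receipt"}
    if media_type(content_type) == "application/json":
        # Debug branch left in from an incident: dumps the whole record,
        # debug section included, back to whoever asked.
        return 200, {"ok": True, "receipt": receipt, "echo": json.loads(body or b"{}")}
    parse_qs(body.decode("utf-8", "replace"))  # form branch: body is read and ignored
    return 200, {"ok": True, "message": "Receipt resent"}


def hardened_resend(receipt_id, content_type, body):
    """Same endpoint, but the public response never depends on the body encoding."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None:
        return 404, {"ok": False, "error": "unknown receipt"}
    if media_type(content_type) not in ("application/json", "application/x-www-form-urlencoded"):
        return 415, {"ok": False, "error": "unsupported content type"}
    # Internal fields stay server-side; both encodings get the same minimal reply.
    return 200, {"ok": True, "message": "Receipt resent"}


def make_app(handler):
    """Wrap a handler as a WSGI app serving POST /receipt/<id>/resend."""
    def app(environ, start_response):
        parts = environ.get("PATH_INFO", "").strip("/").split("/")
        routed = (environ.get("REQUEST_METHOD") == "POST" and len(parts) == 3
                  and parts[0] == "receipt" and parts[2] == "resend")
        if not routed:
            status, payload = 404, {"ok": False, "error": "no such route"}
        else:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            status, payload = handler(parts[1], environ.get("CONTENT_TYPE", ""), body)
        start_response(f"{status} {REASONS[status]}", [("Content-Type", "application/json")])
        return [json.dumps(payload).encode("utf-8")]
    return app


def replay(app, path, content_type, body):
    """Send one request to the app in-process, the way Burp Repeater or curl would.

    The curl equivalents of the two interesting requests (HOST is a placeholder):
      curl -X POST -d 'send=1' http://HOST/receipt/r-1001/resend
      curl -X POST -H 'Content-Type: application/json' -d '{}' http://HOST/receipt/r-1001/resend
    """
    environ = {}
    setup_testing_defaults(environ)
    environ.update({
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "CONTENT_TYPE": content_type,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    })
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app(environ, start_response)
    return int(captured["status"].split()[0]), json.loads(b"".join(chunks))


if __name__ == "__main__":
    path = "/receipt/r-1001/resend"
    for handler in (vulnerable_resend, hardened_resend):
        app = make_app(handler)
        print(handler.__name__, "form:", replay(app, path, "application/x-www-form-urlencoded", b"send=1"))
        print(handler.__name__, "json:", replay(app, path, "application/json; charset=utf-8", b"{}"))
```

Run it and the vulnerable handler answers the form post with the plain success message and the JSON post with the whole record, debug section included; the hardened handler gives both encodings the same reply and rejects anything else with 415. The point of `media_type()` is that a real header usually arrives with parameters (`application/json; charset=utf-8`), so a check that compares the raw string would miss the very request the debug branch is reacting to.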
Who It's For
Players who have used DevTools → Network and can copy a request as fetch. The challenge introduces request manipulation outside the browser's default form posts.
Skills You'll Practice
- Replaying a request with a modified Content-Type
- Using Burp Repeater or curl to swap a request body
- Reading a JSON response body
What You'll Gain
- Same endpoint, different content type, different behavior
- Debug branches are a real-world leak path: they reach production more often, and reveal more, than their authors expect
Ready to hack Quikpay Receipts?
This challenge is free. Sign up and start hacking.