$ cat writeup.md…
$ cat writeup.md…
alfactf
Task: a Next.js chocolate shop stores balances in server-side SQLite sessions and exposes a promo redemption endpoint. Solution: recover the valid coupon from source, then exploit JavaScript string-plus-number coercion to turn the balance into Infinity and buy the flag item.
Шоколадный дроп
English summary: the target is a Next.js shop application with server-side SQLite-backed sessions, a promo code feature, and a hidden expensive flag item. The goal is to abuse the promo flow to raise the stored balance high enough for checkout.
Source inspection revealed a valid promo code embedded directly in the frontend or bundled source. The code decodes from base64 into the JSON object below:
{"amount":5000,"coupon":"TREAT5000"}
The interesting API route was POST /api/promocode. The handler updated session.balance before fully validating the promo payload:
promo.amount to session.balancecatchfinallyThat sequence is unsafe in JavaScript because + is both numeric addition and string concatenation.
After redeeming the legitimate 5000 coupon once, the stored balance is the number 5000. The bug appears when the next promo uses a malformed amount value such as the string "1e305".
At that point the application effectively does:
session.balance += "1e305";
Instead of producing a larger number, JavaScript concatenates and the balance becomes the string:
"50001e305"
Later the error handler tries to roll the change back with -=. That operator forces numeric coercion first:
session.balance -= "1e305";
Now "50001e305" is parsed as an enormous scientific-notation value, which overflows to Infinity. Then the rollback becomes:
Infinity - 1e305 === Infinity
So the failed promo does not restore the original balance. It upgrades it to Infinity.
When the session is serialized to JSON, Infinity is shown as null, which can make debugging misleading. However, the backend still restores and uses the server-side SQLite session value during checkout, so the purchase logic treats the balance as effectively unlimited.
With that state, adding the expensive flag item to the cart and checking out succeeds. The real flag is then returned by GET /api/completed.
I also checked the related CTFBase writeup 20251219_alfactf_coins after searching for javascript NaN balance type confusion. It highlighted the same family of JavaScript numeric edge cases: if balance logic mixes loose coercion, special numeric values, and weak validation, business-logic checks can often be bypassed.
The exploitation flow is short:
{\"amount\":5000,\"coupon\":\"TREAT5000\"}.amount is the string "1e305".Infinity.flag item to the cart.GET /api/completed.Short curl example:
#!/usr/bin/env bash BASE="https://TARGET" COOKIE="/tmp/choco.cookie" # 1. Create session curl -s "$BASE/" -c "$COOKIE" > /dev/null # 2. Redeem the real coupon curl -s "$BASE/api/promocode" \ -b "$COOKIE" -c "$COOKIE" \ -H 'Content-Type: application/json' \ -d '{"amount":5000,"coupon":"TREAT5000"}' # 3. Trigger string concatenation, then Infinity on rollback curl -s "$BASE/api/promocode" \ -b "$COOKIE" -c "$COOKIE" \ -H 'Content-Type: application/json' \ -d '{"amount":"1e305","coupon":"BROKEN"}' # 4. Add the expensive item and buy it curl -s "$BASE/api/cart" \ -b "$COOKIE" -c "$COOKIE" \ -H 'Content-Type: application/json' \ -d '{"item":"flag"}' curl -s "$BASE/api/checkout" \ -b "$COOKIE" -c "$COOKIE" \ -X POST # 5. Retrieve the real flag curl -s "$BASE/api/completed" -b "$COOKIE"
The key observation is the coercion chain:
5000 + "1e305" // "50001e305" "50001e305" - "1e305" // Infinity Infinity - 1e305 // Infinity
This is why the rollback path is exploitable even though it appears to subtract the same value it just added.
For JavaScript shop challenges, always test how balances behave across +, -, JSON serialization, and session persistence. Type confusion is often enough to turn a small legitimate credit into NaN or Infinity, which breaks every later price comparison.
$ cat /etc/motd
Liked this one?
Pro unlocks every writeup, every flag, and API access. $9/mo.
$ cat pricing.md$ grep --similar