As always, let’s assume the company’s name is example.com. This company lets you keep private notes/pages. The free version offers 5 pages; to upgrade from 5 pages to unlimited pages you need to pay some amount of money.
How the application works:
- Click on create a page
- Enter page name and details
- Click on Save
After you save the 5th page, the Create page button is disabled.
To create more pages, I tried sending the request to Intruder and fired 100 null payloads, but with no success, as they have some kind of verification.
The next thing that came to my mind was to look at the requests, so I deleted all the pages and started creating pages again to observe the changes in the POST request.
In the headers there is a parameter X-company_name-reqid: some_randomvalue + number_ending_with_1,2,3 and so on.
To create unlimited pages, I just have to change the value of the header X-company_name-reqid:
x-example-client-version: build-6226
x-example-reqid: randomvalue.2349934923493408030305501,2,3 and so on
And I was able to create unlimited pages.
Accepted as P3 – $XXX dollars
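One plausible shape of this flaw next to its fix, as an added example that is not from the original write-up or from example.com's code. It assumes, hypothetically, that the server reads the page count from the trailing digit of x-example-reqid; every function name, account and header value below is constructed.

```python
FREE_PAGE_LIMIT = 5                       # free-tier limit stated in the write-up
PLANS = {"alice": "free", "bob": "paid"}  # constructed accounts


class QuotaExceeded(Exception):
    """Raised when an account is not allowed to create another page."""


def counter_from_reqid(reqid):
    # Assumption: the last digit of x-example-reqid is a counter kept by the client.
    last = reqid[-1:]
    return int(last) if last.isdigit() else None


def create_page_trusting_header(store, user, headers, name):
    """Weak form: the limit is checked against a number the client sends."""
    counter = counter_from_reqid(headers.get("x-example-reqid", ""))
    if counter is None or counter > FREE_PAGE_LIMIT:
        raise QuotaExceeded(user)
    store.setdefault(user, []).append(name)


def create_page_server_side(store, user, headers, name):
    """Hardened form: the limit is checked against the pages actually stored.
    The header is ignored for the quota decision."""
    pages = store.setdefault(user, [])
    if PLANS.get(user, "free") == "free" and len(pages) >= FREE_PAGE_LIMIT:
        raise QuotaExceeded(user)
    pages.append(name)


# Constructed header values: eight requests whose trailing digit never exceeds 5.
REQIDS = [f"constructed{i}.{(i % 5) + 1}" for i in range(8)]


def stored_after(create, user, reqids):
    """Send one create request per reqid and return how many pages were stored."""
    store = {}
    for i, reqid in enumerate(reqids):
        try:
            create(store, user, {"x-example-reqid": reqid}, f"page-{i}")
        except QuotaExceeded:
            pass  # request refused, keep sending the rest
    return len(store.get(user, []))


if __name__ == "__main__":
    print("header-trusting:", stored_after(create_page_trusting_header, "alice", REQIDS))
    print("server-side:", stored_after(create_page_server_side, "alice", REQIDS))
```

The hardened check depends only on server-held state (the account's plan and its stored pages), so no value in the request can raise the limit.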