Disabling only waf fucntion with exhausting account-security, leads to reach app function without any filter.
Triggering exception in waf function, make pricing only account-security without propagation to app function.
Same solution with version 2.0 challenge.

Original writeup (https://eine.tistory.com/entry/Hacklu-CTF-2020-Web-FluxCloud-Serverless-10-20-Confession-Write-up).