Rating: 5.0
* Inject an additional `amount` field into the signed message by using a username like `FRONTEND_USERNAMEamount1337`
* The resulting message is then `userFRONTEND_USERNAMEamount1337amount0nonceNONCE`
* Perform parameter pollution on the frontend: `GET /callback?user=FRONTEND_USERNAME&amount=1337&amount=0&nonce=NONCE&sig=SIGNATURE.`
[Read the writeup here](https://ctf.zeyu2001.com/2021/cybersecurityrumble-ctf/payback)
