imagine we have this website.

let’s try to buy the jacket.

now let’s place the order.

and as expected we got a "not enough credit" error.

now let’s remove the jacket and try to make a successful purchase, to see how the application behaves.

now we have enough money for that product.

let’s place the order.

and we bought it.

now let’s look at Burp and see what happened.

notice that the request has a parameter `order-confirmed` and its value is `true`.

the scenario is this: imagine the backend assumes we had the money whenever this request is sent, without validating it again. that would mean we can place the jacket into the cart, send this request, and it will be ordered!
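The suspected flaw and its server-side fix, as an added example (not the application's code): a constructed in-memory model where `Session`, `checkout`, `confirm_flawed`, `confirm_fixed`, the item names and the prices are all hypothetical. Only the `order-confirmed=true` parameter comes from the request above.

```python
from dataclasses import dataclass, field
from typing import Optional

PRICES = {"jacket": 133700, "cheap-item": 1000}  # constructed prices, in cents


@dataclass
class Session:  # hypothetical server-side session state
    credit: int
    cart: list = field(default_factory=list)
    pending: Optional[list] = None  # order that passed the credit check
    purchased: list = field(default_factory=list)


def checkout(s: Session) -> bool:
    """Credit check and payment; records exactly which items were paid for."""
    total = sum(PRICES[i] for i in s.cart)
    if total > s.credit:
        return False  # "not enough credit"
    s.credit -= total
    s.pending = list(s.cart)
    return True


def confirm_flawed(s: Session, order_confirmed: str) -> bool:
    """Flawed: trusts order-confirmed=true and fulfils whatever is in the cart."""
    if order_confirmed != "true":
        return False
    s.purchased += s.cart
    s.cart = []
    return True


def confirm_fixed(s: Session, order_confirmed: str) -> bool:
    """Fixed: the client flag is ignored; only a paid, pending order ships."""
    if s.pending is None:
        return False
    s.purchased += s.pending
    s.pending, s.cart = None, []  # one-time use, so a replay does nothing
    return True


def demo():
    # The checkout step is skipped in both sessions; only the fix notices.
    flawed = Session(credit=10000, cart=["jacket"])
    fixed = Session(credit=10000, cart=["jacket"])
    return (confirm_flawed(flawed, "true"), flawed.purchased,
            confirm_fixed(fixed, "true"), fixed.purchased)
```

The fix ties fulfilment to state the server recorded at payment time, so changing the cart after checkout or sending the confirmation request on its own has no effect.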

now let’s try to add the jacket to the cart.
