HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Zeddit — Karma Dashboard

Business Logic Vulnerabilities · Business Logic Flaw
Difficulty: Beginner
Vuln class: Business Logic Flaw
Steps: 3
// Objective
Exploit the self-voting logic flaw to upvote your own posts and inflate karma beyond what the UI allows.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Understand the restriction
Zeddit's UI prevents you from upvoting your own posts. Find the upvote API endpoint by intercepting the request when you upvote someone else's post.
Command / Input
POST /api/posts/12/vote {"direction":"up"}
2. Self-vote via the API
The UI check is client-side only. Call the upvote endpoint directly on one of your own post IDs. The server doesn't validate post ownership.
Command / Input
POST /api/posts/YOUR_POST_ID/vote {"direction":"up"}
Output
{"karma":101}
No error — the server accepted the self-vote. Repeat to inflate karma further.
3. Reach the karma threshold
Keep voting on your own posts until karma reaches the threshold that unlocks the flag (check the dashboard for the target number).
Output
HackrGG{z3dd1t_k4rm4_s3lf_v0t3_g4m3}
// Flag
Flag value
HackrGG{z3dd1t_k4rm4_s3lf_v0t3_g4m3}
Unlocked on the karma dashboard when you exceed the threshold via self-voting.
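
// Server-side fix (added example)
The missing check from step 2, shown as an added example that is not part of the original walkthrough or Zeddit's own code: the vote handler as the walkthrough describes it (no ownership validation) next to a corrected one. The names Post, vote_vulnerable and vote_hardened and the in-memory vote record are assumptions, and the one-vote-per-user rule goes slightly beyond the text to also stop the "repeat to inflate" behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class Post:
    post_id: int
    author_id: int
    score: int = 0
    votes: dict = field(default_factory=dict)  # voter_id -> +1 or -1


def vote_vulnerable(post, voter_id, direction):
    # Flaw described in the walkthrough: the handler never compares the voter
    # to the post's author and keeps no per-user record, so repeats add up.
    post.score += 1 if direction == "up" else -1
    return post.score


def vote_hardened(post, voter_id, direction):
    # voter_id must come from the authenticated session, not the request body.
    if direction not in ("up", "down"):
        raise ValueError("direction must be 'up' or 'down'")   # map to HTTP 400
    if voter_id == post.author_id:
        raise PermissionError("cannot vote on your own post")   # map to HTTP 403
    new = 1 if direction == "up" else -1
    old = post.votes.get(voter_id, 0)
    post.votes[voter_id] = new   # one vote per user: a repeat changes nothing
    post.score += new - old      # switching up -> down moves the score by 2
    return post.score


def demo():
    # Constructed sample data: user 7 authored post 12, user 9 is someone else.
    weak, strong = Post(12, author_id=7), Post(12, author_id=7)
    inflated = [vote_vulnerable(weak, 7, "up") for _ in range(3)][-1]
    try:
        vote_hardened(strong, 7, "up")
        self_vote_rejected = False
    except PermissionError:
        self_vote_rejected = True
    repeated = [vote_hardened(strong, 9, "up") for _ in range(3)][-1]
    return inflated, self_vote_rejected, repeated


if __name__ == "__main__":
    print(demo())
```

In a real deployment the per-user vote record would be a database table with a unique constraint on (post_id, voter_id), so the rule holds under concurrent requests as well.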