I did this with the Papa John's webapp a while back (which was waaaay simpler btw). They limited duplicate toppings to (I think) 3 of the same, but "duplicate_item" was just a numerical property on the (e.g.) "bacon" object. Turns out you could just add multiple "bacon" members to the toppings array to exceed the limit, and they didn't charge for duplicates, so I ordered a pizza with like 50 bacons.
It definitely didn't have 50x worth of bacon, but it did have more than 3x, maybe 5x-6x. The receipt was hilariously long though.
Whenever you do this sort of thing, you should check whether they do negative number checking on the client side or in the API itself. You might be able to get 1 pizza with bacon and (1) pizza without, all for the price of the bacon.
I work for a company with a similar sort of online ordering API, and a while back some enterprising person discovered that:
1. Our API had a hidden "tip" feature; we hadn't exposed it in the storefront yet, mostly because the developer in charge of it had left with it halfway finished, and nobody had picked it back up yet
2. But the API itself was perfectly functional. If you manually submitted an order to the API with a tip set, it would be reflected in the total, would bill your credit card, etc.
3. Except (I'm sure you saw where this is going...) the now-departed dev hadn't added any validation yet. So if you ordered $40 worth of pizza and added a negative $39 tip...boom, nearly free pizza.
We learned a few valuable lessons for the cost of buying a college student a couple of pizzas. :)
We actually debated offering them a job interview when they graduated. If they'd contacted us first, we might have. :) Instead we just fixed the bug, called it a day, and spent a few days reviewing the rest of the API for weak validation.
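A server-side check covering both the duplicate-toppings trick and the negative-tip bug described in this thread, as an added example (not code from any poster's system; the topping prices, base price and the 3-per-topping cap are constructed values):

```python
from collections import Counter
from decimal import Decimal

# Constructed catalogue and limits (hypothetical, not taken from the thread).
TOPPING_PRICES = {"bacon": Decimal("1.50"), "mushroom": Decimal("1.00")}
BASE_PRICE = Decimal("10.00")
MAX_SAME_TOPPING = 3


class InvalidOrder(ValueError):
    pass


def validate_and_price(order: dict) -> Decimal:
    """Recompute the total on the server; trust nothing the client sent.

    order = {"pizzas": [{"toppings": [{"name": "bacon", "duplicate_item": 3}]}],
             "tip": "2.00"}
    """
    pizzas = order.get("pizzas")
    if not isinstance(pizzas, list) or not pizzas:
        raise InvalidOrder("order must contain at least one pizza")
    total = Decimal("0")
    for pizza in pizzas:
        # Count every array member by name instead of trusting a per-entry
        # 'duplicate_item' field: repeated members must count towards the cap.
        counts = Counter()
        for t in pizza.get("toppings", []):
            name = t.get("name")
            if name not in TOPPING_PRICES:
                raise InvalidOrder(f"unknown topping {name!r}")
            qty = t.get("duplicate_item", 1)
            if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
                raise InvalidOrder("topping quantity must be a positive integer")
            counts[name] += qty
        for name, n in counts.items():
            if n > MAX_SAME_TOPPING:
                raise InvalidOrder(f"{name}: {n} exceeds limit {MAX_SAME_TOPPING}")
            total += TOPPING_PRICES[name] * n  # every duplicate is billed
        total += BASE_PRICE
    # Tip: parse as Decimal and refuse NaN/infinity/negatives before adding.
    try:
        tip = Decimal(str(order.get("tip", "0")))
    except Exception:
        raise InvalidOrder("tip is not a number")
    if not tip.is_finite() or tip < 0:
        raise InvalidOrder("tip must be a non-negative amount")
    return total + tip


def try_price(order: dict):
    """Return the total as a string, or None if the order is rejected."""
    try:
        return str(validate_and_price(order))
    except InvalidOrder:
        return None
```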
Good advice; I'm not sure I tried that. The goal wasn't to steal toppings or get free pizza though; it was an impromptu response to my desire for lots of bacon and encountering the duplicate limit, and then a busy signal on the phone. Once I figured out it didn't charge me for more, I just wanted to see what would happen. I figured they'd think it was a system glitch and call when they received the order.
The employee will ignore the negative sign in front of the number and make you that pizza anyway. The calculation of the total is where it might give you free pizza.
Yeah that's what I figured. The wording of the post made it sound like it had something to do with the bacon though. You could just do this for any arbitrary pizza.
The bacon is there so you pay something; a free pizza would be weird even to a minimum-wage employee (not that they're dumb, but they probably don't care).
Though that's assuming the people making online orders even bother looking at the amount paid. I don't necessarily see why they would (or why they wouldn't assume you had merely cashed in some sort of promo or balance).
I wonder how the people on the other end reacted.
One evening I ordered a pizza online to the office. I was too lazy to go out to the nearest grocery store (even if I knew which would be open at those hours) to buy a ketchup bottle, so in the form I added ~16x sachets of ketchup (figured it'd last me a while). I don't think it was more than 5 minutes after submitting the form that my phone rang, with the pizza guy on the other end asking if I really, really wanted 16 bags of ketchup.