SoliClub Security Analysis
Discovery and responsible disclosure of a critical payment validation flaw in Marmara University's cafeteria (SoliClub) system, found via API interception and reverse engineering.


Problem
The SoliClub payment flow relied on a client-supplied amount. A pre-payment endpoint returned the correct meal price (e.g. 25 TL), but the actual charge was sent to /BKMOdemeAl_v2 via a POST request. The backend did not validate this amount against the meal price or the pre-payment session, so any authenticated user with a BKM-linked card could submit an arbitrary amount (e.g. 2.5 TL instead of 25 TL) and have that amount debited, effectively bypassing the intended pricing.
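The flaw in miniature, as an added example that is not the project's code or the original proof-of-concept: a handler that debits whatever amount the client sends, beside one that resolves the price server-side from the pre-payment session and refuses anything else. Meal prices, session ids and request field names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (hypothetical, not SoliClub's real schema): the meal
# price a pre-payment endpoint would return, and the sessions it has issued.
MEAL_PRICES_TL = {"lunch": Decimal("25.00")}
SESSIONS = {"sess-1": {"user": "u42", "meal": "lunch", "paid": False}}
LEDGER = []   # (user, amount) pairs that were actually debited
ALERTS = []   # price mismatches worth surfacing to monitoring


class PaymentError(Exception):
    pass


def vulnerable_charge(req):
    """Debits the client-supplied amount unchecked: the flaw described above."""
    amount = Decimal(str(req["amount"]))
    LEDGER.append((req["user"], amount))
    return amount


def hardened_charge(req):
    """Derives the amount server-side from the session; the client's value is only compared."""
    session = SESSIONS.get(req.get("session_id"))
    if session is None or session["user"] != req.get("user"):
        raise PaymentError("unknown session or session/user mismatch")
    if session["paid"]:
        raise PaymentError("session already charged")      # blocks replay of a paid session
    expected = MEAL_PRICES_TL[session["meal"]]
    claimed = Decimal(str(req.get("amount", "0")))
    if claimed != expected:
        # A tampered amount is a detection signal, not just a 400: record who and what.
        ALERTS.append((req["user"], claimed, expected))
        raise PaymentError(f"amount {claimed} does not match meal price {expected}")
    session["paid"] = True
    LEDGER.append((req["user"], expected))                 # never the client's value
    return expected


def rejects(req):
    """True if the hardened handler refuses the request (helper for checks)."""
    try:
        hardened_charge(req)
    except PaymentError:
        return True
    return False
```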
Solution
I traced the flow by intercepting app traffic with a proxy (Charles or Proxyman). I observed the endpoint that returns the amount to charge, then the POST to /BKMOdemeAl_v2 with amount and user identifiers. I confirmed the lack of server-side validation by reproducing the issue. I reported the vulnerability to the university IT team under responsible disclosure and later built a proof-of-concept (Next.js/React/Tailwind and a Flask demo) to illustrate the finding without exploiting it further.
Result
The vulnerability was patched after responsible disclosure. For one semester I had been able to pay 2.5 TL per meal instead of 25 TL, which demonstrated the real-world impact. The project highlights skills in API analysis, request interception, reverse engineering and ethical security research alongside web development.