Vulnerability for Harry’s Bar iPhone App
Harry’s Bar made this iPhone app which allows its customers to win prizes when patronizing its premises.
It is possible to win the grand prize of a bucket of Harry’s Beer by doing a MITM using Burp or another other proxy tool.
The server name is exhost.se. As you can see here, they did not prevent directory browsing.
Venues.xml looks interesting, it shows the probability for winning a certain prize as well as the ID for the prizes.
By doing a MITM and change the incoming ID to 6, you will be able to win a bucket of Harry’s Beer every single time.