Worked on #gj1TG this week.
Found a stored XSS vulnerability in a few places in the system. The application also caches the password in the browser in plaintext, which was very interesting to find.
However, I missed one vulnerability, which was the ability to change the amount to be paid. This is because I missed the last part of a multi-part process.
Request -> confirm -> pay
I tested the request -> confirm portion but forgot to test confirm -> pay. Learnt to be more thorough in the future, especially when it comes to transactions.
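
As an added example (not from the original post or the tested application), this shows one way a server can pin the amount at the request step and reject a changed value at both later transitions, with a check that exercises confirm -> pay as well as request -> confirm. All class and function names are hypothetical, and the amounts are constructed sample values.

```python
import secrets

class FlowError(Exception):
    """Step called out of order or on an unknown order."""

class TamperedAmount(Exception):
    """Client-supplied amount differs from the amount stored at request time."""

class PaymentFlow:
    """Hypothetical server-side state for request -> confirm -> pay."""

    def __init__(self):
        self._orders = {}  # order_id -> {"amount": int, "state": str}

    def request(self, amount_cents):
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        order_id = secrets.token_hex(8)
        self._orders[order_id] = {"amount": amount_cents, "state": "requested"}
        return order_id

    def confirm(self, order_id, client_amount):
        return self._advance(order_id, client_amount, "requested", "confirmed")

    def pay(self, order_id, client_amount):
        return self._advance(order_id, client_amount, "confirmed", "paid")

    def _advance(self, order_id, client_amount, expected, next_state):
        order = self._orders.get(order_id)
        if order is None or order["state"] != expected:
            raise FlowError(f"order not in state {expected!r}")
        # The stored amount is authoritative; a differing client value is rejected.
        if client_amount != order["amount"]:
            raise TamperedAmount(f"amount changed before {next_state!r}")
        order["state"] = next_state
        return order["amount"]

def tamper_rejected_at(step):
    """Walk the flow honestly up to `step`, then submit a changed amount there."""
    flow = PaymentFlow()
    order_id = flow.request(10_000)  # constructed sample: 100.00 in cents
    if step == "pay":
        flow.confirm(order_id, 10_000)
    try:
        getattr(flow, step)(order_id, 1)
    except TamperedAmount:
        return True
    return False

if __name__ == "__main__":
    for step in ("confirm", "pay"):
        print(step, "rejects changed amount:", tamper_rejected_at(step))
```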