
Playing with Stripe CTF

I was playing around with Stripe's source code for last year's CTF, and from what I could see online, most people solved Level 4 by using XSS in the password field. But look at the following line in srv.rb:

unless username =~ /^\w+$/
  ie("Invalid username. Usernames must match /^\w …

© James Lim.