🏎️ Race conditions

https://portswigger.net/web-security/learning-paths/race-conditions

The most well-known type of race condition enables you to exceed some kind of limit imposed by the business logic of the application.

For example, a promotion coupon can be entered only once: the application checks that you have not already used the code before applying it.

But consider what happens if we submit the coupon twice within a very short time window:

The sub-state begins when the server starts processing the first request, and ends when it updates the database to indicate that you've already used this code.
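The sub-state described above, modelled as an added example (not code from the original page or from PortSwigger): a check-then-act coupon handler beside a hardened version that claims the coupon in one atomic statement. The `yield` stands in for the point where another request gets to run; the schema, the `PROMO20` code and all function names are constructed for illustration.

```python
import sqlite3

def new_db():
    # Constructed schema and data: one cart, one single-use coupon.
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    db.executescript("""
        CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE carts (id INTEGER PRIMARY KEY, times_discounted INTEGER NOT NULL DEFAULT 0);
        INSERT INTO coupons (code) VALUES ('PROMO20');
        INSERT INTO carts (id) VALUES (1);
    """)
    return db

def apply_discount(db, cart_id):
    db.execute("UPDATE carts SET times_discounted = times_discounted + 1 WHERE id = ?", (cart_id,))

def redeem_check_then_act(db, cart_id, code):
    # Vulnerable pattern: the check and the state change are separate steps.
    used = db.execute("SELECT used FROM coupons WHERE code = ?", (code,)).fetchone()[0]
    if used:
        return
    yield  # sub-state: check passed, coupon not yet marked as used
    apply_discount(db, cart_id)
    db.execute("UPDATE coupons SET used = 1 WHERE code = ?", (code,))

def redeem_atomic(db, cart_id, code):
    # Hardened pattern: check and claim in one statement, so only one
    # request can ever flip used from 0 to 1.
    claimed = db.execute(
        "UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (code,)).rowcount
    yield  # same scheduling point, but the claim has already been decided
    if claimed == 1:
        apply_discount(db, cart_id)

def run_overlapping(handler, requests=2):
    # Advance every request to its yield before letting any of them finish.
    db = new_db()
    in_flight = [handler(db, 1, "PROMO20") for _ in range(requests)]
    for req in in_flight:
        next(req, None)
    for req in in_flight:
        next(req, None)
    return db.execute("SELECT times_discounted FROM carts WHERE id = 1").fetchone()[0]

if __name__ == "__main__":
    print("check-then-act:", run_overlapping(redeem_check_then_act))
    print("atomic claim:  ", run_overlapping(redeem_atomic))
```

In a real handler the claim and the discount would also be wrapped in a single transaction, so that a failure between them does not consume the coupon without applying it.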

Detecting and exploiting limit overrun race conditions

First, we must identify a single-use or rate-limited endpoint. The challenge is then timing the requests so that at least two race windows line up, causing a collision.

To counter network jitter, Burp lets us send multiple requests at once:

Lab: Limit overrun race conditions

We immediately see the discount code:

We try to trigger some interesting responses and encounter the first one:

We see that the coupon is flagged as already used.

So we send the request to Turbo Intruder:

We then use the single-packet attack script provided by Burp:

We run the attack, and see that our coupon has been added a second time:

If we repeat the action multiple times, the price drops low enough for us to purchase the jacket:
