Race Condition
RACE CONDITIONS
What are race conditions?
Race conditions are a common type of vulnerability closely related to business logic flaws.
They occur when a website processes requests concurrently without adequate safeguards. This lets multiple distinct threads interact with the same data at the same time, producing a "collision" that causes unintended behaviour in the application.
Limit overrun race conditions (exploiting logic flaws)
Some basic race-condition tests you can try in the context of logic flaws:
Inviting a user
Joining a group
Like, subscribe, follow, unfollow, vote, etc.: any action that enforces a limit.
This method requires Burp Suite 2023.9.x or higher (it is the easiest way to exploit this class of bug; you can also write your own script).
1 - Send the request to Repeater 'n' times.
2 - Create a tab group for all those requests and choose Send Parallel (single-packet attack).
3 - Hit Send. If the application is vulnerable, you'll see the magic.
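As an added example (not code from the original page), here is the server-side cause of a limit overrun and its fix, modelled on an invitation limit: a check-then-act handler beside one that lets the database enforce the limit in a single atomic statement. It uses a throwaway SQLite file and a thread barrier to force the single-packet interleaving; the table, the team name and the limit of 3 are constructed for the demo.

```python
import os
import sqlite3
import tempfile
import threading

INVITE_LIMIT = 3  # constructed invitation cap for the demo
REQUESTS = 7      # concurrent invite requests, modelling a single-packet burst

def make_db():
    """Throwaway SQLite file with one team that has sent no invites yet (constructed data)."""
    path = os.path.join(tempfile.mkdtemp(), "invites.db")
    with sqlite3.connect(path) as c:
        c.execute("CREATE TABLE invites (team TEXT PRIMARY KEY, sent INTEGER NOT NULL)")
        c.execute("INSERT INTO invites VALUES ('team-a', 0)")
    return path

def invite_vulnerable(path, barrier):
    """Check-then-act: every request that reads the counter before anyone writes it passes the check."""
    with sqlite3.connect(path, timeout=10) as c:
        sent = c.execute("SELECT sent FROM invites WHERE team = 'team-a'").fetchall()[0][0]
        barrier.wait()  # all requests finish their check before any of them writes
        if sent < INVITE_LIMIT:
            c.execute("UPDATE invites SET sent = sent + 1 WHERE team = 'team-a'")

def invite_hardened(path, barrier):
    """One conditional UPDATE: the database checks and increments atomically, so the limit
    holds however the requests interleave. rowcount == 0 means the request must be rejected."""
    with sqlite3.connect(path, timeout=10) as c:
        barrier.wait()
        cur = c.execute(
            "UPDATE invites SET sent = sent + 1 WHERE team = 'team-a' AND sent < ?",
            (INVITE_LIMIT,))
        return cur.rowcount == 1

def run(handler):
    """Fire REQUESTS concurrent invites through handler and return the final counter."""
    path = make_db()
    barrier = threading.Barrier(REQUESTS)
    threads = [threading.Thread(target=handler, args=(path, barrier)) for _ in range(REQUESTS)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with sqlite3.connect(path) as c:
        return c.execute("SELECT sent FROM invites WHERE team = 'team-a'").fetchall()[0][0]

if __name__ == "__main__":
    print("vulnerable:", run(invite_vulnerable))  # 7: every request saw sent == 0
    print("hardened:  ", run(invite_hardened))    # 3: only three UPDATEs matched sent < 3
```

The same fix applies to any of the limited actions listed above: make the limit check and the state change one atomic operation (a conditional UPDATE, a unique constraint, or a row lock held across both), and treat a zero-row result as a rejected request.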
Rate-limit bypass via race conditions
1 - Select the parameter in the request that you want to brute-force (say, the password) and send the request to Turbo Intruder.
2 - If it is a password or similar, copy the wordlist to your clipboard and use the Python script below in Turbo Intruder.
3 - Hit Attack and see the magic.
Multi-endpoint race conditions
1 - A single piece of functionality chains multiple requests, e.g. buying a product from an e-commerce application.
2 - Send all the required requests for the product you want into Burp Repeater, in sequence, and create a tab group.
3 - Select Send Parallel (single-packet attack) and hit Send.
Single-endpoint race conditions
If you encounter functionality where a new object overwrites an older object and requires email verification, you can test it for race conditions, e.g. an email-change feature.
1 - The application has an email-change feature where the newly requested email replaces the old one and a confirmation link is sent to the user's email address.
2 - The email is already updated in the database and only the confirmation is pending.
3 - So we send the email-change requests in parallel (single-packet attack), one for attacker@email.com and one for victim@email.com.
4 - In the backend, because the requests arrive so fast, the request for victim@email.com reaches the server while the application is still generating the confirmation link for attacker@email.com. The application cannot prioritise correctly and, as a result, sends both confirmation links to the same email address.
5 - Impact: this leads to full account takeover.
Time-sensitive vulnerabilities
1 - Send two parallel forgot-password requests for the attacker's account, i.e. Account-A.
2 - If both password-reset links contain the same token, then we can test for ATO there.
3 - This time send both requests again, changing the username/password to the victim's in one of them.
4 - Analyse the response times; if both requests have the same response time, there may be a chance of ATO.
Real-world cases (HackerOne reports):
1 - Race condition in flag submission: the report describes a race-condition vulnerability which allowed an authenticated user to submit the same CTF flag multiple times, increasing the user's points and therefore the chances of getting an invitation to a private program.
2 - Race condition on the invite-user action: a race-condition vulnerability which allows inviting the same member to a single team multiple times via the dashboard.
3 - Race condition in performing a retest allows duplicated payments: by executing multiple requests to confirm a retest at the same time, a malicious user is paid multiple times for the retest. This allows stealing money from HackerOne, which could go unnoticed by both HackerOne and the attacker.
4 - Race condition leads to an un-deletable group member: a small race-condition bug in which a group member couldn't be removed from the group, even by the admin, after they joined.
5 - Race condition when following a user: if you send the follow requests asynchronously, you can follow a user multiple times instead of getting an error message.
6 - Race conditions in the Popular reports feature: this report describes a race-condition bug which allowed an authenticated user to upvote or downvote a single report multiple times, increasing its counter (and its rank on the Hacktivity page).
7 - Race condition in joining a CTF group: a race condition in https://ctf.hacker101.com/group/join allows a user to join the same CTF group multiple times. The user will show up in the group member list multiple times, affecting the group statistics.
8 - Race conditions can be used to bypass the invitation limit: using race conditions, the attacker was able to send out a total of 7 invites to his throwaway emails, bypassing the limit of 3 invitations.
9 - Race condition allows redeeming gift cards multiple times.
I've found a race-condition vulnerability which allows redeeming gift cards multiple times. This is how an attacker can easily buy stuff by buying just one gift card and redeeming it over and over again.