- Race conditions are a common type of vulnerability closely related to business logic flaws.
- They occur when websites process requests concurrently without verifying. This can lead to multiple distinct threads interacting with the same data at the same time, resulting in a "collision" that causes unintended behavior in the application.
- There are some basic RC tests that you can try in the context of Logic Flaws.
- Invite user
- Joining a group
- Like, subscribe, follow, unfollow, Vote ..etc that required limit.
This method required Burp version 2023.9.x or higher (This is the easiest method to exploit, you can create your own script also.)
1 - Send the request to repeater for 'n' no. of times.
2 - Create a Tab for all those request and choose Send Parallel (single Packet Attack)
3 - Hit send , if application is Vulnerable, you'll see the magic.
1 - Select the parameter in request that you want to bruteforce(let's say password), and send the request into TurboIntruder.
2 - If it is password or something , then wordlist should be copied in your clipboard that and use the below python script in Turbo Intruder.
def queueRequests(target, wordlists):
# as the target supports HTTP/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=1,
engine=Engine.BURP2
)
# assign the list of candidate passwords from your clipboard
passwords = wordlists.clipboard
# queue a login request using each password from the wordlist
# the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
for password in passwords:
engine.queue(target.req, password, gate='1')
# once every request has been queued
# invoke engine.openGate() to send all requests in the given gate simultaneously
engine.openGate('1')
def handleResponse(req, interesting):
table.add(req)
3 - Hit Attack and see the magic.
1 - When a single functionality chains with multiple request , eg - Buying a product from a E-Commerce application
- /product --> for the product
- /cart --> Add to cart that product
- /cart/checkout --> Buy that product
2 - Send all the required request into burp repeater for the product you want in a sequence and create a Tab.
3 - Select Send Parallel (single Packet Attack) and hit send.
-
If you've facing a functionality where new objects edit the older object and require email verification, then we can test there for RaceConditions, Eg. Email Change functionality
`Account A : Attacker --> attacker@email.com` `Account B : Victim --> victim@email.com`
1 - Application has email change functionality, where the new requested email is updated over older email, and send the confirmation link to the user email address.
2 - Since, email is updated in DataBase and only confirmation is needed,
3 - So we Send Parallel (Single Packet Attack) of the changing email for,
attacker@email.com
victim@email.com
4 - In Backend, Because we request so much fast that when application server generate confirmation link for attacker@email.com at the same time victim@email.com request is also reach their and application got confused to prioritise , As a result it sends both confirmation links on the same email.
5 - Impact : This will lead to Full Acount Takeover.
1 - Send two parallel forget password request for Attacker i..e Account-A
2 - If both password reset links contains same token, then we can test their for ATO.
3 - This time send both request again by changing victim's username/password in one of them.
4 - Analyze the response time, if both request have same response time, then their might be chances of ATO
- Found in --> HackerOne
- Report describes a Race Condition Vulnerability which
allow an authenticated user to submit the same ctf Flag multiple times. Increasing the user points and therefore the chances to get an invitation to a private program.
- Found in --> Omise
- Race condition vulnerability which
allows the invitation of the same member multiple times to a single teamvia the dashboard.
- Found in --> HackerOne
- By executing
multiple requests to confirm a retest at the same time, a malicious user is paid multiple times for the retest. Thisallows for stealing money from HackerOne, which could go unnoticed by both HackerOne and the attacker.
- Found in --> HackerOne
- Small Race condition bug in which a group
user couldn't be removed from the group even by the adminafter they join.
- Found in --> every.org
- Race condition vulnerability when following a user. If you send the Follow requests asynchronously, you can
follow a user multiple times instead getting an error message.
- Found in --> HackerOne
- This report describes a race condition bug which
allow an authenticated user to upvote or downvote multiple times a single report, increasing its counter (and its rank on the hacktivity page).
- Found in --> HackerOne
- A race condition in https://ctf.hacker101.com/group/join
allows a user to join the same CTF group multiple times.The user will show up in the group member list multiple times, and affect the group statistics.
- Found in --> KeyBase
- Using Race conditions, attacker was
able to send out a total of 7 invites to his throwaway emails, obviously bypassing the 3 no. of invitations limit.
- Found in --> Reverb.com
- I've found a Race Condition vulnerability which
allows to redeem gift cards multiple times. This how an attacker can easily buy stuff just buying one gift card and redeem it over and over again.