Race Conditions

A race condition occurs when two threads or processes are trying to access the same resource at the same time. This issue can lead to multiple distinct threads interacting with the same functionality at the same time resulting in a collison that causes unintended behaviour in the application. For example consider a discount code which can only be used one time during checkout what the application does is

Ask user to input discount code;
check in the database if discount code is already used by this user;
if is_used != True
apply discount by subtracting certain amount from cart total
set is_used = True

During this period as soon as the application asks the user to enter the discount code if two or more requests is sent for applying the discount code even before it reaches is_used check in the application we can leverage this to buy product at unintended price.

Similar scenarios

Redeeming a gift card multiple times
Rating a product multiple times
Withdrawing or transferring cash in excess of our account balance

Testing for race condition using burpsuite

Send the functionality request to repeater 10 or 20 times and drop the original request
click on + button on repeater tab and and select Create Tab Group
On send button click the drop down and select Send group in parallel(Single Packet Attack)
Also works on burpsuite community.

IP Block bypass using race condition

Here, the application is checking username and password from post request if it is valid we are logged in else until and unless the acutal password does not match the value of password provided from the post request it says invalid password and increases the ip block if ip block counter exceeds 3 the account is locked out.

username = $_POST['username'];
password = $_POST['password'];
valid_password = "carlos123"
ip_block_counter = 0;

if ($_POST['password'] == $valid_password) {
    login($_POST['username']);
} else {

	WHILE($_POST['password'] != valid_password) {

	echo "Invalid password";
	ip_block_counter++;

	if(ip_block_counter > 3) {

		account_lock($_POST['username'])
		break;
	}

}
}

Above race condition can occur. If 30-40 requests containing different password value is sent in parallel before it is able to increase the counter we may be able to login in into the application.

Here, we can use turbo intruder's single packet attack

def queueRequests(target, wordlists):

    # as the target supports HTTP/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )
    
    # assign the list of candidate passwords from your clipboard
    passwords = wordlists.clipboard
    
    # queue a login request using each password from the wordlist
    # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
    for password in passwords:
        engine.queue(target.req, password, gate='1')
    
    # once every request has been queued
    # invoke engine.openGate() to send all requests in the given gate simultaneously
    engine.openGate('1')


def handleResponse(req, interesting):
    table.add(req)

In hackerone capture the flag race condition existed in flag submission which allowed submission of same flag multiple times in a single packet to get extra point for the submission.
Able to add members in a group or team in an application? The application only allows maximum 2 members but using race condition can add more than 2.
User1 is able to invite another user through coupon code suppose user1 clicks on invite a user functionality he gets a coupan code 2335D. User2 is able to input this coupan code after creating an account and signing in into the application which shows successfully invited User2 in dashboard of User1. If user2 spends $200 on the application User1 who invited him gets $100. During inputting coupan code by user2 race condition existed where multiple threads can be used to enter the coupon code at same time in parallel which showed successfully invited User2 20 times in dashboard of User1. SO if user2 spends $200 user1 gets 100*18 = $1800

PreviousAttacking Authentication NextBusiness Logic Vulnerabilities

Last updated 10 months ago

Ask user to input discount code; check in the database if discount code is already used by this user; if is_used != True apply discount by subtracting certain amount from cart total set is_used = True

IP Block bypass using race condition

username = $_POST['username'];
password = $_POST['password'];
valid_password = "carlos123"
ip_block_counter = 0;

if ($_POST['password'] == $valid_password) {
    login($_POST['username']);
} else {

	WHILE($_POST['password'] != valid_password) {

	echo "Invalid password";
	ip_block_counter++;

	if(ip_block_counter > 3) {

		account_lock($_POST['username'])
		break;
	}

}
}

Above race condition can occur. If 30-40 requests containing different password value is sent in parallel before it is able to increase the counter we may be able to login in into the application.

Here, we can use turbo intruder's single packet attack

def queueRequests(target, wordlists):

    # as the target supports HTTP/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )
    
    # assign the list of candidate passwords from your clipboard
    passwords = wordlists.clipboard
    
    # queue a login request using each password from the wordlist
    # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
    for password in passwords:
        engine.queue(target.req, password, gate='1')
    
    # once every request has been queued
    # invoke engine.openGate() to send all requests in the given gate simultaneously
    engine.openGate('1')


def handleResponse(req, interesting):
    table.add(req)

In hackerone capture the flag race condition existed in flag submission which allowed submission of same flag multiple times in a single packet to get extra point for the submission.

Able to add members in a group or team in an application? The application only allows maximum 2 members but using race condition can add more than 2.

User1 is able to invite another user through coupon code suppose user1 clicks on invite a user functionality he gets a coupan code 2335D. User2 is able to input this coupan code after creating an account and signing in into the application which shows successfully invited User2 in dashboard of User1. If user2 spends $200 on the application User1 who invited him gets $100. During inputting coupan code by user2 race condition existed where multiple threads can be used to enter the coupon code at same time in parallel which showed successfully invited User2 20 times in dashboard of User1. SO if user2 spends $200 user1 gets 100*18 = $1800