Race Condition Vulnerabilities: A Hands-On Primer — Part 1
Hi everyone, my name is Hashar Mujahid. I am a cyber security student and full-time freelancer. Today we will look at a topic that is difficult for many beginners to get their heads around [me as well]. So what better way to learn a topic than writing a blog about it?

WHAT ARE RACE CONDITIONS:
In layman's terms, a race condition occurs when two different threads or processes try to access and modify the same data simultaneously. The result is inconsistent data in the database.
Let's discuss a common race condition example to understand the impact. Say we have an e-commerce website where users can purchase items; the website records the quantity of each item in inventory in a database.
User A and User B both request to buy the last RTX 4090 graphics card available on the website at the same time. Both requests access the database simultaneously and each runs a query to deduct from the remaining quantity, leaving the quantity at -1. Now both users have paid for a graphics card, but only one is present in the inventory. At a larger scale this can cause irreversible damage to the company's reputation and result in a loss of customer trust.
This is just one of many cases where a race condition can occur. Say User A and User B both attempt to register the username "user1234" at the same time: the site creates two users with the same username, which leads to confusion and account management issues.
Or User A and User B attempt to redeem a coupon that can only be used once. Both apply the coupon at the same time, both requests check the coupon's validity at the same time and get the same answer (the coupon is valid), and both users receive the discount, when the intended behaviour was that only one person gets it.
You should now have a clear understanding of what race conditions are and their impact.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
RELATION WITH BUSINESS LOGIC FLAW VULNERABILITIES:
With all the above examples, I hope you noticed that race conditions are linked with business logic flaws, like exceeding coupon limits or registering the same username for multiple accounts. Now we can move on to the type of race condition that targets these flaws to exceed some kind of limit implemented by the developers or organization.
Limit overrun race conditions
As the name suggests, this condition allows us to exceed a limit imposed by the business logic.
We can reuse the previous coupon redemption example, but let's make it simpler.
Say the website allows a user to get a 10 percent discount on an item once by applying a coupon. Behind the curtains there could be multiple operations happening: the web application first checks whether the coupon has already been used; if it is still valid, it sets the used flag to true and applies the 10 percent discount. Now let's see how to exploit this with a limit overrun race condition.
Suppose a user makes two redemption requests at the same time. When the validity of the coupon is checked, both requests see a valid coupon and both succeed, giving a 20 percent discount instead of 10 percent.
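To make the check-then-act gap concrete, here is an added Python example (my own illustration, not code from the PortSwigger lab or from any real shop) that models the coupon redemption described above. `CouponStore`, `redeem_unsafe`, `redeem_safe` and the coupon code `PROMO20` are all constructed for the demonstration. A `threading.Barrier` forces every request past the validity check before any of them writes the used flag, which is exactly the timing a limit overrun relies on, and the fixed version shows the check and the write held together. The same one-read-one-write pattern is behind the inventory and duplicate-username cases from earlier.

```python
import threading


# Constructed in-memory stand-in for the coupon table: code -> already used?
class CouponStore:
    def __init__(self):
        self.used = {"PROMO20": False}   # constructed sample coupon
        self.lock = threading.Lock()

    def redeem_unsafe(self, code, rendezvous):
        """Vulnerable: the validity check and the 'mark as used' write are two
        separate steps, so concurrent requests can all pass the check first.
        (For the demonstration every request uses a valid code, so every
        thread reaches the barrier.)"""
        if self.used.get(code, True):   # 1. check: unknown or used -> reject
            return False
        rendezvous.wait()               # every request has passed the check...
        self.used[code] = True          # 2. act: ...before any of them writes
        return True

    def redeem_safe(self, code, rendezvous):
        """Fixed: check and write form one critical section, so the second
        request to get in sees the flag the first one already set."""
        rendezvous.wait()               # requests still arrive together...
        with self.lock:                 # ...but only one runs check+write at a time
            if self.used.get(code, True):
                return False
            self.used[code] = True
            return True


def concurrent_redemptions(method_name, code="PROMO20", n_requests=10):
    """Fire n_requests concurrent redemptions of `code` through the chosen
    method on a fresh store and return how many were granted the discount."""
    store = CouponStore()
    rendezvous = threading.Barrier(n_requests)
    granted = [False] * n_requests

    def request(i):
        granted[i] = getattr(store, method_name)(code, rendezvous)

    threads = [threading.Thread(target=request, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(granted)


def discount_percent(method_name, per_coupon=20, n_requests=10):
    """Total discount the shop ends up giving: per_coupon percent for every
    redemption that was granted."""
    return concurrent_redemptions(method_name, n_requests=n_requests) * per_coupon


if __name__ == "__main__":
    print("unsafe:", concurrent_redemptions("redeem_unsafe"), "of 10 requests granted")
    print("safe:  ", concurrent_redemptions("redeem_safe"), "of 10 requests granted")
```

In a real application the lock corresponds to a single atomic statement such as `UPDATE coupons SET used = 1 WHERE code = ? AND used = 0` with the affected-row count checked, or a unique constraint for the username case, so that the database rather than application code decides which request wins.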
Now let's demonstrate this practically.
Lab: Limit overrun race conditions:
We have a test lab website from PortSwigger.

We can see we have a promo code that can be used for a 20 percent discount.
Let's test the race condition on it. First, add a product to the cart and apply the coupon.

We got the 20 percent discount we were promised, but let's try to get the item for free. Remove the coupon for now and send the request in which we applied the coupon to Intruder. Now set the coupon as the payload position.

In Payloads, add the coupon code like this.

Now start the attack. You can increase the request pool from the resource pool; I recommend setting it to 30. Start the attack and we can see multiple successes.

Now let's check the discount on the website.

On the website we have 1321 dollars of discount and the jacket now only costs 15 dollars. This shows how race conditions can be disastrous for a business and can account for huge losses.
Now let's look into another example of bypassing or exceeding a limit.
Lab: Bypassing rate limits via race conditions
We have a login page where we have to brute-force the password of carlos, but the main hindrance is that the login page is locked after 3 unsuccessful attempts.

What we can do is run Intruder on the login request, sending multiple requests with different passwords from the list provided by the lab.
Now let's run the attack.

We can confirm there is a race condition by looking at our responses: we were able to send 10 requests without being locked out. So now remove the wrong passwords from the list and run again.
Let's run it again with new passwords.

Now, by the process of elimination, let's remove the invalid passwords. Make sure you do this within 15 minutes.

The lab reset, so I had to repeat the process, and this time we can see a 302 response, which probably redirects to the dashboard.
Now let's try this password.

We have successfully brute-forced the password for carlos by exploiting the race condition in the website.
Let's delete the carlos user and complete the objective.

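Before wrapping up, here is an added Python example (mine, not the lab's code) showing why the lockout in this lab could be bypassed and how a developer closes the gap. `LoginService`, the password `correct-horse`, the 3-attempt limit and the outcome labels are constructed for the demonstration; as in the coupon example, a `threading.Barrier` plays the role of Intruder's resource pool by getting every request past the counter check before any of them records a failure.

```python
import threading
from collections import Counter

MAX_FAILURES = 3                       # lock the account after 3 wrong attempts
CORRECT_PASSWORD = "correct-horse"     # constructed sample, not a real credential


class LoginService:
    def __init__(self):
        self.failures = 0
        self.lock = threading.Lock()

    def login_unsafe(self, password, rendezvous):
        """Vulnerable ordering: read the counter, verify the password, and only
        then record the failure. Requests in flight together all read the same
        low count, so far more than 3 guesses reach the password check.
        (On a fresh service no request is locked before the barrier, so every
        thread reaches it.)"""
        if self.failures >= MAX_FAILURES:       # 1. check the counter
            return "locked"
        rendezvous.wait()                       # all requests are past the check now
        if password == CORRECT_PASSWORD:
            self.failures = 0
            return "ok"
        self.failures += 1                      # 2. record the failure (too late)
        return "wrong"

    def login_safe(self, password, rendezvous):
        """Fixed: reserve an attempt slot atomically *before* verifying, so at
        most MAX_FAILURES attempts ever reach the password comparison."""
        rendezvous.wait()                       # requests still arrive together
        with self.lock:                         # increment and check as one step
            if self.failures >= MAX_FAILURES:
                return "locked"
            self.failures += 1
        if password == CORRECT_PASSWORD:
            with self.lock:
                self.failures = 0               # a successful login clears the counter
            return "ok"
        return "wrong"


def concurrent_logins(method_name, passwords):
    """Submit all passwords at once through the chosen login method on a fresh
    service and return a count of each outcome ("ok", "wrong", "locked")."""
    service = LoginService()
    rendezvous = threading.Barrier(len(passwords))
    outcomes = [None] * len(passwords)

    def request(i):
        outcomes[i] = getattr(service, method_name)(passwords[i], rendezvous)

    threads = [threading.Thread(target=request, args=(i,)) for i in range(len(passwords))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(Counter(outcomes))


if __name__ == "__main__":
    wrong_guesses = ["guess%d" % i for i in range(9)]      # constructed wordlist
    print("unsafe:", concurrent_logins("login_unsafe", wrong_guesses + [CORRECT_PASSWORD]))
    print("safe:  ", concurrent_logins("login_safe", wrong_guesses + ["guess9"]))
```

In a real service the critical section is an atomic counter update performed before the credential check, for example `UPDATE users SET failed = failed + 1 WHERE username = ? AND failed < 3` with the affected-row count inspected, or a Redis `INCR`, rather than an in-process lock, because concurrent requests usually land on several worker processes that share no memory.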
Hopefully this blog helped you understand race conditions and some of the exploitation techniques as well.
See you in the next part, where we will be doing some advanced techniques to exploit race conditions.
Till then.