Today I am going to write about a specific vulnerability which I have found in some of the web applications that I have pentested in past
The vulnerability is race condition .
Description:-As per the OWASP testing guide, “A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data.”
Actually it is not easy to test Race conditions, by their very nature.
Then how to detect it??If difficult to test !!!!Wait Lets understand the bug then it would be easy to create test conditions
Anatomy of bug:
lets Try answer this simple question what would happen if you increment a value of variable by n times and then simultaneously decrease its value by n times???
No brain teaser right ,most of the time our answer will be :value remain unchanged. Now lets run the program hosted by me on python2 platfrom and python3 as instructed and try to explain why their is different result.
Web-Application-Pentest-series/Race conditions at main · R0aDt0OSCP/Web-Application-Pentest-series
You can't perform that action at this time. You signed in with another tab or window. You signed out in another tab or…
While running race_with_me.py in my terminal ,see what I got as output
so you can now easily make out that our script is using multithreading and two functions simultaneously working on a shared variable which is why there is unexpected result.
But if you are thinking that its is because of using python2 which is known to have some notorious bugs like this then you are mistaken if you would run my other script in latest python3 version then also you would notice this kind weird behavior in value of variable.
What’s is defense to avoid such unexpected cases
So the key to prevent a race condition is to find a way to synchronize or strictly control the order of operations in potentially vulnerable functions and actions. The best way to do this is through implementing locks. Like lock a process when one function is doing operation in variable post operation lock should get free and other function should be allowed access.
Though Modern Most programming languages have a built-in locking functionality for data; for example, Python has “threading.Lock”.
How much this is relevant in web hacking
To test the bug I used a buggy PHP application mimicking as a banking application and used turbo intruder burpsuite plugin for exploting the bug
For more kindly watch this video:-
Bug That I found
Ok so it was private program where one feature of application allowed me to use a coupon code for reducing the flight charges normally one coupon was allowed by the application per user. However due to lapse in the application defense I was able to use that discount multiple times to reduce my flight charges.
Sorry At the time of writing I don't have any dummy application too showcase that bug(will bring up it soon in my channel)
key factors that are to be kept in mind are:
- Race condition bugs are found mostly in endpoints where some kind of resources can be add/remove/changed by user .
- There may not be immediate success so try again and again .
- Try using parallel threads while making changes on the particular resource at the same time .
- use Burp plugin like turbointruder for making your exploitation easy
GitHub - PortSwigger/turbo-intruder: Turbo Intruder is a Burp Suite extension for sending large…
Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. - GitHub…
5. You may also use race-the-web below
GitHub - TheHackerDev/race-the-web: Tests for race conditions in web applications. Includes a…
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration…
As a foot note read this awesome article
Hacking Starbucks for unlimited coffee
This is a story about how I found a way to generate unlimited amount of money on Starbucks gift cards to get life-time…
Thanks for reading ! Have a great day :)