Race Condition Vulnerabilities

RoadToOSCP
3 min readJan 5, 2023

Hello OutThere

Today I am going to write about a specific vulnerability which I have found in some of the web applications that I have pentested in past

The vulnerability is race condition .

Description:-As per the OWASP testing guide, “A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data.”

sound simple???

Actually it is not easy to test Race conditions, by their very nature.

Then how to detect it??If difficult to test !!!!Wait Lets understand the bug then it would be easy to create test conditions

Anatomy of bug:

lets Try answer this simple question what would happen if you increment a value of variable by n times and then simultaneously decrease its value by n times???

No brain teaser right ,most of the time our answer will be :value remain unchanged. Now lets run the program hosted by me on python2 platfrom and python3 as instructed and try to explain why their is different result.

While running race_with_me.py in my terminal ,see what I got as output

so you can now easily make out that our script is using multithreading and two functions simultaneously working on a shared variable which is why there is unexpected result.

But if you are thinking that its is because of using python2 which is known to have some notorious bugs like this then you are mistaken if you would run my other script in latest python3 version then also you would notice this kind weird behavior in value of variable.

What’s is defense to avoid such unexpected cases

So the key to prevent a race condition is to find a way to synchronize or strictly control the order of operations in potentially vulnerable functions and actions. The best way to do this is through implementing locks. Like lock a process when one function is doing operation in variable post operation lock should get free and other function should be allowed access.

Though Modern Most programming languages have a built-in locking functionality for data; for example, Python has “threading.Lock”.

How much this is relevant in web hacking

To test the bug I used a buggy PHP application mimicking as a banking application and used turbo intruder burpsuite plugin for exploting the bug

For more kindly watch this video:-

Bug That I found

Ok so it was private program where one feature of application allowed me to use a coupon code for reducing the flight charges normally one coupon was allowed by the application per user. However due to lapse in the application defense I was able to use that discount multiple times to reduce my flight charges.

Sorry At the time of writing I don't have any dummy application too showcase that bug(will bring up it soon in my channel)

key factors that are to be kept in mind are:

  1. Race condition bugs are found mostly in endpoints where some kind of resources can be add/remove/changed by user .
  2. There may not be immediate success so try again and again .
  3. Try using parallel threads while making changes on the particular resource at the same time .
  4. use Burp plugin like turbointruder for making your exploitation easy

5. You may also use race-the-web below

As a foot note read this awesome article

Thanks for reading ! Have a great day :)

--

--