0x17 - Exploiting Race Conditions

Did you know race condition exploits are some of the best ways to bypass financial-related checks?

Race condition vulnerabilities abuse the server's (improper) way of handling concurrent requests.

They can be used to perform limit-overrun attacks such as:

  • using the same gift card multiple times

  • redeeming the same coupon code

  • bypassing a shop's quantity limits (Nvidia video cards 😉)



How to do it

  1. Find the request that triggers the server-side check (e.g. /api/check-coupon)

  2. Create a new tab group in Repeater

  3. Add the same request multiple times to the group (CTRL+R)

  4. Select Send group in parallel

  5. Run the attack

  6. Check if more than one response is valid

If you get more than one successful response for the same coupon/gift card, the race condition was successful.
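Why a parallel group can get more than one valid response, and what the server-side fix looks like, shown as an added example that is not part of the original post. `CouponStore`, its method names, the `SAVE10` code and the 50 ms delay are constructed for illustration.

```python
import threading
import time

class CouponStore:
    """Constructed in-memory stand-in for the coupon table behind the endpoint."""

    def __init__(self, codes):
        self.unused = set(codes)
        self._lock = threading.Lock()

    def redeem_vulnerable(self, code):
        # Check and update are separate steps, so parallel requests can all
        # pass the check before any of them marks the coupon as used.
        if code not in self.unused:
            return False
        time.sleep(0.05)  # simulated latency (order lookup, DB round trip)
        self.unused.discard(code)
        return True

    def redeem_atomic(self, code):
        # Check and update happen as one step under a lock. The database
        # equivalent is a conditional UPDATE ... WHERE used = 0 followed by
        # a check of the affected row count.
        with self._lock:
            if code not in self.unused:
                return False
            time.sleep(0.05)
            self.unused.discard(code)
            return True


def count_successes(method_name, parallel=10, code="SAVE10"):
    """Fire `parallel` simultaneous redemptions of one coupon; count successes."""
    store = CouponStore([code])
    redeem = getattr(store, method_name)
    barrier = threading.Barrier(parallel)
    results = []

    def worker():
        barrier.wait()  # release all threads at the same moment
        results.append(redeem(code))

    threads = [threading.Thread(target=worker) for _ in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

`count_successes("redeem_vulnerable")` returns more than one success for a single coupon, while `count_successes("redeem_atomic")` returns exactly one.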

