0x17 - Exploiting Race Conditions
Did you know race conditions exploits are some of the best ways to bypass financial-related checks?
Race condition vulnerabilities abuse the server's (improper) way of handling concurrent requests.
They can be used to perform limit-overrun attacks such as:
using the same gift card multiple times
redeeming the same coupon code
bypassing a shop's quantity limits (Nvidia video cards 😉)
How to do it
Find the request that triggers the server-side check (i.e:
/api/check-coupon
)Create a new tab group in
Repeater
Add the same request multiple times to the group (
CTRL+R
)Select
Send group in parallel
Run the attack
Check if more than one response is valid
If you get more than one successful responses for the same coupon/gift card -> race condition was successful