Race Condition
Overview of the Vulnerability
A race condition occurs when an application handles concurrent requests that read and update shared state without enforcing an order, so that operations the logic assumes run one at a time actually run in parallel. As a result, the application logic can break. An attacker can abuse a race condition in this application to call a function multiple times in parallel, breaking the application's logic and causing unintended consequences.
Business Impact
This race condition vulnerability can lead to reputational damage for the business due to a loss of user confidence and trust.
Steps to Reproduce
Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
Fill in the form and send the request
Intercept the following request in a web proxy:
{{Request}}
Use {{program}} to exploit the race condition
Proof of Concept (PoC)
The screenshot(s) below demonstrate the race condition:
{{screenshot}}
Recommendation(s)
It is recommended to synchronize and control the order in which operations execute. This can be achieved through locking functionality within many programming languages.
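As an added illustration (not part of this template), the following constructed Python example shows a single-use voucher redemption written first as an unsynchronized check-then-act, then with a lock around the same steps. Firing twenty concurrent attempts at one voucher lets the unsynchronized version redeem it several times, while the locked version allows exactly one redemption. The voucher code, the store class and the `time.sleep` standing in for a database round trip are all assumptions made for the demonstration.

```python
import threading
import time


class VoucherStore:
    """Toy single-use voucher store (constructed example, not the page's code)."""

    def __init__(self, codes):
        self._redeemed = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem_unsafe(self, code):
        # Check-then-act with no synchronization: many parallel requests can
        # all observe "not redeemed" before any of them marks the voucher used.
        if self._redeemed[code]:
            return False
        time.sleep(0.05)  # stands in for a slow database round trip
        self._redeemed[code] = True
        return True

    def redeem_safe(self, code):
        # The lock serialises the check and the update, so only the first
        # request to enter can succeed; the rest see the voucher as used.
        with self._lock:
            if self._redeemed[code]:
                return False
            time.sleep(0.05)
            self._redeemed[code] = True
            return True


def concurrent_redeem(method, code, workers=20):
    """Release `workers` redemption attempts at once; return how many succeeded."""
    barrier = threading.Barrier(workers)
    results, results_lock = [], threading.Lock()

    def worker():
        barrier.wait()  # all threads start the request at the same instant
        ok = method(code)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(code="SAVE10"):
    """Return (successful redemptions without lock, with lock) for one voucher."""
    unsafe, safe = VoucherStore([code]), VoucherStore([code])
    return (concurrent_redeem(unsafe.redeem_unsafe, code),
            concurrent_redeem(safe.redeem_safe, code))


if __name__ == "__main__":
    unsafe_wins, safe_wins = demo()
    print(f"unsynchronized: {unsafe_wins} redemptions of a single-use voucher")
    print(f"with lock:      {safe_wins} redemption")
```

In a real service the lock would typically be a database-level mechanism (a row lock or an atomic conditional update) rather than an in-process mutex, since concurrent requests may be served by separate processes or hosts.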
For further information, please see the following resource: