.png)
4 hours ago
6 BOOK THIS SPACE FOR AD
ARTICLE AD
Hello, everyone. I’m Viperblitzz. Today, I will share my findings about Race condition vulnerabilities and give a brief overview of the features that are subject to race condition vulnerabilities.
Once, when I was on holiday at the weekend, I accidentally discovered a company that operates in the service sector. At that time it crossed my mind to try hunting. First I created an account on the company’s website, then I tried logging out to try to find vulnerabilities on the website’s home page which had a forgotten password feature. After I found out, it turns out that the website has several optional features for sending forgotten password verification codes in various ways, including via WhatsApp number and also SMS. However, what caught my attention was trying to send the forgotten password verification code via SMS.
Without further ado, let’s get straight to the main topic of discussion.
Reported from the portswigger.net page. Race condition vulnerability is a condition that can occur on a website that processes a huge number of requests and is sent to the server simultaneously without adequate protection from the server. The most well-known type of race condition allows you to exceed some clarity of limitation imposed by the application’s business logic. For example, there are e-commerce sites that will enable you to use one type of discount coupon repeatedly, which should not be the case. To find out a more detailed explanation, you can read it on the portswigger.net site.
1. Create an account on target.com, then log out.
2. On the login page, there is a forget password feature. Enter the telephone number that was previously registered with the intention that the verification code will be sent via SMS number.
3. Capture the request, then store the request on the repeater.
4. The attacker copies the request in quite large numbers. Then the attacker sends all the copied requests simultaneously (Send group in parallel).
5. OTP code messages were successfully sent to the attacker’s SMS numbers in quite large numbers.
With this vulnerability, attackers can spam forgotten password verification codes sent via SMS. This can cause large losses, especially in the company’s financial sector, because for every request sent via SMS, the company has to pay for the SMS message. SMS verification requests will also consume the website’s CPU and memory which may cause poor performance issues.
Because I cannot provide a valid PoC video and detail I will provide an overview through the explanatory video provided by portswigger. Please note that the attack techniques/schemes on legitimate PoC videos are not much different from the videos described by Portswigger. I also found this vulnerability inspired by the race condition explanation created by Portswigger.
14 September submit the report.
18 October the report was declared valid.
18 October pending bounty.
22 October bounty awarded.
Bengali (Bangladesh) · 
English (United States) ·