Race Condition Exploit Enables Free Plan Users to Access Premium Features


Rawansaed

Hello everyone!

I’m Rawan, also known as 0xSecgirl in the cybersecurity community. I’m currently a fourth-year student with a strong passion for penetration testing and bug hunting. Today, I’m thrilled to share my journey of discovering my first-ever bug, a race condition vulnerability that allowed me to bypass a premium feature restriction.

This experience not only gave me a deeper understanding of web application vulnerabilities but also showed me the importance of studying parallel programming, which played a key role in identifying and exploiting this issue. I hope this write-up inspires others to explore the world of bug hunting and take their first steps toward discovering their own vulnerabilities.

A race condition arises when a program has multiple code paths executing at the same time against shared state, so that the outcome depends on the order in which they happen to run. In web applications the classic form is check-then-act: a request handler reads a value (here, the number of members in a team), decides based on it, and then writes, with nothing preventing other concurrent requests from making the same decision on the same stale value.

This write-up details a race condition vulnerability that was identified in the "Team Invitation" feature of example.com. It allowed an attacker to bypass the free plan's limit of three members per team: by sending several invitation requests in parallel, every request passes the member-count check before any of the new members has been recorded, so more members than the limit are added, violating the platform's business logic.

I registered an account on the target website and familiarized myself with its functionality as a normal user.
While navigating the site, I observed a feature allowing users to create a team and invite members, with a restriction of up to three members per team.

To exceed this limit, the website offers an option to purchase additional slots.

Screenshot: my team already has three members, and I cannot add another until I upgrade the plan.
Screenshot: the cost of upgrading the plan.

I hypothesized that by exploiting a race condition during the member addition process, it might be possible to bypass the limit without making a payment.

1. Deleted the Third Invitation: I started by clearing the third invitation slot so that I could properly test the limit bypass.

2. Navigated to the Team Invitation Section: I accessed the team management page to initiate the invitation process.

3. Captured the Invitation Request: Using Burp Suite, I intercepted the invitation request for further analysis.

4. Sent the Request to Repeater: I forwarded the captured request to Burp Suite's Repeater tool and duplicated it three times.

5. Modified the Email in Each Request: In each duplicated tab, I replaced the email field with a unique email address so that all invitations were distinct.

6. Grouped the Requests: I added all three modified requests to a single tab group in Burp Suite.

Screenshot: the Repeater tab group, used to send the requests in parallel.

7. Executed the Parallel Requests: Using Burp Suite's "Send group in parallel" feature, I sent all three requests simultaneously.

8. Observed the Responses: All three requests returned a 201 Created status, confirming that the invitations were sent and that the three-member limit for free accounts had been bypassed.

Screenshot: every response came back with a 201 Created status, confirming that the invitations were sent.

I repeated the process with additional sets of requests, ultimately adding six more invitations to reach a total of nine members in the team, far exceeding the free plan's limit. In practice this meant I could add an unlimited number of members.
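To make the mechanism described above concrete, here is an added simulation (my own illustration, not code from the affected site, whose server-side implementation is not known). It models the invitation handler in two forms: a vulnerable check-then-act version, where the member-count check and the insert are separate unsynchronised steps, and a fixed version that performs both under one lock. The `fire_parallel` helper plays the role of Burp Repeater's tab group, launching all requests at the same instant. The class names, the 402 rejection code, the two existing members and the three invitation addresses are all constructed for the example; the barrier inside the vulnerable handler only makes the race deterministic here, standing in for the database round-trip that opens the window on a real server.

```python
import threading

FREE_PLAN_LIMIT = 3  # the three-member cap the write-up describes


class VulnerableTeam:
    """Limit check and insert are two unsynchronised steps (check-then-act).

    `window` is a Barrier used only to make the race deterministic in this demo:
    every handler finishes its check before any handler inserts. This is the
    interleaving that sending a Repeater group in parallel tries to hit on a
    real server, where the gap is a database round-trip rather than a barrier.
    """

    def __init__(self, members, parallel_requests):
        self.members = list(members)
        self.window = threading.Barrier(parallel_requests, timeout=1)

    def invite(self, email):
        if len(self.members) >= FREE_PLAN_LIMIT:   # check
            return 402                             # hypothetical "upgrade required" code
        try:
            self.window.wait()                     # the other requests sit in the same gap
        except threading.BrokenBarrierError:
            pass                                   # some request was rejected early; carry on
        self.members.append(email)                 # act, on a count that is now stale
        return 201


class FixedTeam:
    """Check and insert run atomically under one lock, so the count a handler
    read cannot change before its insert lands. In a real application the same
    effect comes from a single conditional INSERT/UPDATE or a database
    constraint, not from an in-process lock."""

    def __init__(self, members, parallel_requests=None):
        self.members = list(members)
        self.lock = threading.Lock()

    def invite(self, email):
        with self.lock:
            if len(self.members) >= FREE_PLAN_LIMIT:
                return 402
            self.members.append(email)
            return 201


def fire_parallel(team, emails):
    """Send one invitation per email at the same instant, as the Repeater tab
    group does, and return the sorted list of status codes."""
    codes = [None] * len(emails)
    start = threading.Barrier(len(emails))

    def worker(i, email):
        start.wait()                 # all workers release together
        codes[i] = team.invite(email)

    threads = [threading.Thread(target=worker, args=(i, e)) for i, e in enumerate(emails)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(codes)


# Constructed scenario mirroring the write-up: two members already on the team,
# three distinct invitations sent in parallel.
EXISTING = ["alice@example.com", "bob@example.com"]
INVITES = ["c1@example.com", "c2@example.com", "c3@example.com"]


def run_demo(team_cls):
    """Return (sorted status codes, final member count) for one handler variant."""
    team = team_cls(EXISTING, len(INVITES))
    codes = fire_parallel(team, INVITES)
    return codes, len(team.members)


if __name__ == "__main__":
    print("vulnerable:", run_demo(VulnerableTeam))  # ([201, 201, 201], 5): limit bypassed
    print("fixed:     ", run_demo(FixedTeam))       # ([201, 402, 402], 3): one accepted
```

The vulnerable handler accepts all three invitations and ends with five members on a three-member plan, which is exactly the 201/201/201 result seen in Burp. The fixed handler accepts one and rejects two, regardless of how tightly the requests are packed together. When testing for this class of bug, the thing to confirm is not only that the limit was exceeded but that the excess invitations actually persisted (for example by reloading the team page), since some applications reject the duplicates in a later step.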

Race Condition PoC

This is the end of my write-up. Thank you for reading, and feel free to connect with me on LinkedIn.
