Real-World Example of Race Condition Exploits “adding Money”

6 months ago 44
BOOK THIS SPACE FOR AD
ARTICLE AD

Dr404

Hello friends,

This is my first write-up, and I discuss how I can add more money to my account with race condition vulnerability.

Race conditions are a type of vulnerability often tied to business logic flaws, arising when websites handle concurrent requests without sufficient protections. This can allow multiple threads to access the same data simultaneously, leading to collisions that trigger unintended application behavior. In a race condition attack, strategically timed requests deliberately cause collisions to exploit this behavior for malicious ends.

let’s start

The mobile app has a function to invite friends, and both of you can earn money.
1:making 2 accounts and invite account B.
after inviting account B you will get the reward to scratch and get money from 1$ to 100$

2: Trun on the intercept and send the scratch request
request will be like:

3:Make sure you have turbo intruder extension,you can download it from burp extensions.
Click extensions > turbo intruder> send to turbo intruder.
4:go to turbo intruder section and select race-single-packet-attack.py.
add “$S= “ and click attack.

5: The script race-single-packet-attack.py will send the request 100 times at the same time, and the server can't deal with all requests simultaneously, resulting in adding more than one reward, as shown in the picture.

“The money has been added to my account 5 times and is now available for withdrawal.”

Thanks for reading

Read Entire Article