A Race Against Time
Updated: Aug 28, 2022
There was a delivery service that was introduced to the company I work for. They allowed employees to order groceries without a shipping fee, and get them on the same day.
I was curious and checked a couple of things on the website (security-wise). There were many requests, and I tested some things. After not finding anything interesting, I stopped.
I got back to it a few weeks or probably months later. I really wanted to find something in there, especially since I did not find anything the last time.
Now, this platform usually targets companies and after an onboarding session with a representative, they give you some credits. I will get back to it later.
I registered an account. I wanted to see if there was something interesting on the account's profile page, so I went there.
Let's see what happens when I press "Save" for the account's details.
Hmm, the server's response contained parameters that caught my eye ('store_credits', 'onboarded' and 'verified').
'store_credits' probably refers to money and the 'onboarded' parameter refers to the onboarding process I mentioned earlier.
I added the 'store_credits' parameter to the request in order to change my credits. Sending normal values or unexpected values did not change the number of credits.
Let's try to change the 'onboarded' and 'verified' values to 'true'.
Okay, it worked and now I am onboarded and verified. Wait a second, I also gained credits (3000 credits, which are equivalent to 30 New Israeli Shekels)!
Let's try to send it again, maybe I will get even more credits!
Unfortunately, it did not work.
So we have an authorization bypass here. We can onboard and verify our account and get credits for that.
Then a thought came to my mind and I asked myself - is there a chance there is a race condition here?
As per the OWASP testing guide: "A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions".
For example, in this web application, if there is a race condition, the system will process these requests simultaneously while increasing my credits over and over before noticing that my account is already onboarded.
I created a new account (with 0 credits), prepared the same request, sent it to Burp Suite Intruder (a tool that automates attacks) and sent it many times using a large number of concurrent requests.
This is what I got from the server's response. It looks like it did not affect the credits and I only got 20 NIS. 😭
Also, on the catalog page, it seemed that I only got the 20 NIS discount.
I probably wanted to test further issues when I entered the cart, and I was surprised to discover that it worked: I had a discount of far more credits than I should have had (I should have had a 20 NIS discount and got 60 NIS).
Here I could get only 60 NIS, but I also succeeded in doing that with 120 NIS.
Race conditions are fun!
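The two server-side flaws described above, the client-writable 'onboarded'/'verified' fields and the one-time credit grant that can be won more than once, are sketched below next to their fixes. This is an added example, not code from the platform or from the original post: the `Account` model, the function names and the `first_name` field are hypothetical, and the barrier is a constructed pause that makes the interleaving deterministic.

```python
import threading

ONBOARDING_BONUS = 3000  # credits granted once per account (value from the post)
SERVER_ONLY = {"store_credits", "onboarded", "verified"}  # never client-writable

class Account:  # hypothetical in-memory stand-in for the account row
    def __init__(self):
        self.onboarded = False
        self.store_credits = 0
        self.lock = threading.Lock()

def filter_profile_update(body):
    """Drop server-controlled fields from a profile 'Save' request body."""
    return {k: v for k, v in body.items() if k not in SERVER_ONLY}

def grant_racy(acct, gate):
    """Check-then-act: the flag is tested outside the critical section."""
    if acct.onboarded:              # check
        return
    gate.wait()                     # constructed pause standing in for DB latency
    with acct.lock:                 # locking only the write does not help
        acct.store_credits += ONBOARDING_BONUS
        acct.onboarded = True

def grant_atomic(acct, gate):
    """Test and set the flag in one critical section; only one caller wins."""
    gate.wait()                     # release all callers at the same instant
    with acct.lock:
        if acct.onboarded:
            return
        acct.onboarded = True
        acct.store_credits += ONBOARDING_BONUS

def run_concurrent(grant, n=4):
    """Call grant() from n threads against one fresh account; return its credits."""
    acct, gate = Account(), threading.Barrier(n)
    threads = [threading.Thread(target=grant, args=(acct, gate)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.store_credits

if __name__ == "__main__":
    print(filter_profile_update({"first_name": "A", "onboarded": True}))  # constructed body
    print("racy:  ", run_concurrent(grant_racy))
    print("atomic:", run_concurrent(grant_atomic))
```

With a database behind the handler, the same guarantee usually comes from a single conditional update (set the flag only where it is still false) and granting credits only when that statement reports one affected row.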