My Introduction
Hiya, I am Raunak Gupta, a Security Researcher and Bug Bounty Hunter for fun and profit.
All sensitive data in the screenshots is blurred for privacy reasons.
First Target Overview
Redacted.com is an open-source company that provides backend tools for developers. They offer services like authentication, databases, storage, and real-time APIs, helping startups and enterprises build applications quickly without managing complex infrastructure.
Bug Summary
The target was not new to me; I had been testing it for one or two months. It had a basic feature to create a project, and the main point is that a free user can create only two projects, but I'm a hacker, hehe. Below is the HTTP request responsible for creating a project.
I intercepted this request, sent it to the Repeater tab in Burp Suite, made 6 to 8 copies of the request, and then grouped all the requests (check the image below).
Then I chose “Send request in parallel (Single Packet Attack)” and sent the group.
And boom: as a free user I got 6 complete, working projects. This is a classic “paywall bypass”.
Note: Many of you may know the target, so I request that you please don't post its name in the comments.
Now Let’s Learn Why This Bug Happened in the First Place
The vulnerability occurs due to a race condition in the project creation logic. The platform enforces the free-tier project limit through application-level validation, but this check is not atomic at the database layer. When multiple parallel requests are sent, each request independently validates the project count before any insert operation completes. Since there is no row-level locking, transactional isolation, or atomic counter, all requests pass the validation and successfully create new projects. This allows free users to bypass the intended quota restrictions, leading to resource abuse and business logic violation.
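To make the root cause concrete, here is an added example (my own code, not the target's) that models the two designs described above. It assumes a hypothetical `users` table with a `project_count` column and a `projects` table, uses an in-memory SQLite database, and simulates the worst-case interleaving a single-packet attack produces (every request finishes its validation step before any request reaches its write step) deterministically rather than with real threads. The vulnerable handler reads the count in one statement and inserts in another; the hardened handler reserves a slot with a single conditional `UPDATE` on the user's row, which a database evaluates under the row lock, so only as many requests as the quota allows see `rowcount == 1`.

```python
import sqlite3

FREE_TIER_LIMIT = 2  # the page's free-tier quota: two projects per free user


def fresh_db():
    """Constructed schema for this example: one free user with an atomic
    project counter, plus a projects table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id TEXT PRIMARY KEY, "
        "project_count INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute(
        "CREATE TABLE projects (id INTEGER PRIMARY KEY, "
        "owner TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users (id) VALUES ('free_user')")
    conn.commit()
    return conn


# --- Vulnerable handler: check-then-act in two separate statements ----------
def vulnerable_check(conn, user):
    # Application-level validation reads the current count...
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM projects WHERE owner = ?", (user,)
    ).fetchone()
    return count < FREE_TIER_LIMIT


def vulnerable_write(conn, user, name):
    # ...and the insert happens later. Nothing ties the insert to the value
    # that was read, so every request that read "1" or "0" gets to insert.
    conn.execute("INSERT INTO projects (owner, name) VALUES (?, ?)", (user, name))
    conn.commit()


# --- Hardened handler: limit check and reservation are ONE statement --------
def hardened_check(conn, user):
    # The conditional UPDATE is evaluated on the locked user row, so concurrent
    # requests serialize here; only FREE_TIER_LIMIT of them get rowcount == 1.
    cur = conn.execute(
        "UPDATE users SET project_count = project_count + 1 "
        "WHERE id = ? AND project_count < ?",
        (user, FREE_TIER_LIMIT),
    )
    conn.commit()
    return cur.rowcount == 1


def hardened_write(conn, user, name):
    # Only called for requests that won a reservation.
    conn.execute("INSERT INTO projects (owner, name) VALUES (?, ?)", (user, name))
    conn.commit()


def simulate_parallel(conn, check, write, user, n):
    """Worst-case interleaving of n parallel requests: all validation steps run
    before any write step. Returns the number of projects the user ends with."""
    passed = [check(conn, user) for _ in range(n)]
    for i, ok in enumerate(passed):
        if ok:
            write(conn, user, f"project-{i}")
    (total,) = conn.execute(
        "SELECT COUNT(*) FROM projects WHERE owner = ?", (user,)
    ).fetchone()
    return total


def run(n=8):
    """Returns (projects created by vulnerable handler, by hardened handler)."""
    vuln = simulate_parallel(fresh_db(), vulnerable_check, vulnerable_write, "free_user", n)
    safe = simulate_parallel(fresh_db(), hardened_check, hardened_write, "free_user", n)
    return vuln, safe


if __name__ == "__main__":
    v, s = run()
    print(f"vulnerable handler created {v} projects, hardened handler created {s}")
```

In production the reservation `UPDATE` and the `INSERT` belong in the same transaction so a failed insert releases the slot; the point the simulation shows is that the quota decision must be made by a single atomic write (a conditional counter update, a `SELECT ... FOR UPDATE` on the owner row, or a uniqueness constraint), never by a read whose result is acted on in a later statement.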
Second Target Overview
The second target in which I found a race condition was like Instagram: a user can follow other users, post images and videos, comment, like, repost, add stories, and make their account private or public, and there was a ton of functionality in it.
Bug Summary
The second target was new to me. After exploring the main web app for a few hours, I tried testing the follow-user functionality for IDOR, but there was none.
This is the HTTP request to follow a user using their ID, which is a 20-character-long hexadecimal string. Similar to my first target, I sent this request to Repeater and created multiple copies of it. Then, I grouped the requests and selected “Send requests in parallel (Single Packet Attack)”, before sending them.
After this I went back to the web app and checked whether there was an increase in followers, and boom!!
Yes, it was a duplicate bug again 😎😎
Third Target Overview
Redacted.com is an online platform that provides computer science resources, coding tutorials, and interview preparation materials. They help students and professionals improve their skills in programming, data structures, algorithms, and system design through articles, courses, and practice problems.
Bug Summary
This one was interesting, and I really enjoyed exploiting it. As mentioned earlier, a user can solve coding questions and earn points. That made me wonder: what if I tried a race condition on the request responsible for telling the server that my answer is correct and then adding points to my account? For me, that sounded super exciting.
So these were my points before the race condition:
Then I chose a random coding question and used ChatGPT to get the answer since I’m not good at programming. I pasted the correct code and intercepted the “submit question” request. You can’t see this request in the image above because you first need to click the “Run Code” button in order to get the “submit question” button.
This is the request that carried my original correct answer. The difference with this third bug is that I didn’t stop or forward the request in the proxy > intercept tab because when I did, I only received points once. Instead, while the request was in the intercept tab, I sent it to Repeater and repeated the same steps as before: creating multiple tabs, grouping them, and sending them in parallel.
And boom, I received more points than the allotted 70 per answer. Before, my points were 830, and after the exploit, they jumped to 1460. That means I gained a total of 630 points for a single answer.
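The second and third bugs share one shape: an action that should happen at most once per (user, target) pair (one follow per user, one award per solved question) is guarded only by an application-level "already done?" read. Here is an added example (my own code, not either target's) showing the defender's fix for that shape, using the third target's numbers. It assumes hypothetical `users` and `awards` tables in an in-memory SQLite database and simulates the parallel interleaving deterministically. The vulnerable path reads "not yet awarded" and then pays; the hardened path puts a `UNIQUE` index on `(user_id, question_id)` and adds points in the same transaction as the row that claims the slot, so a duplicate submission fails at the database and pays nothing. With n = 9 the vulnerable path lands on the page's figure of 1460 (830 + 9 × 70); how many copies the author actually sent is not stated. The same constraint on `(follower_id, followee_id)` would have closed the follow-count bug on the second target.

```python
import sqlite3

POINTS_PER_ANSWER = 70  # the page's per-answer award


def fresh_db():
    """Constructed schema: the awards table has NO uniqueness guarantee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, points INTEGER NOT NULL DEFAULT 0)")
    conn.execute("CREATE TABLE awards (user_id TEXT NOT NULL, question_id TEXT NOT NULL)")
    conn.execute("INSERT INTO users (id, points) VALUES ('me', 830)")  # page's starting balance
    conn.commit()
    return conn


def fresh_db_hardened():
    """Same schema, plus the fix: the database guarantees one award per (user, question)."""
    conn = fresh_db()
    conn.execute("CREATE UNIQUE INDEX awards_once ON awards (user_id, question_id)")
    conn.commit()
    return conn


def points_of(conn, user):
    (p,) = conn.execute("SELECT points FROM users WHERE id = ?", (user,)).fetchone()
    return p


# --- Vulnerable: "already awarded?" read, then a separate paying write ------
def vulnerable_check(conn, user, question):
    row = conn.execute(
        "SELECT 1 FROM awards WHERE user_id = ? AND question_id = ?", (user, question)
    ).fetchone()
    return row is None


def vulnerable_write(conn, user, question):
    # Every request that read "not yet" reaches this point and gets paid.
    conn.execute("INSERT INTO awards VALUES (?, ?)", (user, question))
    conn.execute("UPDATE users SET points = points + ? WHERE id = ?", (POINTS_PER_ANSWER, user))
    conn.commit()


# --- Hardened: claim the slot and pay in one transaction --------------------
def hardened_submit(conn, user, question):
    """Returns True if this submission was the first (and paid), False if a duplicate."""
    try:
        with conn:  # commits on success, rolls back if anything raises
            conn.execute("INSERT INTO awards VALUES (?, ?)", (user, question))
            conn.execute(
                "UPDATE users SET points = points + ? WHERE id = ?", (POINTS_PER_ANSWER, user)
            )
        return True
    except sqlite3.IntegrityError:
        return False  # unique index rejected the second claim: no points added


def simulate_parallel_vulnerable(conn, user, question, n):
    # Worst case: all n requests finish their read before any of them writes.
    passed = [vulnerable_check(conn, user, question) for _ in range(n)]
    for ok in passed:
        if ok:
            vulnerable_write(conn, user, question)
    return points_of(conn, user)


def simulate_parallel_hardened(conn, user, question, n):
    # There is no separable "check" phase any more: whatever the interleaving,
    # exactly one INSERT can satisfy the unique index.
    for _ in range(n):
        hardened_submit(conn, user, question)
    return points_of(conn, user)


def run(n=9):
    """Returns (final points with vulnerable logic, final points with the fix)."""
    vuln = simulate_parallel_vulnerable(fresh_db(), "me", "q1", n)
    safe = simulate_parallel_hardened(fresh_db_hardened(), "me", "q1", n)
    return vuln, safe


if __name__ == "__main__":
    v, s = run()
    print(f"vulnerable: {v} points, hardened: {s} points")
```

The fix is not "add a lock in the app": it is to make the database the single arbiter of "has this already happened" by encoding the once-only rule as a constraint, and to perform the side effect (points, follower count) only inside the transaction whose claim row succeeded. A replay or parallel burst then degrades to harmless `IntegrityError`s, which are also a useful signal to log and alert on.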
Bounty Time
This bug was actually on an out-of-scope domain. Only the static site was in scope, and it had registration and login buttons that redirected to the dynamic site (out of scope). I felt scammed because the difference between in-scope and out-of-scope was very minor, and I didn't notice it carefully. They only paid me $50 for this bug, even though it was serious enough that I could have ranked myself in the top 1 on their platform. Still, I didn't argue and respected their decision, since it fell under the out-of-scope bounty rules.
Connect with me
LinkedIn: https://www.linkedin.com/in/raunak-gupta-772408255/
My Discord server: https://discord.gg/8SSx5Ma9ve
My YouTube Channel: https://www.youtube.com/@BiscuitSecurity/featured