Time Sensitive Attacks

Sometimes you may not find race conditions, but the techniques for delivering requests with precise timing can still reveal the presence of other vulnerabilities.

One such example is when high-resolution timestamps are used instead of cryptographically secure random strings to generate security tokens.

Consider a password reset token that is only randomized using a timestamp. In this case, it might be possible to trigger two password resets for two different users, which both use the same token. All you need to do is time the requests so that they generate the same timestamp.

Methodology

  • Click the My account button, then the Forgot password link

  • Enter the username to reset the password

  • Send the POST /forgot-password request to Burp Repeater

  • Make a copy of the request

  • Now send the GET /forgot-password request to Repeater, remove the session ID, and send it to obtain a new session ID and CSRF token

  • Now modify one of the POST requests to use the new session ID and CSRF token, and change the username to the victim user

  • Now combine both POST requests into a single group (remember: do not include the GET request)

  • Send the requests in parallel

  • Now check the email client

  • Copy the password reset link and paste it into a new browser tab, then change the username to the victim user

  • Update the victim user's password to a new one

This process may take several attempts; make sure you follow the steps above.
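The flow above works because of two server-side defects: the reset token is derived only from a timestamp, so two resets that land in the same clock tick share a token, and the token is not bound to the account it was issued for, so swapping the username in the reset link is accepted. The Python below is an added illustration written for this page, not code from the lab or the original author. It contrasts a timestamp-seeded token generator with a CSPRNG-based one and adds a small reset service that binds each token to its user, expires it, and makes it single-use. The SERVER_KEY, the millisecond resolution, and the usernames are constructed for the demo.

```python
"""Timestamp-seeded vs random password-reset tokens (constructed demo)."""
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for the hardened version; a real deployment
# would load this from a secrets manager, never from source.
SERVER_KEY = b"demo-only-key-not-for-production"


def weak_reset_token(username: str, now_ms: int) -> str:
    """VULNERABLE: the token depends only on a millisecond timestamp.

    Two resets issued in the same millisecond get the same token, and the
    username plays no part, so a token issued for one account is just as
    valid for another. `username` is accepted only to mirror a real API.
    """
    return hashlib.sha256(str(now_ms).encode()).hexdigest()


def secure_reset_token() -> str:
    """Hardened: 256 bits from the OS CSPRNG, unrelated to the clock."""
    return secrets.token_urlsafe(32)


def weak_tokens_collide(user_a: str, user_b: str, now_ms: int) -> bool:
    """True when two different users get the same token in one clock tick."""
    return weak_reset_token(user_a, now_ms) == weak_reset_token(user_b, now_ms)


class ResetService:
    """Minimal reset flow that binds each token to the user it was issued for."""

    def __init__(self, ttl_s: int = 900):
        self.ttl_s = ttl_s
        # HMAC(token) -> (username, expiry). Storing a keyed hash instead of
        # the raw token means a leaked table row cannot be replayed as a link.
        self._pending: dict[str, tuple[str, float]] = {}

    def _key(self, token: str) -> str:
        return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, username: str, now: float) -> str:
        """Create a reset token for `username`; the raw token goes in the email."""
        token = secure_reset_token()
        self._pending[self._key(token)] = (username, now + self.ttl_s)
        return token

    def consume(self, token: str, username: str, now: float) -> bool:
        """Accept the reset only if the token is live, unused and bound to this user."""
        key = self._key(token)
        entry = self._pending.get(key)
        if entry is None:
            return False                      # unknown or already used
        bound_user, expiry = entry
        if now > expiry:
            del self._pending[key]
            return False                      # expired
        if not hmac.compare_digest(bound_user.encode(), username.encode()):
            return False                      # username in the link was tampered with
        del self._pending[key]                # single use
        return True


if __name__ == "__main__":
    tick = time.time_ns() // 1_000_000
    print("weak tokens collide:", weak_tokens_collide("alice", "bob", tick))
    print("random tokens differ:", secure_reset_token() != secure_reset_token())

    svc = ResetService()
    tok = svc.issue("alice", now=1000.0)
    print("swapped username rejected:", not svc.consume(tok, "bob", now=1001.0))
    print("legitimate reset accepted:", svc.consume(tok, "alice", now=1001.0))
    print("replay rejected:", not svc.consume(tok, "alice", now=1002.0))
```

The collision check is the property the parallel requests in the methodology depend on; `ResetService.consume` is the check that defeats the username swap in the final steps, and it is also where a defender can log repeated mismatches between the link's username and the token's owner.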
