First of all, What is a race condition ?

Race condition occurs when two or more threads can access shared data and they try to change it at the same time. If you have a hard time understanding theoretical stuff, let me give you an example. Let’s say a user has bank accounts A and B. Both A and B has an amount of 500$.

As you can see we transferred 300$ times from A to B two times. And there is no problem. However, if these two transfers were to perform simultaneously, we may see some problems.

We’ve encountered a race condition and transferred 600$ from A to B, even the bank account A got 300$ in the beginning.

My Finding

So the target company is a marketplace for drinks, and there is an monthly subscription. If you are subscribed to the service, you get an free sample every month. The product shows up on your profile and you can add to your basket. I clicked to add basket and captured the request to see what i can do.

So as soon as i saw the id’s i tried IDOR but there wasn’t an IDOR. So i thought of changing the quantity, i mean this is a sample and free so the quantity can be 10–15 and the price will be still 0. I changed the quantity to 3 and sent the request, but they tought of this one too. So i said why not trying race condition, sent the request to turbo intruder and after i saw all 200’s and took a loook at the responses, i understood there was an race condition.

I love race condition bugs because they are easy to exploit even and very impactful.

If you have questions to ask me, you can contact me on Twitter.