Lab: Limit overrun race conditions
Predict a potential collision
After successfully starting the lab, the shop should look something like the screenshot. We now log in via the "My account" link with the user name wiener and the password peter.


After logging in, we look for the cheapest product in the shop so that we can study the checkout process. The cheapest product may differ in your instance of the lab.

We now add this product to our shopping basket. To do this, we click on "View details" to open the product page; scrolling down, we find the "Add to cart" button. Clicking it adds the product to our basket.


When we return to the shop's start page, the counter in the top right-hand corner shows that there is now one product in our basket. We click on the basket to open it.

The basket should now contain the cheapest product. The basket mechanism, and in particular the restrictions that determine what we are allowed to order, are what we will try to work around. The basket should look like this:

Now we place a complete order. We enter the voucher code "PROMO20" in the field provided, click "Apply", and then click "Place order" to finalise the order.

After sending the order we receive the following message.

We now switch to Burp Proxy and open its "HTTP history". There we look for all requests that interact with the basket. For example, POST /cart adds an item to the basket and POST /cart/coupon applies a voucher code to it.

We send both requests to Burp Repeater so that we can experiment with them: right-click the first request and choose "Send to Repeater" from the context menu, then do the same with the second request.

The POST /cart/coupon request can only be applied to our basket once. If we try to apply the coupon a second time, the Response section shows the following:

HTTP/2 302 Found
Location: /cart?couponError=COUPON_ALREADY_APPLIED&coupon=PROMO20
X-Frame-Options: SAMEORIGIN
Content-Length: 22

Coupon already applied
Back in Burp Proxy's "HTTP history", we look for the GET /cart request and send it to Repeater as well (right-click, "Send to Repeater").

In Repeater we send the GET /cart request twice: first with the session Cookie header, then without it.

With the cookie, everything looks normal and the product is in the basket. Without the cookie, the basket is empty.

We can conclude that the basket state is stored server-side in our session and that every basket operation is keyed to our session ID or user ID. More importantly for this lab, the coupon handler is a check-then-act sequence: the server first reads whether the coupon is already applied and only afterwards writes the record that it has been used. Between that read and that write there is a race window, and a second request that passes the read before the first request's write has landed will also be accepted. A single request sent on its own cannot hit that window, so the next two steps first measure the normal behaviour and then try to collide several requests inside it.
Benchmark the behavior
We first make sure that no voucher code is left in our basket by clicking "Remove" next to the coupon in the basket.

Now we switch to Repeater and select the POST /cart/coupon request. We create a new tab group by clicking the "+" next to our request tabs.

A menu will open where we select the option "Create tab group".

In the window that appears we enter the group name "RC-1" and tick the tab containing the POST /cart/coupon request, in this example the tab labelled "2". We close the window with "Create". Further information on tab groups can be found in the Burp Suite documentation.

Now we right-click a request in the group we have just created and choose "Duplicate tab" from the menu.

In the next dialog we enter the number of copies, "19" for this exercise, and click "Duplicate". The new tabs are added to our "RC-1" group automatically.

Our tab group now contains 20 identical POST /cart/coupon requests.

First we send the group one request after another, each over a separate connection, to establish a baseline. To do this, we click the down arrow to the right of the "Send" button.

In the menu we select the option "Send group in sequence (separate connections)".

The "Send" button should now look like this:

If you run into problems, the Burp Suite documentation describes the available send modes. We start by clicking "Send group (separate connections)". The first response confirms that the coupon was applied; every other response rejects it with "Coupon already applied". That is the expected behaviour: sent one at a time, each request arrives after the previous request's write has completed. The following screenshot shows the response to the first request:

All other responses contain "Coupon already applied". As an example, here is the second request together with its response:

Probe for clues
We switch back to the browser and remove the coupon from the basket again.

After removing the coupon, we return to Repeater and switch the send mode from "Send group in sequence (separate connections)" to "Send group in parallel (single-packet attack)". In this mode Burp withholds a small final fragment of every request and releases all of them in a single TCP packet, so the 20 requests reach the server at practically the same moment and network jitter no longer decides which one wins.


Our button should now look like this:

If you have questions about parallel sending, consult the Burp Suite documentation. We start the attack by clicking "Send group (parallel)". Looking at the responses, several of them now contain "Coupon applied", which means the voucher was applied to the basket more than once. We can confirm this in the browser:

As you can see, the discount on our order is $0.74, which is well over 20% of the price of this product. If you get a different result or no result at all, remove the voucher from your basket and try again; the race does not win on every attempt.
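To make the race window concrete, here is an added Python simulation; it is not part of this walkthrough or of the lab's server code. It models the coupon handler as an in-memory cart and reproduces both experiments above: sending the 20 requests one after another, and releasing them all at once the way the single-packet attack does. The item price, the discount model (each application subtracts 20% of the list price) and the sleep that stands in for the database round-trip are all assumptions made for the demonstration. A second handler that keeps read and write in one critical section shows the fix.

```python
import threading
import time


class Cart:
    """In-memory model of the lab's per-session basket (constructed example)."""

    def __init__(self, item_price_cents, discount_pct=20, db_latency=0.05):
        self.item_price_cents = item_price_cents
        self.discount_pct = discount_pct   # assumed: each application takes 20% of list price
        self.db_latency = db_latency       # assumed: simulated database round-trip
        self.coupons_applied = 0
        self._lock = threading.Lock()

    def apply_coupon_vulnerable(self, code):
        """Check-then-act with no atomicity: the 'already applied?' read and the
        write that records the use are separate steps, leaving a race window."""
        if code != "PROMO20":
            return "Invalid coupon"
        if self.coupons_applied > 0:        # read
            return "Coupon already applied"
        time.sleep(self.db_latency)         # window between read and write
        with self._lock:                    # the write itself is atomic (like one UPDATE)
            self.coupons_applied += 1       # but it is not tied to the read above
        return "Coupon applied"

    def apply_coupon_fixed(self, code):
        """Same logic, but read and write happen inside one critical section,
        so a second request always observes the first request's write."""
        if code != "PROMO20":
            return "Invalid coupon"
        with self._lock:
            if self.coupons_applied > 0:
                return "Coupon already applied"
            time.sleep(self.db_latency)
            self.coupons_applied += 1
            return "Coupon applied"

    def total_cents(self):
        discount = self.item_price_cents * self.discount_pct * self.coupons_applied // 100
        return max(self.item_price_cents - discount, 0)


def send_in_sequence(handler, n=20):
    """'Send group in sequence': each request completes before the next starts."""
    responses = [handler("PROMO20") for _ in range(n)]
    return responses.count("Coupon applied"), responses.count("Coupon already applied")


def send_in_parallel(handler, n=20):
    """'Send group in parallel': a barrier releases all n requests at once,
    standing in for the single-packet attack's simultaneous arrival."""
    responses = []
    start = threading.Barrier(n)
    out = threading.Lock()

    def worker():
        start.wait()
        r = handler("PROMO20")
        with out:
            responses.append(r)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return responses.count("Coupon applied"), responses.count("Coupon already applied")


if __name__ == "__main__":
    for name in ("apply_coupon_vulnerable", "apply_coupon_fixed"):
        for mode in (send_in_sequence, send_in_parallel):
            cart = Cart(item_price_cents=133700)   # assumed price for the demo
            applied, rejected = mode(getattr(cart, name))
            print(f"{name:24s} {mode.__name__:17s} applied={applied:2d} "
                  f"rejected={rejected:2d} total=${cart.total_cents() / 100:.2f}")
```

Run stand-alone, the vulnerable handler accepts exactly one coupon when the requests arrive in sequence but accepts many when they are released together, exactly the pattern seen in Repeater; the locked handler accepts one in both modes. The lock is the simplest fix for a single process; a real shop would get the same guarantee from a database constraint or an atomic conditional update on the coupon row, since the lab's state lives in a database, not in one process.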
Prove the concept
Now we want to buy the "Lightweight 'l33t' Leather Jacket". We switch to the browser, remove the cheap product from the basket (and the voucher, if it is still applied), then add the jacket to the basket.


Back in Repeater we run the attack again with "Send group (parallel)". Several responses again contain "Coupon applied", so the voucher has been stacked on the jacket. Refreshing the basket in the browser shows how many times it was applied and the resulting discount.

We click "Place order"; the order goes through at the stacked discount and the lab is solved.
