Lab: Single endpoint race conditions
Predict a potential collision
After starting the exercise, the shop should look like the screenshot. We click on the ‘My account’ link at the top right.

In the login window we enter our user name wiener and the password peter and click on the ‘Log In’ button.

In our account we now try to change our email address. To do this, we enter a new address in the ‘Email:’ field of the form, here:
hacker1@exploit-0a5600b00428f10380b852da01410025.exploit-server.net
After entering the new email address, we submit the form by clicking on ‘Update email’.

We now receive the message ‘Please click on the link in your email to confirm the change of email: hacker1@exploit-0a5600b00428f10380b852da01410025.exploit-server.net’.

To be able to click on the link, we need to switch to our email client. To do this, we click on the ‘Email client’ button at the top.

Our mailbox now contains the e-mail about our change of address. If we click on the ‘View raw’ link on the far right, we can view the content of the email.

Now we can examine the content of the mail more closely. We notice that there is a unique token in line 7.
Sent: 2025-03-15 07:07:03 +0000
From: no-reply@0a5c004604e4f1ea803953ed00a70001.web-security-academy.net
To: hacker1@exploit-0a5600b00428f10380b852da01410025.exploit-server.net
Subject: Please confirm your e-mail
<p>To confirm your email change to hacker1@exploit-0a5600b00428f10380b852da01410025.exploit-server.net, click the link below</p>
<a href="https://0a5c004604e4f1ea803953ed00a70001.web-security-academy.net/confirm-email?user=wiener&token=BKnqcpIIl52v4P1H">
Click here to confirm.
</a>
We now return to our mailbox and click on the link ‘Click here to confirm’ to confirm the change of address.

We receive the message ‘Your email has been successfully updated’ and see in ‘My Account’ that our new email address has been entered.

We now change our e-mail address twice more to study the behaviour of the address change more closely. The first new address is:
hacker2@exploit-0a5600b00428f10380b852da01410025.exploit-server.net
Fill in the form and send it off.

The change has been sent successfully.

The second address is:
hacker3@exploit-0a5600b00428f10380b852da01410025.exploit-server.net
Fill in the form and send it off.

The change has been sent successfully.
Now we switch to our mail client and take a closer look at the confirmation emails we have received.

As we can see, we have received the two confirmation emails in our mailbox.

Now we click on the ‘Click here to confirm’ link in the second email from the top, the one addressed to hacker2. We receive the message ‘This link is invalid’, which means that this activation link is no longer valid and can no longer be used. From this we can conclude that the website stores only one outstanding email address at a time: submitting a new email address overwrites this entry in the database rather than adding to it, so collisions may occur. We then click on the confirmation link in the first (topmost) email, the one addressed to hacker3, and afterwards on the ‘My account’ link, where we see our new email address hacker3@exploit-0a5600b00428f10380b852da01410025.exploit-server.net.

Benchmark the behavior
We now switch to the Burp Proxy and open the ‘HTTP history’ tab. In the ‘HTTP history’ we search for a POST request to the endpoint /my-account/change-email.

We now send this request to the Burp Repeater. To do this, we right-click on the request and select the option ‘Send to repeater’ from the context menu that appears.

Now we switch to the Burp Repeater and create a tab group there. To do this, we click on the plus sign next to the tab and select the option ‘Create tab group’.

A window appears in which we enter a name for the tab group, here ‘RC-4’ is used as the name. The first and only tab is selected in the second section. We then click on the ‘Create’ button.

Now we right-click on the tab in our tab group and select the ‘Duplicate tab’ option.

In the window, we specify how many times we want to duplicate the tab. We enter ‘19’ there, so that the group contains 20 tabs in total.

If you need more information about creating tab groups, you can find it in the Burp Suite documentation.
The tab group should now look like this.

Now we need to adjust the email address in all tabs. We use the name test followed by a number starting at 1. The first email address therefore looks like this:
test1@exploit-<YOUR-EXPLOIT-SERVER-ID>.exploit-server.net
The second e-mail address would then be:
test2@exploit-<YOUR-EXPLOIT-SERVER-ID>.exploit-server.net
The last e-mail address would then be:
test20@exploit-<YOUR-EXPLOIT-SERVER-ID>.exploit-server.net

We now configure the Burp Repeater so that we send the requests in the ‘RC-4’ tab group to the application one after the other via separate connections. To do this, we click on the down arrow next to the ‘Send’ button.

There we select the option ‘Send group in sequence (separate connections)’.

The ‘Send’ button should now look like this:

We now send the tab group by clicking on the ‘Send group (separate connections)’ button and switch to our e-mail client.
If you need more information about sending requests via separate connections, you can find it in the Burp Suite documentation.

In the e-mail client, we can see that we have received a confirmation e-mail for each new e-mail address.
Probe for clues
Now we switch back to Burp Repeater and change the way the requests are to be sent to parallel sending. Further information on parallel sending can be found in the Burp Suite documentation.

We now send the tab group with the option ‘Send group in parallel (single-packet attack)’. After sending, we switch to our email client and analyse the received confirmation emails. We notice that there are differences between the recipients of the mails and the tokens sent. For example, the user test4 receives the token of the user test1.

Consider what this tells us about the server side. The request triggers a task that ultimately sends an email to the specified address; to render the email template, that task reads the pending address and token back from the database rather than using the values it was given. There is therefore a time window between storing the pending change and rendering the email. If a parallel request changes the pending email address stored in the database during this window, the email is rendered with the other request's data, so confirmation links end up being delivered to the wrong address.
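The window described above, and the ‘This link is invalid’ behaviour seen earlier (only one pending change per user), modelled as an added Python example that is not part of the original write-up or PortSwigger's lab code: a vulnerable handler that re-reads the single pending record to render the mail, the hardened form that renders the mail from the request's own values, and a confirm handler that rejects stale links. The in-memory database, the addresses and the Barrier used to force both writes before either re-read are constructed assumptions.

```python
import secrets
import threading

# Constructed in-memory stand-ins for the lab's database and mail server.
pending_changes = {}                             # user -> {"email": ..., "token": ...}, one per user
accounts = {"wiener": "wiener@normal-user.net"}  # constructed current address
outbox = []                                      # each mail: {"to", "body_email", "token"}


def change_email_vulnerable(user, new_email, window=None):
    """Stores the pending change, then re-reads the database to render the mail.

    If another request overwrites pending_changes[user] inside the window, the
    rendered body (address and token) belongs to that other request while the
    To: header still belongs to this one: the mismatch observed in the lab.
    """
    token = secrets.token_urlsafe(12)            # 16-character token, like the lab's
    pending_changes[user] = {"email": new_email, "token": token}
    if window is not None:
        window.wait()                            # simulated delay before the template is rendered
    record = pending_changes[user]               # re-read: may now hold another request's data
    outbox.append({"to": new_email, "body_email": record["email"], "token": record["token"]})


def change_email_hardened(user, new_email, window=None):
    """Same one-pending-record storage, but the mail is rendered from this
    request's own values, so nothing another request writes can leak into it."""
    token = secrets.token_urlsafe(12)
    pending_changes[user] = {"email": new_email, "token": token}
    if window is not None:
        window.wait()
    outbox.append({"to": new_email, "body_email": new_email, "token": token})


def confirm_email(user, email, token):
    """Confirmation-link handler: succeeds only if both the token and the address
    match the single pending record. Returns the committed address, or None
    (the lab's 'This link is invalid') for a link from an overwritten change."""
    record = pending_changes.get(user)
    if record is None:
        return None
    if not secrets.compare_digest(record["token"], token) or record["email"] != email:
        return None
    accounts[user] = email
    del pending_changes[user]
    return email


def race(handler, user, emails):
    """Runs one change request per address so that every write lands before any
    handler re-reads (the Barrier stands in for the lab's parallel timing).
    Returns the mails whose body names a different address than their To: header."""
    pending_changes.clear()
    outbox.clear()
    window = threading.Barrier(len(emails))
    threads = [threading.Thread(target=handler, args=(user, e, window)) for e in emails]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [m for m in outbox if m["to"] != m["body_email"]]


def confirm_from_outbox(user):
    """Clicks every link currently in the outbox, as the lab does, and returns
    the addresses that were actually committed to the account."""
    results = [confirm_email(user, m["body_email"], m["token"]) for m in list(outbox)]
    return [r for r in results if r is not None]


if __name__ == "__main__":
    # constructed sample addresses; the victim address is the one used in the lab
    victim, other = "carlos@ginandjuice.shop", "anything@exploit-server.example"
    print("vulnerable: mismatched mails =", race(change_email_vulnerable, "wiener", [other, victim]))
    print("hardened:   mismatched mails =", race(change_email_hardened, "wiener", [other, victim]))
```

With the vulnerable handler, exactly one of the two mails is delivered to an inbox while carrying the other request's address and token, and clicking that link commits the other address; with the hardened handler no mail is mismatched, and the link for the overwritten change is simply rejected. The fix is to render from the values the handler already holds and to bind the token to the address it was issued for, not merely to make the write faster.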
Prove the concept
We now switch to the Burp Repeater and remove all but two tabs from the group.

In the first request we change the email address to:
anything@exploit-<YOUR-EXPLOIT-SERVER-ID>.exploit-server.net

In the second request we change the email address to:
carlos@ginandjuice.shop

We now send these requests in parallel by clicking on the ‘Send group in parallel (single-packet attack)’ button. We then switch to our e-mail client and check the received confirmation e-mail. If the body of the mail contains the address anything@exploit-<YOUR-EXPLOIT-SERVER-ID>.exploit-server.net, we switch back to the Burp Repeater and run the attack again.

If the address carlos@ginandjuice.shop is present in the body of the mail, we click on the ‘Click here to confirm’ link.

We then receive the message ‘Your email has been successfully updated’ and switch to our account by clicking on the ‘My account’ link. We have successfully changed the email address to carlos@ginandjuice.shop and now have access to the ‘Admin panel’. We click on this link.

The aim of this exercise is to delete the user carlos. We now do this by clicking on the ‘Delete’ link next to the user name carlos.

The exercise was successfully completed.
