Exploiting Race Condition using Turbo Intruder

Exploiting race conditions using Turbo Intruder is a critical technique in web application security. A race condition occurs when multiple threads or processes access shared resources concurrently, leading to unpredictable outcomes. In this blog, we demonstrate how to exploit this vulnerability using the Turbo Intruder extension in Burp Suite.

Table of Contents

  • Key features
  • Testing on a vulnerable application
  • Application’s intended behaviour
  • Application’s unintended behaviour
  • About the vulnerability
  • Conclusion

Key features

The following are the key features of a race condition:

  • Concurrent Access: Race conditions occur when multiple processes or threads access shared resources simultaneously in a web application. These shared resources could include database records, files, or variables stored in memory, among other crucial components.
  • Unpredictable Behaviour: Because of the asynchronous and parallel nature of web applications, the timing and sequence of concurrent operations can differ. As a result, this can lead to unpredictable behavior, where the outcome of an operation is affected by factors such as request timing, system load, or network latency.

Testing on a vulnerable application

To demonstrate the race condition, we will use a vulnerable application. We first perform the intended application logic without any concurrent requests, and then try to perform the unintended action using multiple concurrent requests. The vulnerable application can be downloaded from here: https://github.com/projectdiscovery/php-app-race-condition

Application’s intended behaviour

The application’s intended logic is that the user can withdraw money from the account, and the remaining balance is then shown to the user. Initially, the total amount is $10,000.

As per the application logic, if a user withdraws $10 eighty times, the amount left in the account should be $10,000 – ($10*80) = $9200.

This process can also be seen through the outcome of Burp Intruder by setting the concurrent requests to 1 and withdrawing the amount 80 times.

Application’s unintended behaviour

The application’s unintended behaviour becomes evident after users send multiple concurrent requests using the Turbo Intruder extension. You can install the Turbo Intruder extension inside Burp Suite from the BApp Store.

Once you install the extension, you can forward the target request to the Turbo Intruder extension.

Inside Turbo Intruder, we use the race-single-packet-attack.py default script; however, we modify the configuration according to our needs. We perform the same action of withdrawing $10 eighty times, but this time we set the concurrent requests to 15 and configure the engine as Engine.BURP.

After configuration is complete, click on Attack to start the attack. Observe that after 80 requests the amount left in the account is $9600, which is more than the expected amount.

About the vulnerability

At first glance, it might seem unexpected that a web application developed in PHP, a language without native multi-threading support, could be vulnerable to race condition attacks. Nevertheless, these attacks can indeed occur. The exploit is feasible because web servers like Apache handle multiple requests concurrently. If two requests arrive almost simultaneously, the server may execute them in parallel on a multi-core CPU or interleave them using the operating system’s CPU time-sharing mechanism. Consequently, instead of the expected $9980 balance after processing both requests, the balance changes to $9990. This discrepancy arises because the server processes the second request while the first one is still underway, so both requests read the same starting balance and each writes back that value minus $10. Although both withdrawals succeed and together withdraw $20, the system subtracts only $10 from the balance.
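The lost update described above, reproduced deterministically next to a locked version of the same handler. This is an added example, not code from the vulnerable application: the `Account` class, the handler names and the barrier that forces both requests to read before either writes are assumptions made for illustration.

```python
import threading

class Account:
    """In-memory stand-in for the stored balance (constructed for this example)."""
    def __init__(self, balance):
        self.balance = balance
        self.paid_out = []              # one entry per successful withdrawal
        self.lock = threading.Lock()

def withdraw_racy(acct, amount, arrived):
    current = acct.balance              # 1. read the balance
    arrived.wait()                      # every request has read before any writes
    acct.balance = current - amount     # 2. write back a value based on a stale read
    acct.paid_out.append(amount)

def withdraw_locked(acct, amount, arrived):
    arrived.wait()                      # requests still arrive together
    with acct.lock:                     # read and write form one critical section
        acct.balance -= amount
        acct.paid_out.append(amount)

def run(handler, requests=2, amount=10, start=10_000):
    """Fire `requests` simultaneous withdrawals; return (final balance, total paid out)."""
    acct = Account(start)
    arrived = threading.Barrier(requests)   # forces the worst-case interleaving
    workers = [threading.Thread(target=handler, args=(acct, amount, arrived))
               for _ in range(requests)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return acct.balance, sum(acct.paid_out)

if __name__ == "__main__":
    print("racy  :", run(withdraw_racy))
    print("locked:", run(withdraw_locked))
    print("locked, 15 at once:", run(withdraw_locked, requests=15))
```

In a database-backed application the equivalent of the lock is a row lock or a single atomic update statement, so that the read and the write cannot be separated by another request.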

Conclusion

In conclusion, race conditions pose a significant risk to the security and reliability of web applications. Hence, comprehensive testing and robust coding practices are imperative for effectively mitigating these vulnerabilities. The above scenario was shown with the concurrent requests set to 1 in Burp Intruder, since the application is small and has limited functionality. In real-life testing, exploiting race conditions using Turbo Intruder can prove to be a very valuable approach, as the extension provides flexibility in configuring and launching race condition attacks effectively.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant.