Labs Covered
This write-up focuses on the following APPRENTICE-level lab from the PortSwigger Web Security Academy:
1. Limit overrun race conditions
This lab demonstrates how attackers can exploit a race condition to exceed server-imposed limits by sending multiple simultaneous requests before the limit is properly enforced.
LAB 1 - Limit overrun race conditions
Lab Description
Race Conditions Overview
A race condition is a flaw that produces an unexpected result when the timing of actions impacts other actions. This typically occurs in multithreaded applications where operations act concurrently on shared data.
Race conditions are difficult to test for due to their timing-dependent nature. The critical period during which a collision may occur is called the race window — often lasting just milliseconds.
⚠️ Note: The Race Conditions lab requires Burp Suite 2023.9 or a later version.
Exploiting Race Conditions
Limit Overrun Race Conditions
The most common race condition allows users to exceed application-imposed limits, such as single-use promo codes or transaction limits.
For example, an online store might perform the following steps when applying a discount code:
- Check if the code has already been used.
- Apply the discount.
- Mark the code as used in the database.
If you later attempt to reuse this code, the check performed at the start of the process should prevent you from doing so.
Now consider what would happen if a user who has never applied this discount code before tried to apply it twice at almost exactly the same time. Both requests can pass the "already used" check before either one marks the code as used, so the discount is applied twice.
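The check-apply-mark sequence above, as an added Python example that is not part of the lab or of this write-up: a constructed in-memory coupon store, a handler that checks and marks in separate steps (with a barrier that parks every request inside the race window so the overrun reproduces deterministically), and a hardened handler whose check-and-mark is one atomic operation, the equivalent of an UPDATE ... WHERE used = 0 whose affected-row count decides the outcome.

```python
import threading

DISCOUNT_PCT = 20

class CouponStore:
    """Constructed stand-in for the coupons table: code -> used flag."""
    def __init__(self, code):
        self.used = {code: False}
        self.lock = threading.Lock()

    def is_used(self, code):            # step 1: check
        return self.used[code]

    def mark_used(self, code):          # step 3: mark
        self.used[code] = True

    def claim(self, code):
        # Check and mark as one atomic step. SQL equivalent:
        #   UPDATE coupons SET used = 1 WHERE code = ? AND used = 0
        # with rowcount == 0 treated as "already used".
        with self.lock:
            if self.used[code]:
                return False
            self.used[code] = True
            return True

def apply_coupon_vulnerable(store, code, window):
    """Check, apply, mark as three steps; returns the discount granted."""
    if store.is_used(code):
        return 0
    window.wait()   # constructed: parks every request inside the race window
    granted = DISCOUNT_PCT              # step 2: apply
    store.mark_used(code)
    return granted

def apply_coupon_fixed(store, code, window=None):
    """Claim atomically first; only the winning request gets the discount."""
    return DISCOUNT_PCT if store.claim(code) else 0

def race(handler, n=30):
    """Fire n concurrent requests (a parallel group of n Repeater tabs)."""
    store, results = CouponStore("PROMO20"), []
    window = threading.Barrier(n, timeout=5)
    threads = [threading.Thread(target=lambda: results.append(handler(store, "PROMO20", window)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)   # total discount the cart ends up with
```

With 30 concurrent requests the vulnerable handler grants 600% in total, the atomic version 20%.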
Exploiting Race Conditions Using Burp Repeater
Steps:
- Identify a single-use or rate-limited endpoint with useful functionality (e.g., discounts, reward redemptions, password resets).
- Send multiple concurrent requests to the endpoint as close in time as possible to attempt to exploit the race window.
Challenges:
The main challenge is timing. You must hit the race window precisely — a tiny overlap in milliseconds is enough.
Even perfectly-timed requests may be processed in unpredictable order due to factors like:
- Server load
- Network jitter
- Request queuing
Burp Suite 2023.9+: Parallel Requests
With Burp Suite 2023.9, Repeater now supports sending multiple requests in parallel, reducing the impact of timing inconsistencies.
Features:
- Parallel request groups: Fire off a batch of requests at once.
- Single-packet attacks: Send 20–30 requests in a single TCP packet to neutralize network jitter.
These features significantly improve your ability to detect and exploit race conditions, including advanced multi-step logic flaws.
Solution:
Lab Solution: Exploiting Race Condition for Coupon Discount
1. Log in to the application using the provided credentials: wiener:peter.
2. View promo code: after logging in, the page displays a promo code for a discount.
3. Add item to cart: add an umbrella to the cart.
4. Apply coupon: apply the coupon to receive a 20% discount.
5. Test coupon restriction: attempt to apply the coupon a second time; this results in an error indicating the coupon can only be used once.
6. Send coupon request to Repeater: intercept the coupon application request and send it to Burp Suite Repeater for analysis.
7. Apply race condition: remove the coupon from the cart to reset its state for the race condition exploit.
8. Exploit using Burp Intruder (Method 1):
   - Send the coupon request to Burp Intruder.
   - Configure Intruder to use null payloads (e.g., 30 payloads) to repeat the coupon request multiple times concurrently.
   - Run the attack; multiple requests apply the coupon before the server marks it as used.
   - Refresh the cart page to confirm the discount exceeds 20%.
9. Exploit using parallel requests (Method 2):
   - Add a leather jacket to the cart.
   - Apply the coupon to the leather jacket and intercept the request.
   - Remove the coupon to reset its state.
   - Send the request to Repeater and create a tab group.
   - Duplicate the coupon request 50 times in Repeater (shortcut: Ctrl+R).
   - Send the tab group requests in parallel.
   - Refresh the cart page to confirm the discount is greater than 20%.
10. Place order: with the increased discount applied, place the order for the leather jacket.
11. Lab completion: the lab is solved once the leather jacket is successfully purchased with the discount.