
€300 just by bug race condition

Jun 11, 2025


Disclaimer: This article is purely for educational purposes. All bugs have been reported through responsible disclosure.

Hello bug hunters! It’s been a long time since I last wrote; lately I’ve been busy like most young people, hahaha. This time I want to tell you about one of the interesting bugs that I managed to find on one of the famous online platforms. This bug involves a race condition that allows free users to bypass the premium workspace limit. Let’s discuss it together!

What happened?

In short, there is a weakness in the workspace creation validation system: the limit check is done after the data has been entered into the database. This creates a time gap that can be exploited by sending multiple requests simultaneously. The result? Free users can have more workspaces than they should.

Background Story

So the story is I was just having fun exploring the workspace features on this platform. This platform has a freemium business model — free users are limited to a maximum of 5 workspaces, while premium users can have unlimited.

At first I was just curious, “How does their system handle this validation limit?” Turns out… something was odd 🤔

Technical Deep Dive 🛠️

Root Cause Analysis

The problem lies in an improper validation flow:

1. User sends a request to create a workspace
2. ❌ The data goes directly to the database first
3. ❌ Then it is checked whether the user has exceeded the limit
4. ❌ If it exceeds, it will throw an error (but the data has already been entered!)

The flow should be:

1. User sends a request to create a workspace
2. ✅ Check first whether the user has exceeded the limit
3. ✅ If not, then enter the data into the database
4. ✅ Return success response

The Attack Vector

Using Burp Suite, I can send multiple requests in parallel at the same time. This takes advantage of the time window between database insertion and validation check.

Step-by-Step Exploitation 🎯

Setup:

1. Log in with a free account that already has 5 workspaces (maximum limit)
2. Navigate to the workspace creation page
3. Intercept requests with Burp Suite

The Magic Happens Here:

1. Capture POST requests to the workspace creation endpoint
2. Send to Repeater and duplicate to 12 tabs
3. Group all tabs and set “Send group in parallel”
4. Fire all requests simultaneously with last-byte synchronization

Result:

  • All responses show “403 Forbidden” with the message “User doesn’t have premium subscription”
  • BUT when checking in the UI, it turns out the workspace counter has increased to 17! 🎉
  • And I can use the workspace without having to buy the freemium package

Why This Works? 🤯

Race conditions occur because:

1. Database Transaction Speed: Insert operations are faster than validation checks

2. Concurrent Processing: Multiple requests are processed simultaneously before validation logic is triggered

3. Validation Timing: Checks are performed after data commitment, not before

A simple analogy: It’s like a queue to enter a concert. Tickets should be checked before entering, but this system checks tickets after people have already sat down. If many people enter together, the ticket checker is overwhelmed and some people can get through without valid tickets.
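The two flows from the root cause analysis, written out as an added example (it is not the platform's code; the SQLite schema and all function names are assumptions made for illustration). Reordering alone still leaves a gap between the check and the insert, so the hardened handler does both inside one write transaction:

```python
import os, sqlite3, tempfile, threading

FREE_LIMIT = 5  # free-tier limit stated in the article

def connect(path):  # autocommit; transactions are opened explicitly
    return sqlite3.connect(path, timeout=30, isolation_level=None)

def create_vulnerable(path, user):
    """Flow described above: insert first, check afterwards, no rollback."""
    db = connect(path)
    try:
        db.execute("INSERT INTO workspaces(user_id) VALUES (?)", (user,))
        n = db.execute("SELECT COUNT(*) FROM workspaces WHERE user_id=?", (user,)).fetchone()[0]
        return 403 if n > FREE_LIMIT else 201  # error returned, row already stored
    finally:
        db.close()

def create_hardened(path, user):
    """Check and insert inside one write transaction so requests serialize."""
    db = connect(path)
    try:
        db.execute("BEGIN IMMEDIATE")  # take the write lock before counting
        n = db.execute("SELECT COUNT(*) FROM workspaces WHERE user_id=?", (user,)).fetchone()[0]
        if n >= FREE_LIMIT:
            db.execute("ROLLBACK")
            return 403
        db.execute("INSERT INTO workspaces(user_id) VALUES (?)", (user,))
        db.execute("COMMIT")
        return 201
    finally:
        db.close()

def simulate(handler, parallel=12):
    """Constructed scenario: a user already at the limit, `parallel` requests at once."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "workspaces.db")
        db = connect(path)
        db.execute("CREATE TABLE workspaces(id INTEGER PRIMARY KEY, user_id TEXT)")
        db.executemany("INSERT INTO workspaces(user_id) VALUES (?)", [("free",)] * FREE_LIMIT)
        statuses = []
        threads = [threading.Thread(target=lambda: statuses.append(handler(path, "free")))
                   for _ in range(parallel)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        total = db.execute("SELECT COUNT(*) FROM workspaces").fetchone()[0]
        db.close()
    return sorted(set(statuses)), total
```

`simulate(create_vulnerable)` returns `([403], 17)`, the same all-403 responses and counter of 17 reported above, while `simulate(create_hardened)` returns `([403], 5)`.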

Final Thoughts 💭

Race conditions may sound technical and complex, but they are all about timing and sequence. With the right tools and a curious mindset, vulnerabilities like these can be found.

you can learn it here:

Don’t forget to always follow my write-ups and I will continue to share my findings based on my real personal experience.

Keep hunting, stay ethical, and don’t forget to always make responsible disclosure! 🚀

Happy hunting, and may the bugs be with you! 🐛
