In the name of God, the Most Gracious, the Most Merciful

Welcome back everyone! I am Omar Islam, known as Zodiac0x. I'm excited to share how I found a Race Condition in the like function. So let's dive in!

Identifying the Issue

While digging into the application, I tried many different things like Privilege Escalation, Broken Authentication, and SQL Injection, but none of them worked. Then, once I saw the Like Function, I quickly decided to test for a race condition.

Steps to Reproduce

  1. Upload a photo and wait for the upload to finish.
  2. Turn on intercept and click the like button.
  3. After capturing the like request, send it to the repeater and duplicate the request 20 or 30 times.
  4. Then, send them all as a single-packet attack.

and BOOOM!!!
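
Why identical requests sent together can each register a like, and how a uniqueness rule in the database stops it, shown as an added example that is not from the original post or the target application. The SQLite tables, handler names, and user/photo ids are assumptions, and the barrier stands in for the requests arriving at the same moment.

```python
import os, sqlite3, tempfile, threading

SCHEMA = """
CREATE TABLE likes_weak   (user_id INTEGER, photo_id INTEGER);
CREATE TABLE likes_strong (user_id INTEGER, photo_id INTEGER,
                           PRIMARY KEY (user_id, photo_id));
"""

def like_vulnerable(db, user, photo, window):
    # Check-then-act: the "already liked?" read and the write are separate steps.
    seen = db.execute("SELECT 1 FROM likes_weak WHERE user_id=? AND photo_id=?",
                      (user, photo)).fetchone()
    window.wait()  # every request has passed the check before any of them writes
    if seen is None:
        db.execute("INSERT INTO likes_weak VALUES (?, ?)", (user, photo))

def like_hardened(db, user, photo, window):
    window.wait()  # same simultaneous arrival as above
    # The database enforces one row per (user, photo); duplicates are dropped.
    db.execute("INSERT OR IGNORE INTO likes_strong VALUES (?, ?)", (user, photo))

def replay(handler, table, requests=20):
    """Run `requests` identical likes from one user at once; return rows stored."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    admin = sqlite3.connect(path)
    try:
        admin.executescript(SCHEMA)
        window = threading.Barrier(requests)
        def worker():
            db = sqlite3.connect(path, timeout=30, isolation_level=None)
            try:
                handler(db, 1, 42, window)  # constructed user id and photo id
            finally:
                db.close()
        threads = [threading.Thread(target=worker) for _ in range(requests)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        # `table` is one of the two constant names above, never user input.
        return admin.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    finally:
        admin.close()
        os.remove(path)

if __name__ == "__main__":
    print(replay(like_vulnerable, "likes_weak"), replay(like_hardened, "likes_strong"))
```

The same constraint also makes a like counter safe to derive with `COUNT(*)` instead of incrementing a separate column on every request.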


Impact

This was a high-severity vulnerability because the application focused on creating images and videos and on rating those images and videos.

Unfortunately, it was closed as a duplicate, which means someone else had also found it.


Lesson Learned

Focus on vulnerabilities that could impact the company's business.