Limit overrun

Limit overrun race conditions are a type of race condition in web applications in which an attacker exploits the timing of requests to exceed a restriction the application is meant to enforce. The vulnerability arises when several requests are processed concurrently and each one passes a check before any of them has updated the state that check depends on, so the limit is bypassed or the application state is changed in unintended ways.

A simple example:

  • A vulnerable webapp uses coupons that can be applied once to a cart before checkout.

  • There is a small time delay between when the coupon is checked for validity and when it becomes invalid (is marked as used).

  • An attacker could exploit this by sending multiple requests at the same time, so that all of them pass the validity check before the coupon becomes invalid.
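The coupon example above, as an added illustration that is not part of the original page: a check-then-act redemption with a window between the check and the write, beside the hardened form in which the check and the state change are one atomic step. The coupon store, the `SAVE20` code and the sleep standing in for the "small time delay" are constructed for the demonstration.

```python
import threading
import time

# Constructed stand-in for the web app's coupon table: code -> already used?
LOCK = threading.Lock()

def redeem_vulnerable(store, code, delay=0.05):
    # Check-then-act: the validity check and the "mark used" write are separate
    # steps, and the delay between them (the page's "small time delay",
    # simulated with sleep) is the window every concurrent request slips through.
    if store.get(code) is not False:
        return False
    time.sleep(delay)             # pricing, fraud checks, other work
    store[code] = True
    return True

def redeem_hardened(store, code, delay=0.05):
    # Check and write happen as one atomic step, so at most one request wins.
    # Against a database the equivalent is a conditional write, e.g.
    # UPDATE coupons SET used=1 WHERE code=? AND used=0, accepted only if
    # exactly one row was affected.
    with LOCK:
        if store.get(code) is not False:
            return False
        store[code] = True
    time.sleep(delay)             # remaining checkout work, now safe
    return True

def concurrent_redeem(redeem, n_requests=10):
    # Release n requests against one fresh coupon at the same instant and
    # return how many the redeem function accepted.
    store = {"SAVE20": False}
    barrier = threading.Barrier(n_requests)
    results = []

    def worker():
        barrier.wait()            # all requests start together
        results.append(redeem(store, "SAVE20"))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

if __name__ == "__main__":
    print("vulnerable:", concurrent_redeem(redeem_vulnerable), "accepted")
    print("hardened:  ", concurrent_redeem(redeem_hardened), "accepted")
```

Running it shows the vulnerable path accepting the same single-use coupon many times while the hardened path accepts it exactly once; the same atomic check-and-update pattern applies to the balance and rating limits listed below.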

Typical targets might include:

  • Redeeming coupons multiple times

  • Transferring funds in excess of the account balance

  • Rating a product multiple times

Other learning resources:

Writeups:

Checklist:

Last updated