AppSecExplained
Last updated 1 year ago

Limit overrun

Limit overrun race conditions are a type of race condition in web applications in which an attacker exploits the timing of requests to exceed a limit the application intends to enforce. The vulnerability arises when several requests are processed concurrently, so that each one passes a check before any of them has updated the state that the check relies on; the result is a bypassed limit or an unintended change to application state.

A simple example:

  • A vulnerable web app uses coupons that can be applied to a cart once before checkout.

  • There is a small time window between the moment the coupon is checked for validity and the moment it is marked as used (invalid).

  • An attacker could exploit this by sending multiple requests at the same time, so that each of them is deemed valid before the coupon becomes invalid.

Typical targets might include:

  • Redeeming coupons multiple times

  • Transferring funds in excess of the account balance

  • Rating a product multiple times
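To make the timing mechanism concrete, here is an added example in Python (not code from AppSecExplained): a simulated coupon store whose vulnerable path checks validity and only marks the coupon used after a delay, beside a fixed path that performs the check and the update under one lock, with twenty concurrent requests fired at each. `CouponStore`, `RACE_WINDOW` and the coupon code `SAVE10` are assumptions made for the demonstration.

```python
import threading
import time

# Simulated gap between validity check and state update (the page's "small time delay").
RACE_WINDOW = 0.1

class CouponStore:
    # Constructed in-memory coupon table (code -> redeemed flag); an assumption, not the page's app.
    def __init__(self, codes):
        self.redeemed = {c: False for c in codes}
        self.lock = threading.Lock()

    def redeem_vulnerable(self, code):
        """Check-then-act with no atomicity: every request inside the window passes the check."""
        if self.redeemed.get(code) is not False:  # unknown or already-used coupon
            return False
        time.sleep(RACE_WINDOW)                    # coupon is still valid during this gap
        self.redeemed[code] = True                 # only now does it become invalid
        return True

    def redeem_fixed(self, code):
        """Check and update as one atomic step, so at most one request can succeed."""
        with self.lock:
            if self.redeemed.get(code) is not False:
                return False
            self.redeemed[code] = True             # state changes before any slow work
        time.sleep(RACE_WINDOW)                    # slow work happens outside the critical section
        return True

def fire_concurrently(func, code, n):
    """Launch n redemption attempts at once (a barrier aligns their start) and count successes."""
    barrier = threading.Barrier(n)
    results = []  # list.append is atomic under the GIL, so no extra lock is needed here

    def worker():
        barrier.wait()
        results.append(func(code))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

def demo(n=20):
    # Fresh store per run so the two paths are compared on identical starting state.
    vulnerable = fire_concurrently(CouponStore(["SAVE10"]).redeem_vulnerable, "SAVE10", n)
    fixed = fire_concurrently(CouponStore(["SAVE10"]).redeem_fixed, "SAVE10", n)
    return vulnerable, fixed
```

In a database-backed application the equivalent of the lock is a single conditional statement such as `UPDATE coupons SET used = 1 WHERE code = ? AND used = 0` (treating the redemption as successful only when exactly one row was affected), or a uniqueness constraint on the redemption record.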

Other learning resources:

PortSwigger's Web Security Academy: https://portswigger.net/web-security/race-conditions

Writeups:

https://hackerone.com/reports/759247

Checklist:

  • Using the same voucher multiple times within the race window.