Qualifier Web security (El Banco Amarillo) - CyberHackathon'23

The web security challenge was vulnerable to a race condition. The following was the given website. The following were the user details with IDs and funds. The /dump path has a comment, which reveals the source code. The following part of the code was vulnerable to a race condition. A race window exists in the if condition. We can send multiple requests in parallel, which will bypass the if condition before the deduction of funds....

September 9, 2023 · 3 min · 0xt0pus

Qualifier Network Security (Warmy) - CyberHackathon'23

A pcap file was given for analysis. The pcap file was opened in Wireshark. I applied the http filter to show only HTTP requests. There was a zip file that was retrieved over HTTP. There was nothing interesting in this zip file. I moved on, and I found that many requests were being made to the /f_data/data endpoint. All the requests received a 403 Forbidden response except the last one, which received a 200 OK response....

September 7, 2023 · 2 min · 0xt0pus