Limit Overrun Race Conditions in Web App Penetration Testing | 2023

The most well-known type of race condition enables you to exceed some kind of limit imposed by the business logic of the application | Karthikeyan Nagaraj

Limit overrun race conditions

The most well-known type of race condition enables you to exceed some kind of limit imposed by the business logic of the application.

For example, consider an online store that lets you enter a promotional code during checkout to get a one-time discount on your order. To apply this discount, the application may perform the following high-level steps:

1. Check that you haven’t already used this code.
2. Apply the discount to the order total.
3. Update the record in the database to reflect the fact that you’ve now used this code.

If you later attempt to reuse this code, the initial checks performed at the start of the process should prevent you from doing this: