Second Order Race Condition

Hi everyone, I found this bug on a public program on H1 some time back.

The website has a registration process in which you have to fill in your phone number to be able to register.

After providing the phone number, email, username and other details, you have to verify the phone number by entering a 6-digit OTP code for successful verification.

After providing the 6-digit OTP and passing the captcha, you hit register; I intercepted this request.

So I just intercepted this POST Register request in Burp and then started playing with the request's parameters.

What I tried is basically using this single "OTP verified & captcha verified" request to register multiple accounts with just different usernames.

I sent this POST request to Turbo Intruder and then manipulated the parameters, with the injection points set as:

username: abc123%s, email: abc123%s@gmail[dot]com

Then I used Turbo Intruder's default race.py script, with the injection points customised according to the number of parameters.

Then I just launched the attack on this request.

In Turbo Intruder's status code column, I got 3 requests returning "302", which basically means I created 3 different accounts using a single OTP verification and a single captcha verification.
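To show the bug class behind this finding, here is an added Python simulation (not the report's or the program's code): a registration handler that checks the verified-OTP token and marks it used in two separate steps, beside one that consumes it atomically. The in-memory store, the token value, the phone number and the method names are constructed assumptions; the lock stands in for a database transaction or a single atomic UPDATE that flips the token to "used".

```python
import threading
import time

# Added example, not the report's or the program's code; store, token and phone are constructed.
class RegistrationService:
    def __init__(self):
        self.verified_tokens = {"tok-123": "+15550001111"}  # token issued after OTP + captcha -> phone
        self.accounts = {}             # username -> phone
        self._lock = threading.Lock()  # stands in for a DB transaction / atomic UPDATE

    def register_racy(self, token, username):
        # Vulnerable: check and consume are separate steps, so concurrent requests
        # carrying the same token all pass the check before any marks it used.
        phone = self.verified_tokens.get(token)   # check
        if phone is None:
            return False
        time.sleep(0.05)                          # DB round-trips happen here
        self.accounts[username] = phone           # use
        self.verified_tokens.pop(token, None)     # consume, too late
        return True

    def register_atomic(self, token, username):
        # Hardened: consuming the single-use token is one atomic step, so exactly
        # one request wins and the rest see the token as already spent.
        with self._lock:
            phone = self.verified_tokens.pop(token, None)
        if phone is None:
            return False
        self.accounts[username] = phone
        return True


def race(handler_name, n=10):
    """Fire n concurrent register requests with one token; return how many succeed."""
    svc = RegistrationService()
    results = []
    start = threading.Barrier(n)  # release all workers at the same instant

    def worker(i):
        start.wait()
        results.append(getattr(svc, handler_name)("tok-123", f"abc123{i}"))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

Running `race("register_racy")` returns more than one successful registration from a single verified token, while `race("register_atomic")` always returns exactly one; the same property holds for a real backend when the "verified" flag is consumed in one atomic write rather than read first and cleared later.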

Timeline

25th Nov 2019: Submitted the report

25th Nov 2019: Triaged, marked as High

28th Nov 2019: $1,000 bounty