Second Order Race Condition

Hi everyone, I found this bug on a public program on h1 some time back.

The website has a registration process in which you have to fill in your phone number to be able to register.

After providing the phone number, email, username and other details, you have to verify the phone number by entering a 6-digit OTP code for the registration to succeed.

After entering the 6-digit OTP and passing the captcha check, I hit register and intercepted this request.

So I just intercepted this POST register request in Burp and then started playing with the request's parameters.

So what I tried is basically using this single “OTP verified & captcha verified” request to register multiple accounts with just different usernames.

I sent this POST request to Turbo Intruder and then just manipulated the parameters with the injection points as:

username: abc123%s, email: abc123%s@gmail[dot]com

Then I used Turbo Intruder's default script, with the injection points customised according to the number of parameters.

Then I just attacked with this request.

Then in the status code column of Turbo Intruder, I got 3 requests with “302”, which basically means I had created 3 different accounts using a single OTP verification and a single captcha verification.
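What makes the replay work is that the server treats the OTP and captcha checks as a flag it re-reads on every register request instead of a one-shot credential it consumes, so the same verified request body goes through as many times as you vary the username. The script below is an added example, not code from the original post or from the target program: it models that backend with an in-memory token store (all names, the phone number and the handler functions are constructed assumptions), fires the same register request concurrently with the `abc123%s` style username/email substitution that Turbo Intruder did, and counts the 302 responses. The vulnerable handler hands out one account per replay; the hardened handler consumes the verification token under a lock, so exactly one of the concurrent replays gets a 302.

```python
"""Replay of one OTP/captcha-verified register request against a toy backend.
Vulnerable handler: re-checks the verification token but never consumes it.
Hardened handler: atomic check-and-consume, one verification = one account.
All stores, names and sample values are constructed for this example."""
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor


class VerificationStore:
    """Stand-in for the server-side record that the OTP (and captcha) check
    passed for a phone number (assumed design, not the real program's)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._tokens = {}  # token -> {"phone": str, "used": bool}

    def issue(self, phone):
        # Issued once the 6-digit OTP and the captcha have been verified.
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._tokens[token] = {"phone": phone, "used": False}
        return token

    def is_valid(self, token, phone):
        # Vulnerable pattern: read-only check, the token stays valid forever.
        with self._lock:
            rec = self._tokens.get(token)
            return rec is not None and rec["phone"] == phone

    def consume(self, token, phone):
        # Hardened pattern: check and mark-used under one lock, so two
        # concurrent replays can never both observe "unused".
        with self._lock:
            rec = self._tokens.get(token)
            if rec is None or rec["phone"] != phone or rec["used"]:
                return False
            rec["used"] = True
            return True


class AccountStore:
    def __init__(self):
        self._lock = threading.Lock()
        self.by_username = {}

    def create(self, username, email, phone):
        with self._lock:
            if username in self.by_username:
                return False
            self.by_username[username] = {"email": email, "phone": phone}
            return True


def register_vulnerable(verif, accounts, form):
    """Observed behaviour: 302 on success, any number of times per token."""
    if not verif.is_valid(form["otp_token"], form["phone"]):
        return 403
    if not accounts.create(form["username"], form["email"], form["phone"]):
        return 409
    return 302


def register_hardened(verif, accounts, form):
    """One verification buys exactly one registration."""
    if not verif.consume(form["otp_token"], form["phone"]):
        return 403
    if not accounts.create(form["username"], form["email"], form["phone"]):
        return 409
    return 302


def replay(handler, verif, accounts, token, phone, count, workers=8):
    """Fire `count` copies of the register request concurrently, varying only
    username and email the way the %s injection points did, and return how
    many came back 302 (account created)."""
    def one(i):
        return handler(verif, accounts, {
            "username": f"abc123{i}",
            "email": f"abc123{i}@gmail.com",
            "phone": phone,
            "otp_token": token,
        })

    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = list(pool.map(one, range(count)))
    return statuses.count(302)


def demo(count=5):
    phone = "+15555550123"  # constructed sample value
    results = {}
    for name, handler in (("vulnerable", register_vulnerable),
                          ("hardened", register_hardened)):
        verif, accounts = VerificationStore(), AccountStore()
        token = verif.issue(phone)  # a single OTP + captcha verification
        results[name] = replay(handler, verif, accounts, token, phone, count)
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 5, 'hardened': 1}
```

Run it as-is and the vulnerable handler reports one 302 per replay while the hardened one reports a single 302. In a real backend the `consume` step and the account insert should sit in the same database transaction (or the token should be released again on a 409) so that a username collision does not burn the user's only verification; the toy store here keeps them separate only to keep the two patterns side by side.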


25th Nov 2019: Submitted the report

25th Nov 2019: Triaged, marked as High

28th Nov 2019: $1,000 bounty


