Weakness: Race condition
- While testing one of the application, they have functionality to create team and invite user’s to team .
- they have free limit of inviting 5 user’s to team.If you want to invite more user’s , they will ask you to upgrade you’r plan to pro.
- Request while adding member to our team.
POST /account/work/team/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept-Encoding: gzip, deflate, br
- Sending the Request to Burp Intruder By Adding Email List to emails= Parameter.
- Setting Minimum Thread Speed(10–15) and Start Attack.
- Increasing Threading to ~10 will send 10 request’s at the same time. this will generate a type confusion which bypassed their team limit.