Access the room: https://tryhackme.com/room/race-conditions-aoc2025-d7f0g3h6j9
The Best Festival Company (TBFC) has launched its limited-edition SleighToy, with only ten pieces available at midnight. Within seconds, thousands rushed to buy one, but something strange happened. More than ten lucky customers received confirmation emails stating that their orders were successful. Confusion spread fast. How could everyone have bought the “last” toy? McSkidy was called in to investigate.
She quickly noticed that multiple buyers purchased at the exact moment, slipping through the system’s timing flaw. Sir Carrotbane’s mischievous Bandit Bunnies had found a way to exploit this chaos, flooding the checkout with rapid clicks. By morning, TBFC faced angry shoppers, missing stock, and a mystery that revealed just how dangerous a few milliseconds could be during the holiday rush.
Learning Objectives
- Understand what race conditions are and how they can affect web applications.
- Learn how to identify and exploit race conditions in web requests.
- Understand how concurrent requests can manipulate stock or transaction values.
- Explore simple mitigation techniques to prevent race condition vulnerabilities.
What is a Race Condition?
A race condition occurs when two or more actions happen at the same time, and the system’s outcome depends on the order in which they finish. In web applications, this often happens when multiple users or automated requests simultaneously access or modify shared resources, such as inventory or account balances. Without proper synchronization, this can lead to unexpected results, such as duplicate transactions, oversold items, or unauthorized data changes.
Types of Race Conditions
- Time-of-Check to Time-of-Use (TOCTOU): A TOCTOU race condition happens when a program checks something first and uses it later, but the data changes in between. For example, two users buy the same “last item” at the same time because the stock was checked before it was updated.
- Shared Resource: This occurs when multiple users or systems try to change the same data simultaneously without proper control. Both updates happen together, and the final result depends on which one finishes last, creating confusion.
- Atomicity Violation: An atomic operation should happen all at once, either fully done or not at all. When parts of a process run separately, another request can sneak in between and cause inconsistent results.
Practical Steps and Analysis
Initial Setup
Start the target machine and the AttackBox as instructed to access the lab environment.

Step 1: Environment Setup
Configure Firefox: Set up Firefox to route traffic through Burp Suite. Click the FoxyProxy icon and select the Burp profile.

Launch Burp Suite: Start Burp Suite and configure it to intercept and forward requests. Ensure “Intercept” is turned off in the Proxy tab to allow requests to pass through normally.

Here we will use the Proxy and Repeater options to exploit the race condition.

Step 2: Making a Legitimate Request
Login: Open Firefox and visit the webapp at http://MACHINE_IP.

Enter the credentials:
username: attacker
password: attacker@123

Add to Cart: Click “Add to Cart” for the “SleighToy Limited Edition”.

Checkout: Proceed to the checkout page and click “Confirm & Pay” to complete the purchase. You should see a success message confirming the order.


Here we don’t have to enter anything; just confirm and pay.

Click “View orders”.

On the orders page, we can see the original order along with the order ID that was generated for it.
Step 3: Exploiting the Race Condition
Capturing the Request: In Burp Suite, navigate to the Proxy tab and find the POST request to the /process_checkout endpoint.

Right-click the request and select “Send to Repeater” to copy it into the Repeater tool.

Create a Tab Group: In the Repeater tab, create a tab group named “cart”.
Right-click the request tab, choose “Add tab to group,” then select “Create tab group” and name it “cart”.


Duplicate the Request: Right-click the request tab and select “Duplicate tab”. Create 15 copies of the request (choose a number of requests that exceeds the product’s current stock).


Send Requests in Parallel: Select “Send group in parallel (last-byte sync)” to maximize the timing overlap and trigger the race condition.


Observe the Results: Visit the web app and observe multiple confirmed orders and the SleighToy stock reduced (possibly going negative).

We successfully triggered the race condition to place multiple orders even when there was no stock, causing the stock count to go negative.

Hurray, we got our first flag! THM{WINNER_OF_R@CE007}
Mitigation
The attacker logged in and made a normal purchase of the limited SleighToy. Using Burp Suite, he captured the checkout request and sent it multiple times in parallel. Because the app didn’t handle simultaneous checkouts correctly, every request passed the stock check before any of them had updated the stock. This allowed the attacker to buy more toys than were available, pushing the stock into negative values. Here are a few mitigation measures to avoid the vulnerability:
- Use atomic database transactions so stock deduction and order creation execute as a single, consistent operation.
- Perform a final stock validation right before committing the transaction to prevent overselling.
- Implement idempotency keys for checkout requests to ensure duplicates aren’t processed multiple times.
- Apply rate limiting or concurrency controls to block rapid, repeated checkout attempts from the same user or session.
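The TOCTOU pattern described under “Types of Race Conditions” and the first two mitigations above, as an added Python example that is not the room’s code: a checkout that reads the stock and then deducts it in a separate statement, beside one that validates and deducts in a single conditional UPDATE committed together with the order, both hit by fifteen simultaneous buyers against a constructed SQLite shop. The product name, stock count and buyer count are assumptions modelled on the story; the barrier plays the role of Burp’s last-byte sync.

```python
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

PRODUCT = "SleighToy Limited Edition"
STOCK = 10   # constructed: ten units, as in the room's story
BUYERS = 15  # constructed: more simultaneous checkouts than units in stock

def checkout_vulnerable(con, sync):
    """TOCTOU: the stock check and the deduction are separate statements."""
    stock = con.execute("SELECT stock FROM products WHERE name = ?", (PRODUCT,)).fetchall()[0][0]
    if stock <= 0:
        return False
    sync.wait()  # like last-byte sync: every buyer passed the check before anyone deducts
    con.execute("UPDATE products SET stock = stock - 1 WHERE name = ?", (PRODUCT,))
    con.execute("INSERT INTO orders (product) VALUES (?)", (PRODUCT,))
    return True

def checkout_atomic(con, sync):
    """Validate and deduct in one conditional UPDATE, committed together with the order."""
    sync.wait()
    con.execute("BEGIN IMMEDIATE")  # take the write lock before touching stock
    cur = con.execute("UPDATE products SET stock = stock - 1 WHERE name = ? AND stock > 0", (PRODUCT,))
    if cur.rowcount == 0:  # sold out: no deduction, no order
        con.execute("ROLLBACK")
        return False
    con.execute("INSERT INTO orders (product) VALUES (?)", (PRODUCT,))
    con.execute("COMMIT")
    return True

def run(checkout):  # fire BUYERS checkouts at once; return (final stock, orders placed)
    path = tempfile.mkdtemp() + "/shop.db"  # throwaway SQLite shop with one product
    with sqlite3.connect(path) as con:  # commits on exit
        con.executescript("CREATE TABLE products (name TEXT PRIMARY KEY, stock INTEGER);"
                          "CREATE TABLE orders (id INTEGER PRIMARY KEY, product TEXT);")
        con.execute("INSERT INTO products VALUES (?, ?)", (PRODUCT, STOCK))
    sync = threading.Barrier(BUYERS, timeout=10)

    def buyer(_):  # one connection per buyer, autocommit mode, 10 s busy timeout
        with sqlite3.connect(path, timeout=10, isolation_level=None) as con:
            return checkout(con, sync)

    with ThreadPoolExecutor(max_workers=BUYERS) as pool:
        list(pool.map(buyer, range(BUYERS)))  # re-raises any exception from a buyer
    with sqlite3.connect(path) as con:
        stock = con.execute("SELECT stock FROM products").fetchall()[0][0]
        orders = con.execute("SELECT COUNT(*) FROM orders").fetchall()[0][0]
    return stock, orders
```

`run(checkout_vulnerable)` returns `(-5, 15)`: all fifteen buyers pass the check and the stock goes negative, exactly as in the lab. `run(checkout_atomic)` returns `(0, 10)`: the WHERE clause is the final validation at commit time, so the five late buyers get no order and the stock stops at zero.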
Step 4: Exploiting the Race Condition for “Bunny Plush”
Follow the same steps to exploit the race condition for the Bunny Plush (Blue) and identify the flag value.

Close the previous tab group in Repeater.

Create a new tab group for the new /process_checkout request and name it “Cart”.


Now duplicate the tab 10 times.

Select “Send group in parallel (last-byte sync)” to maximize the timing overlap and trigger the race condition.

Visit the web app and observe multiple confirmed orders.


We successfully triggered the race condition to place multiple orders for the Bunny Plush, and we got our last flag!
THM{WINNER_OF_Bunny_R@ce}
Answers to the THM Lab
What is the flag value once the stocks are negative for SleighToy Limited Edition?
THM{WINNER_OF_R@CE007}
Repeat the same steps as were done for ordering the SleighToy Limited Edition. What is the flag value once the stocks are negative for Bunny Plush (Blue)?
THM{WINNER_OF_Bunny_R@ce}