Vivek PS

Published On: 29 May 2020

Race condition in registering for the event seats/ attendance

Other
Facebook | Web
---
LOW INFORMATIVE
Description

When creating a public event on a page, there is an option to limit the number of spaces available. In the normal scenario the number of registrations will not exceed this limit, but an attacker can exploit a race condition in the registration request and take any number of spots they wish.

Impact

This would allow an attacker to register for more than the allotted seats/spots, which can cause capacity problems: the event creator may have reserved items or resources for conducting the event based on the expected number of attendees.


Reproduction Steps

Step 1

Users: User A is the page creator; Users B, C and D are the attacker's profiles.

Environment: A page P with an event E created inside it. The event's admission spot count is set to 1, so the event creator expects only one member to be able to register for the event.

Step 2

The attacker, who controls the three profiles B, C and D, navigates to the event E of page P.

Step 3

There is a register button for the attacker to register for the event. In the normal case only one person can register, as per the settings chosen by the event creator.

Step 4

The attacker sends the register requests from accounts B, C and D, which are opened in different browsers, with intercept turned on in Burp Suite.

Step 5

All the requests are captured by the Burp Suite intercept. The attacker then turns intercept off, which sends the three requests simultaneously and results in bypassing the spot count, which is limited to one.

NOTE: Configure Burp Suite to only capture the registration requests, which in this case have the endpoint /ajax/event/confirmed_going/submit/?event_id=[EventID].
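The steps above work because the server checks the spot count in one step and records the registration in another, so simultaneous requests all pass the check. The following added example (not code from the original report or from Facebook) models that check-then-act flaw and its fix with threads; `Event`, `register_racy`, `register_atomic` and `concurrent_registrations` are constructed names for illustration.

```python
import threading
import time


class Event:
    """Event with a capped number of admission spots (constructed model)."""

    def __init__(self, spots):
        self.spots = spots
        self.attendees = []
        self._lock = threading.Lock()

    def register_racy(self, user, window=lambda: None):
        # Vulnerable pattern: the limit check and the spot claim are separate
        # steps, so requests that arrive together all see a free spot.
        if len(self.attendees) >= self.spots:
            return False
        window()  # the gap between check and act that parallel requests land in
        self.attendees.append(user)
        return True

    def register_atomic(self, user, window=lambda: None):
        # Fixed pattern: check and claim run in one critical section, so the
        # count a request checked cannot change before its spot is recorded.
        with self._lock:
            if len(self.attendees) >= self.spots:
                return False
            window()
            self.attendees.append(user)
            return True


def concurrent_registrations(method, spots, users):
    """Send one registration per user from parallel threads and return how
    many attendees the event ends up with. For the racy handler a Barrier
    holds every thread between its check and its claim, which is the worst
    case that simultaneous requests (as in the report) can reach."""
    event = Event(spots)
    if method == "racy":
        register, window = event.register_racy, threading.Barrier(len(users)).wait
    else:
        register, window = event.register_atomic, lambda: time.sleep(0.001)
    threads = [threading.Thread(target=register, args=(u, window)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(event.attendees)


if __name__ == "__main__":
    print("racy:  ", concurrent_registrations("racy", 1, ["B", "C", "D"]))    # 3
    print("atomic:", concurrent_registrations("atomic", 1, ["B", "C", "D"]))  # 1
```

In a real backend the equivalent of the lock is performing the check and the claim in one atomic database operation (a single conditional update, or a transaction that locks the event row) rather than reading the count in one query and inserting the registration in another.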

Timeline
Vivek 08 May 2020

Initial report

Facebook 12 May 2020

Closed as informative. Hi Vivek, We've discussed this issue with the team and it was decided that this will not qualify for our program. The ability to fill up slots i ...

INFORMATIVE