Vulnerable Web App

There are three challenges, each vulnerable to a race condition. You can try to exploit them with tools such as Raceocat.

RACE_WINDOW is 50 ms.
In this test environment an artificial race window may be required, because the application only works on a small sample data set and therefore answers too quickly for the natural window between check and update to be hit reliably. Increasing RACE_WINDOW simulates a slow web server or a slow database and improves your chances. You can change or disable the window by adding ?race_window=0 as a URL parameter (the value is given in microseconds; 0 disables it).

Challenge 1: Bank account withdraw

You can withdraw only as much money as keeps the account out of the negative; the account must never be overdrawn.

View bank account balance of accountID 1
View bank account balance of accountID 2
Action: Withdraw 500€ from accountID 1

Challenge 2: Multiple poll votes

You are allowed to like a postingID only once, similar to a Facebook post or a tweet.

View all the likes of postingID 1
Action: Like postingID 1 with userID 5

Challenge 3: Brute force 2FA code

To slow down brute-force attacks, you may attempt to log in only 5 times per 5 minutes.

View login log for [email protected]
Action: Try to login using 0022 as 2FA code
Action: Try to login using 0012 as 2FA code
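
All three challenges share one shape: the server reads some state (the balance, whether the user already liked the post, the number of recent logins), decides, and only then writes, and RACE_WINDOW widens the gap between the read and the write. The script below is an added example, not code from the challenge site or from Raceocat. It models Challenge 1 in-process so it runs offline: the Account class, the starting balance of 1000, the 10-request burst and the in-memory lock are assumptions, since the real challenge keeps the balance in MariaDB behind a PHP endpoint. The burst() helper is the part you would point at the real Action URL: every thread is parked on a barrier before any of them fires, so all requests land inside the same race window.

```python
"""Check-then-act race on a bank withdraw, modelled in-process.

Added example for the challenge page, not the site's own code. Account,
the starting balance and the burst size are assumptions; the 50 ms window
mirrors the site's default RACE_WINDOW.
"""
import threading
import time

RACE_WINDOW_S = 0.050  # assumption: same as the site's default RACE_WINDOW (50 ms)


class Account:
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_vulnerable(self, amount: int) -> bool:
        """Read the balance, wait, then debit it: two separate steps.

        Every request that reads the balance before any other request has
        written it back passes the check, so N concurrent requests can each
        take `amount` although only balance // amount of them should."""
        if self.balance < amount:      # CHECK
            return False
        time.sleep(RACE_WINDOW_S)      # the race window (slow server / slow DB)
        self.balance -= amount         # ACT, using the stale read above
        return True

    def withdraw_safe(self, amount: int) -> bool:
        """Check and debit under one lock so they cannot interleave.

        The database equivalent is one conditional statement, e.g.
        UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
        followed by checking the affected-row count, or SELECT ... FOR UPDATE
        inside a transaction. A unique (postingID, userID) constraint plays the
        same role for Challenge 2, an atomic counter increment for Challenge 3."""
        with self._lock:
            if self.balance < amount:
                return False
            time.sleep(RACE_WINDOW_S)
            self.balance -= amount
            return True


def burst(action, attempts: int) -> int:
    """Run `action` `attempts` times as simultaneously as Python threads allow.

    All threads are created and blocked on the barrier first; only when the
    last one arrives are they released together. Returns how many succeeded."""
    barrier = threading.Barrier(attempts)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()
        ok = action()
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def run(vulnerable: bool, balance: int = 1000, amount: int = 500, attempts: int = 10):
    """Return (successful_withdrawals, final_balance) for one burst."""
    acct = Account(balance)
    action = acct.withdraw_vulnerable if vulnerable else acct.withdraw_safe
    wins = burst(lambda: action(amount), attempts)
    return wins, acct.balance


if __name__ == "__main__":
    wins, final = run(vulnerable=True)
    print(f"vulnerable: {wins} withdrawals of 500 succeeded, balance now {final}")
    wins, final = run(vulnerable=False)
    print(f"safe:       {wins} withdrawals of 500 succeeded, balance now {final}")
```

With a 1000 balance only two 500 withdrawals should ever succeed. In the vulnerable run all ten threads read 1000 before anyone writes, so the account ends deeply negative; in the safe run exactly two succeed and the rest are refused. Against the real challenge, replace the action with an HTTP request to the Action URL and keep the barrier; if the hits do not fall inside the window, raise ?race_window to stretch it.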

Debug info

PHP version: 8.3.17
MySql version: 10.6.18-MariaDB-0ubuntu0.22.04.1

Processed in: 1.9 ms