There are three challenges, all of them vulnerable to race conditions. You can try to exploit the race condition weaknesses with tools such as Raceocat.
RACE_WINDOW is 50 ms.
For this testing environment an artificially enlarged race window may be required, because this application was created with a small sample data set. By increasing the RACE_WINDOW value you can simulate a slow web server or an underperforming database and increase your chances. You can change or disable it by adding ?race_window=0 (in microseconds) as a parameter.
You can withdraw only enough money that your bank account does not go negative. Your bank account cannot overspend.
View bank account balance of accountID 1
View bank account balance of accountID 2
Action: Withdraw 500€ from accountID 1
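The withdrawal check above is a check-then-act sequence (SELECT the balance, decide, UPDATE) and several concurrent requests can all pass the check before any debit is written. The following is an added example, not code from this challenge app: it uses Python and SQLite in place of PHP and MariaDB, a threading barrier in place of RACE_WINDOW so the race is reproducible, and constructed table and column names (account, accountID, balance). It runs the racy form beside a hardened form whose balance check lives in the UPDATE's WHERE clause; the same pattern (one atomic conditional write, or SELECT ... FOR UPDATE inside a transaction) is the fix for the like and login-limit challenges as well.

```python
import os, sqlite3, tempfile, threading
from concurrent.futures import ThreadPoolExecutor

# Constructed sample data: one account holding 600, hit by two concurrent 500 withdrawals.
START_BALANCE = 600
AMOUNT = 500
SELECT_BALANCE = "SELECT balance FROM account WHERE accountID = 1"

def make_db():
    """Throwaway on-disk SQLite database so several threads (requests) can share it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit, one statement per call
    conn.execute("CREATE TABLE account (accountID INTEGER PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO account VALUES (1, ?)", (START_BALANCE,))
    conn.close()
    return path

def withdraw_racy(path, barrier):
    """Check-then-act as in the challenge: SELECT the balance, then UPDATE it."""
    conn = sqlite3.connect(path, isolation_level=None)
    (balance,) = conn.execute(SELECT_BALANCE).fetchone()
    barrier.wait()  # stands in for RACE_WINDOW: every request has read the old balance
    ok = balance >= AMOUNT
    if ok:
        conn.execute("UPDATE account SET balance = balance - ? WHERE accountID = 1", (AMOUNT,))
    conn.close()
    return ok  # True = the application believed this withdrawal was allowed

def withdraw_atomic(path, barrier):
    """Hardened: the balance check is the UPDATE's WHERE clause, so the database
    applies check and debit as one serialised statement; rowcount reports success."""
    conn = sqlite3.connect(path, isolation_level=None)
    barrier.wait()
    cur = conn.execute("UPDATE account SET balance = balance - ? "
                       "WHERE accountID = 1 AND balance >= ?", (AMOUNT, AMOUNT))
    conn.close()
    return cur.rowcount == 1

def run(handler, requests=2):
    """Fire `requests` concurrent withdrawals; return (final balance, accepted count)."""
    path, barrier = make_db(), threading.Barrier(requests)
    with ThreadPoolExecutor(max_workers=requests) as pool:
        accepted = list(pool.map(lambda _: handler(path, barrier), range(requests)))
    conn = sqlite3.connect(path)
    (balance,) = conn.execute(SELECT_BALANCE).fetchone()
    conn.close()
    os.remove(path)
    return balance, sum(accepted)
```

`run(withdraw_racy)` returns (-400, 2): both requests were accepted and the account is overdrawn, while `run(withdraw_atomic)` returns (100, 1), so only one debit was applied no matter how many requests arrive inside the window.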
You are only allowed to like a postingID once, similar to a Facebook post or a Twitter feed.
View all the likes of postingID 1
Action: Like postingID 1 with userID 5
To slow down brute-force attacks you are only allowed to log in 5 times per 5 minutes.
View login log for [email protected]
Action: Try to log in using 0022 as 2FA code
Action: Try to log in using 0012 as 2FA code
PHP version: 8.3.28
MySQL version: 10.6.22-MariaDB-0ubuntu0.22.04.1
Executed SQL queries:
#1 - 0.7 ms - "SELECT *
FROM logins
WHERE email = '[email protected]'
AND UNIX_TIMESTAMP(`timestamp`) >= UNIX_TIMESTAMP()-300"
#2 - 0.4 ms - "SELECT userID
FROM user
WHERE email = '[email protected]'
AND code = 12 LIMIT 0,1"
#3 - 0.7 ms - "INSERT INTO logins (email, code, success) VALUES ('[email protected]', '12', '0')"
#4 - 0.6 ms - "SELECT *
FROM logins
WHERE email = '[email protected]'
AND UNIX_TIMESTAMP(timestamp) >= UNIX_TIMESTAMP()-300
ORDER BY timestamp DESC
LIMIT 0,20"