Thank you so much sir💝, that "Group send request" in Repeater is new for me. And I gave it a try on my target with the same methodology & you know what....it works👯♀👯♀.
The normal behaviour of the application is "Only 1 person can hold the permission of Owner at a time", but with your trick I was able to bypass this and reported it. Hope this finding will become my first bounty-achieving report🙌🏼.
@@anshcybersec1953 I am really glad to hear it! Keep it up
Sir, report accepted and got my first bounty thanks to your video 🤗🙌 I'm so happy. Thank you so much sir🤗❤️
As I'm a beginner in bug bounty, you have explained this excellent!
@@BibleOSINT Really happy that you liked it
@BePracticalTech would you recommend me, as a beginner in bounty, to look for those vulnerabilities?
@@BibleOSINT Definitely!
@@BePracticalTech Thank you! ❤️
I really like the way you teach. Thank you so much, keep up the good work
@@Muby_Ajiwa Thank you for the humble words!
Huge respect to you, for the practical knowledge
I have been watching you for a long time, and you are really a great teacher
Glad to hear that!
Thank you bro, love your way of explaining, BePractical : )
@@xitzhacks Glad you liked it!
what is the impact of creating multiple dashboards and how does it affect organizations and why will they pay a $**** digit bounty for this ??
In this example, the local users were only supposed to create 3 dashboards, and if they wanted to create more dashboards they either needed to get a premium account or log in as an admin user. However, we were able to bypass this restriction and create more than 3 dashboards, so it is an access control issue.
Now in the real world, if an attacker is able to access a premium feature without needing to get the subscription, it will be a financial loss for the organization. Hope you understand!
@@BePracticalTech You can also test under "Current user limit: 5/5" to do a bypass with this current application: 6/5
Nice explanation! 👊🏽
I am really glad you liked it!
awesome! Really well-explained as well!!
Thank you kindly!
Thanks Faiyaz this great explanation !!!
Glad you liked it!
thank you so much sir for giving us this useful video
I am really glad that you found this video helpful!
Brilliant!!!!!!!!!!! Thank you for sharing your great knowledge!!!!!!!
Glad you enjoyed it!
Great explanation!
Thank you!
Love from Nepal ❤❤
@@Unknown_feed Love from 🇮🇳
Amazing ❤
Excellent...Thanks for sharing
@@shivakumarmv4249 I am really glad you liked it!
Awesome Video😀Understood clearly
Glad it helped
Thanks ❤
Glad you liked it!
Thanks for giving us this type of really good challenge
My pleasure 😊
Thank you for the video I tried to enter the page to try the method, but it gives an error message. Error code 522 Connection timed out
@@i_am_your_king Try again please
Really sir, this was the best video till now on race conditions, please share your LinkedIn with me❤
I am really glad you liked it! Here's my linkedin: www.linkedin.com/in/faiyaz-ahmad-64457520b/
Thanks bro 🙂❤️
You're welcome!
what is the impact of this vulnerability ?
Thanks
No worries! Glad you liked it
How are you? Nice video :) good research and explanation, bro
Thanks a lot :)
Keep it up 🎉
Always
Can you provide the Burp Pro version?
I have tried to add a tab group by pressing right click, nothing happened; tried in both the Community version and Burp Pro 1.7
Bro, but what will be the mitigation for this issue 😮
To fix this issue, we need to focus on handling concurrent requests as well, instead of handling everything synchronously
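The race described in the reply above about impact (a local user capped at 3 dashboards creating more by firing parallel requests) and the mitigation reply just above, shown as an added example. This is not the lab's code or the video author's: the in-memory store, the user name `alice`, the limit constant and the function names `createDashboardVulnerable`, `createDashboardFixed` and `raceCreate` are all assumptions made for the illustration. The vulnerable handler reads the count and inserts in two separate async steps; the fixed handler does both in one indivisible step.

```javascript
// Added example, not code from the lab or the video author.
// The in-memory "database", the user name and all function names are assumptions.
const DASHBOARD_LIMIT = 3; // local users may own at most 3 dashboards

// Constructed in-memory store: userId -> array of dashboards.
function makeDb() {
  return { dashboards: new Map() };
}

// Simulated database round-trip. setImmediate yields to the event loop the
// way a real async query does, so other in-flight requests get to run.
function dbQuery(db, fn) {
  return new Promise((resolve) => setImmediate(() => resolve(fn(db))));
}

// VULNERABLE: the count and the insert are two separate async queries. While
// one request waits for its count, the other parallel requests also read the
// count, every one of them sees a value below the limit, and every one inserts.
async function createDashboardVulnerable(db, userId, name) {
  const count = await dbQuery(db, (d) => (d.dashboards.get(userId) || []).length);
  if (count >= DASHBOARD_LIMIT) {
    return { ok: false, reason: 'limit reached' };
  }
  await dbQuery(db, (d) => {
    const list = d.dashboards.get(userId) || [];
    list.push({ name });
    d.dashboards.set(userId, list);
  });
  return { ok: true, name };
}

// FIXED: the check and the insert happen in one indivisible step, so nothing
// else can run between them. In a real application this is a single atomic
// conditional insert, or a transaction that locks the user's row before counting.
async function createDashboardFixed(db, userId, name) {
  return dbQuery(db, (d) => {
    const list = d.dashboards.get(userId) || [];
    if (list.length >= DASHBOARD_LIMIT) {
      return { ok: false, reason: 'limit reached' };
    }
    list.push({ name });
    d.dashboards.set(userId, list);
    return { ok: true, name };
  });
}

// Fire n create requests for the same user at once, which is what Repeater's
// "send group in parallel" does against the real server. Returns how many
// requests were accepted and how many dashboards actually ended up stored.
async function raceCreate(handler, n) {
  const db = makeDb();
  const results = await Promise.all(
    Array.from({ length: n }, (_, i) => handler(db, 'alice', `dashboard-${i}`))
  );
  return {
    accepted: results.filter((r) => r.ok).length,
    stored: (db.dashboards.get('alice') || []).length,
  };
}

// Stand-alone demo: 10 parallel requests against each version of the handler.
raceCreate(createDashboardVulnerable, 10).then((r) =>
  console.log('vulnerable: accepted', r.accepted, 'stored', r.stored)
);
raceCreate(createDashboardFixed, 10).then((r) =>
  console.log('fixed:      accepted', r.accepted, 'stored', r.stored)
);
```

With 10 requests in flight the vulnerable handler stores all 10 dashboards for a user whose limit is 3, because each request's count query runs before any of the inserts; the fixed handler stores exactly 3. In a real Node/Express app the equivalent of the fixed handler is to let the database enforce the limit atomically (a single conditional `INSERT`, or `SELECT ... FOR UPDATE` on the user's row inside a transaction) rather than counting in application code and inserting afterwards. To reproduce the bug against a live target, put several copies of the create request in a Burp Repeater tab group and send the group in parallel, then compare the number of stored items against the limit the UI displays (the "6/5" observation earlier in the thread is exactly this check).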
amazing
Glad you liked it!
Did you discover this from Advent of Cyber 2024? Cause just few days ago solved a challenge for the same vulnerability.
@@AvinavGupta-l8w Not really. I've found this exact vulnerability during a pentest
@BePracticalTech When I first came across this vulnerability I thought the same thing, that this is so simple yet no one talks about it, and the challenge was about making payments; this race condition really is an overlooked vulnerability.
Please explain in practical webpage
This lab here replicates the same vulnerability that I found on a pentest. Unfortunately, it is now very difficult to show vulnerabilities on a real production website as it is against TH-cam Guidelines.
How to prevent it
make a video on burp suite full potentail
Is it possible to see a real example?
Sure! Here you go: corneacristian.medium.com/top-25-race-condition-bug-bounty-reports-84f9073bf9e5
I want to see this app's source code
Here's the source code: github.com/faiyazahmad07/rcondition_bepractical_lab/
@ thanks a lot
@@BePracticalTech thanks, but this file can't be found: home.ejs and login.ejs, please upload all the project files
I want to try to understand the whole structure
Please share that code
@@mohammadrezafarahani9287 Sure, Here you go: github.com/faiyazahmad07/rcondition_bepractical_lab/
Bro, in this repo there is just one file, so where are home.ejs and login.ejs? @@BePracticalTech
@@BePracticalTech do you share login.ejs and home.ejs?
Alright
Bro can you kindly just mention Race conditions in the title...thanks
❤❤❤❤❤
I got a blind SSRF with no impact, anyone want to collaborate?
race condition
First