FS#94 - Race Condition in Product Creation Limit
Status: Closed
Assigned To: cbay
Private
Opened by mohab4173 - 08.11.2024
Last edited by cbay - 09.11.2024
Summary: A race condition vulnerability was found, allowing users to bypass the product limit restriction and create multiple instances of a product that should be limited to only one per user.
Steps to Reproduce:
1. Open a New Account:
Go to "Open a New Account" and enter the required information.
2. Send Concurrent Requests:
Use a tool like Burp Suite or a script to send multiple requests at the same time.
Slightly change the product name in each request (e.g., "Product1", "Product2") to avoid immediate duplicates.
3. Verify:
Check the account to confirm multiple instances of the product were created.
Impact:
1. Resource Abuse: Users can consume excessive resources (e.g., storage or server space), impacting performance and increasing operational costs.
2. Account Abuse: Malicious users may create multiple products for spam, fraud, or denial-of-service (DoS) attacks.
3. System Integrity: This flaw undermines the system's integrity by allowing unauthorized duplication of resources.
Recommended Fixes:
1. Atomic Operations: Ensure product creation checks and actions happen as one atomic operation.
2. Database Constraints: Enforce unique limits in the database to block duplicate entries.
3. Synchronization: Use locking mechanisms to prevent concurrent request handling.
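The check-then-insert race the report describes, and the atomic form of the check that its first recommended fix calls for, as an added example in Python. This is not part of the original report and not the project's code: the products table, its column names, the per-user limit and the "Product<n>" names are assumptions, and the concurrent requests are simulated with threads that each hold their own SQLite connection, the way an application server gives every request its own database handle. The example also goes beyond the report's limit of one, since the same statement enforces any per-user limit.

```python
"""Race in a check-then-insert product limit, and the atomic form of the check.

Constructed example, not the project's code.  The products table, its column
names, the per-user limit and the "Product<n>" names are all assumptions.
Each simulated request runs in its own thread with its own SQLite connection,
the way an application server gives every request its own DB handle.
"""
import os
import sqlite3
import tempfile
import threading

# Assumed schema.  The only uniqueness is on the product name, which is
# exactly the check the report bypasses by renaming each request.
SCHEMA = """
CREATE TABLE IF NOT EXISTS products (
    id       INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL,
    name     TEXT    NOT NULL UNIQUE
);
"""


def _connect(path):
    # Autocommit (isolation_level=None): every statement is its own
    # transaction.  The busy timeout lets contending writers wait their turn.
    return sqlite3.connect(path, isolation_level=None, timeout=10)


def create_product_racy(path, owner_id, name, limit, gate):
    """Vulnerable: the limit check and the INSERT are two separate statements.

    `gate` is a barrier that holds every request between the check and the
    insert, which makes the window the report hits with Burp deterministic."""
    conn = _connect(path)
    try:
        cur = conn.execute(
            "SELECT COUNT(*) FROM products WHERE owner_id = ?", (owner_id,)
        )
        (count,) = cur.fetchone()
        cur.close()  # finish the read so no lock is held across the gap
        allowed = count < limit
        gate.wait(timeout=10)  # every request has now passed the check
        if not allowed:
            return False
        conn.execute(
            "INSERT INTO products (owner_id, name) VALUES (?, ?)", (owner_id, name)
        )
        return True
    finally:
        conn.close()


def create_product_atomic(path, owner_id, name, limit, gate):
    """Fixed: the check lives inside the INSERT, so both run under one write lock.

    The statement inserts a row only if the owner's current count is below
    the limit.  SQLite takes the write lock before evaluating the sub-select,
    so each request sees the rows the previous one committed and at most
    `limit` rows ever exist.  rowcount tells the caller whether it inserted."""
    conn = _connect(path)
    try:
        gate.wait(timeout=10)  # same burst timing as the racy version
        cur = conn.execute(
            "INSERT INTO products (owner_id, name) "
            "SELECT ?, ? WHERE (SELECT COUNT(*) FROM products WHERE owner_id = ?) < ?",
            (owner_id, name, owner_id, limit),
        )
        return cur.rowcount == 1
    finally:
        conn.close()


def burst(create, owner_id, limit, n_requests):
    """Fire n_requests concurrent creations for one owner; return the final count."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = _connect(path)
        conn.executescript(SCHEMA)
        conn.close()
        gate = threading.Barrier(n_requests)
        threads = [
            threading.Thread(
                target=create, args=(path, owner_id, f"Product{i}", limit, gate)
            )
            for i in range(n_requests)
        ]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        conn = _connect(path)
        (count,) = conn.execute(
            "SELECT COUNT(*) FROM products WHERE owner_id = ?", (owner_id,)
        ).fetchone()
        conn.close()
        return count
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Eight simultaneous requests against a limit of one product per user.
    print("check-then-insert:", burst(create_product_racy, 42, 1, 8))
    print("atomic insert    :", burst(create_product_atomic, 42, 1, 8))
```

With eight simultaneous requests the racy version creates a product for every request, the atomic one creates exactly `limit`. Two caveats for a real deployment: for a limit of exactly one, a UNIQUE constraint on `owner_id` (or on the owner plus product type) is the simplest enforcement and cannot be dodged by renaming; and on an MVCC database such as PostgreSQL a single `INSERT ... SELECT` does not serialize concurrent readers the way SQLite's file lock does, so lock the owner's row first (`SELECT ... FOR UPDATE`) or rely on the unique constraint rather than on the sub-select alone.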
Hello,
Limiting a single free account per user can trivially be bypassed by creating multiple profiles, so really we don't care about that (unverified) race condition.
Kind regards,
Cyril