How a Single Endpoint Race Condition Allowed Admin Access via Email Update.
Summary of the Vulnerability
A single-endpoint race condition occurs when multiple requests sent to the same HTTP endpoint are processed concurrently without proper synchronization on the server side.
In this lab, the vulnerability exists in the email change functionality, where the server allows multiple simultaneous requests to update the account email address. The application does not correctly lock the account state during the update process, creating a race window where different email values can be submitted at nearly the same time.
The key condition that makes this exploitable is the presence of a pending administrator invitation for the email address [email protected]. The system automatically grants admin privileges to any account that successfully registers or claims this email address. Because the email change operation is not atomic, an attacker can send parallel requests attempting to update their email to the target address, increasing the chance that one of the requests…
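As an added illustration (not code from the lab or from the original write-up), the Python model below reproduces the non-atomic email update described above next to a version that holds a per-account lock. It assumes the handler first stores the pending address and then reads it back to build the confirmation message; the class, the function names and the example.test addresses are constructed for this sketch.

```python
import threading
import time

class Account:
    def __init__(self):
        self.pending = None           # shared "email awaiting confirmation" field
        self.lock = threading.Lock()  # per-account lock, used only by the hardened path

def change_email(acct, new_email, outbox, window, atomic):
    """Assumed two-step handler: store the pending address, then read it back."""
    def steps():
        acct.pending = new_email      # step 1: write shared account state
        window()                      # constructed stand-in for the race window
        # step 2: the confirmation is built from state read back, not from the request
        outbox.append((new_email, acct.pending))  # (recipient, address being confirmed)
    if atomic:
        with acct.lock:               # write and read-back form one critical section
            steps()
    else:
        steps()

def mismatched_confirmations(atomic):
    """Run two concurrent email changes; return confirmations sent for another address."""
    acct, outbox = Account(), []
    gate = threading.Barrier(2)       # forces both writes to land before either read
    window = (lambda: time.sleep(0.05)) if atomic else gate.wait
    emails = ["own-mailbox@example.test", "invited-admin@example.test"]  # constructed
    threads = [threading.Thread(target=change_email,
                                args=(acct, e, outbox, window, atomic)) for e in emails]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [(to, confirms) for to, confirms in outbox if to != confirms]

if __name__ == "__main__":
    print("unsynchronized:", mismatched_confirmations(atomic=False))
    print("with account lock:", mismatched_confirmations(atomic=True))
```

In a real application the same guarantee usually comes from a database transaction or row lock on the account, together with binding each confirmation token to the exact address it was mailed to.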