This repo contains a PHP Race Condition POC that simulates a vulnerability seen in Starbucks gift cards in 2015.
- Install Docker.
- Ensure that you're running the Docker container in a multi-CPU or multi-threaded environment (Docker uses all available resources by default).
  Note: May not work on M1 Mac or other ARM-based OSes. If you find a solution, please feel free to submit a PR!
- Run `git clone https://github.com/SeanRobertDH/PHP-Race-Condition-POC`.
- Run Docker.
- In the cloned directory with the `docker-compose.yml` file, run the command `docker-compose up`.
- The vulnerable web server is now running on `localhost:6969`.
- There should be '2 gift cards with $500 each'. Your goal is to increase the sum of their values to be more than $1000.
- Race The Web
- Burp Suite (Turbo Intruder Extension)
- Open a separate terminal, also in the directory with the `docker-compose.yml` file, and run the command `docker-compose down -v`.