BugForge - Daily - Cafe Club (Repeat)
Daily - Cafe Club (Repeat)
This is a repeat of the daily challenge from January 25th, 2026.
Vulnerability Overview
The Cafe Club application contains a TOCTOU (Time-of-Check Time-of-Use) race condition in the checkout flow. The cart is read twice without synchronization: once for price calculation and again for order fulfillment. By sending parallel requests (one checkout plus multiple add-to-cart) with Burp Suite’s “Send in parallel” feature, items can be injected between these two reads. The result is an order containing items that were never paid for: the price is calculated before the additional items are added, but fulfillment uses the modified cart state.
Key Issues:
- The checkout process reads cart state at two separate points without atomic transaction processing
- No database-level locking is applied to cart records during checkout
- Concurrent add-to-cart requests can modify the cart between price verification and order fulfillment
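The two-read checkout described above and one way to close the window, as an added example that is not the challenge application's code. The in-memory `Cart`, the cent-valued `PRICES` catalogue and the `race_hook` callback are constructed for illustration; the hook stands in for a concurrent add-to-cart request landing between the price read and the fulfilment read, and the cart lock stands in for the database transaction and row lock (for example `SELECT ... FOR UPDATE`) that a real checkout would take.

```python
import threading
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed catalogue, prices in cents (assumption: not the challenge's real menu).
PRICES = {"latte": 450, "croissant": 300, "mocha": 500}


@dataclass
class Cart:
    """In-memory stand-in for the cart table; the lock models a DB row lock."""
    items: Dict[str, int] = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def add(self, sku: str, qty: int = 1) -> None:
        # add-to-cart takes the lock, so it waits while a fixed checkout runs
        with self.lock:
            self.items[sku] = self.items.get(sku, 0) + qty

    def snapshot(self) -> Dict[str, int]:
        return dict(self.items)

    def clear(self) -> None:
        self.items.clear()


@dataclass
class Order:
    charged_cents: int
    fulfilled: Dict[str, int]


def price_of(items: Dict[str, int]) -> int:
    return sum(PRICES[sku] * qty for sku, qty in items.items())


def checkout_vulnerable(cart: Cart, race_hook: Optional[Callable[[], None]] = None) -> Order:
    """Reads the cart twice with no lock: once to price, once to fulfil.
    race_hook models a concurrent add-to-cart arriving between the reads."""
    priced = cart.snapshot()            # read 1: price calculation
    charged = price_of(priced)
    if race_hook:
        race_hook()                      # the TOCTOU window
    fulfilled = cart.snapshot()         # read 2: fulfilment uses the *current* cart
    cart.clear()
    return Order(charged, fulfilled)


def checkout_fixed(cart: Cart, race_hook: Optional[Callable[[], None]] = None) -> Order:
    """One read under the cart lock; pricing and fulfilment use the same snapshot.
    An add-to-cart started inside the critical section blocks on the lock until
    checkout has finished, so it lands in the next cart rather than this order."""
    with cart.lock:
        snap = cart.snapshot()
        charged = price_of(snap)
        if race_hook:
            race_hook()
        cart.clear()
    return Order(charged, snap)


def unpaid_cents(order: Order) -> int:
    """Value of fulfilled goods minus the amount charged; a non-zero result is
    the condition a reconciliation check should alert on."""
    return price_of(order.fulfilled) - order.charged_cents


def demo_vulnerable() -> Order:
    cart = Cart()
    cart.add("latte")
    cart.add("croissant")
    # Constructed race: an add-to-cart lands between the two reads.
    return checkout_vulnerable(cart, race_hook=lambda: cart.add("mocha"))


def demo_fixed() -> Tuple[Order, Dict[str, int]]:
    cart = Cart()
    cart.add("latte")
    cart.add("croissant")
    late_add = threading.Thread(target=cart.add, args=("mocha",))
    # The thread starts inside the critical section but cannot acquire the lock
    # until checkout has cleared the cart, so the mocha is not fulfilled unpaid.
    order = checkout_fixed(cart, race_hook=late_add.start)
    late_add.join()
    return order, cart.snapshot()


if __name__ == "__main__":
    bad = demo_vulnerable()
    print("vulnerable: charged", bad.charged_cents, "fulfilled", bad.fulfilled,
          "unpaid", unpaid_cents(bad))
    good, leftover = demo_fixed()
    print("fixed: charged", good.charged_cents, "fulfilled", good.fulfilled,
          "unpaid", unpaid_cents(good), "next cart", leftover)
```

The `unpaid_cents` reconciliation is also the cheapest detection for this class of bug in production: comparing the value of fulfilled line items against the amount actually captured for each order surfaces exploitation even before the root cause is found.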
Vulnerabilities Covered
- Race Condition / Time-of-Check Time-of-Use (TOCTOU)
Classification
- OWASP Top 10: A04:2021 - Insecure Design
- Vulnerability Type: Race Condition / Time-of-Check Time-of-Use (TOCTOU)
- Attack Surface: E-commerce checkout and cart management API endpoints
- CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
This post is licensed under CC BY 4.0 by the author.
