When money is involved, multithreading synchronization issues must be given close attention; if they are handled improperly they can cause unforeseen losses.
YS e-commerce coupon flaw allows one coupon to be used multiple times to generate orders (severity: high)
Problem Description:
Users of the YS e-commerce platform can use the coupons we provide to purchase equipment at a certain discount, and a coupon may be used only once. The order-submission interface must carry the coupon number; the backend automatically reduces the amount according to the coupon type and finally generates the order. However, the backend performs no concurrency synchronization on this interface, so a single coupon can be used multiple times and eventually generate multiple orders for payment.
Test steps:
1. Log in to YS MALL, select the device to purchase, CX (here the CX price is 880 and the coupon discount is 300 RMB), and enter the shopping cart to submit the order:
2. Use the coupon in the order information, as shown in the screenshot:
3. Submit the order and intercept the order request, send it to Burp Intruder, set the relevant parameters and fire the requests rapidly; 4 requests are processed successfully:
4. Go to the "My Orders" page; 4 orders have been generated, and each order has successfully used the same coupon, as shown in the screenshot:
5. The coupon usage records in the admin backend also confirm this.
Problem Extension:
In principle, every interface is exposed to this kind of problem, and for interfaces that involve sensitive business logic the consequences may be unpredictable.
Solution Recommendations:
1. Add a synchronization lock to the processing code so that concurrent requests on the coupon are handled serially.
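To make the root cause and the recommended fix concrete, the following added Python example (written for this page, not code from the YS system) replays 4 simultaneous order submissions against a coupon store, once with the unsynchronised check-then-use pattern and once with the synchronization lock recommended above. The service class, the coupon number and the sleep that stands in for backend latency are all assumptions.

```python
import threading
import time

# Constructed sample values from the report: an 880 RMB item and a 300 RMB coupon.
ITEM_PRICE, COUPON_VALUE = 880, 300
RACE_WINDOW = 0.2   # stands in for backend latency between reading and marking the coupon


class CouponService:
    """Hypothetical order service (not the YS backend) holding one single-use coupon."""
    def __init__(self):
        self.coupons = {"C-300": {"used": False}}   # constructed coupon number
        self.lock = threading.Lock()

    def place_order_racy(self, code):
        """Vulnerable pattern: check-then-act with nothing serialising the two steps."""
        coupon = self.coupons[code]
        if coupon["used"]:
            return None
        time.sleep(RACE_WINDOW)          # other requests pass the check in this window
        coupon["used"] = True
        return {"amount": ITEM_PRICE - COUPON_VALUE, "coupon": code}

    def place_order_locked(self, code):
        """Fix from the report: a lock makes check + mark-used one atomic step."""
        coupon = self.coupons[code]
        with self.lock:
            if coupon["used"]:
                return None
            time.sleep(RACE_WINDOW)
            coupon["used"] = True
            return {"amount": ITEM_PRICE - COUPON_VALUE, "coupon": code}


def fire_concurrent(handler, code, n=4):
    """Replay n simultaneous submissions (the report used 4); returns the orders created."""
    barrier = threading.Barrier(n)       # release all workers at the same instant
    orders = []

    def worker():
        barrier.wait()
        order = handler(code)
        if order is not None:
            orders.append(order)
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return orders
```

An in-process lock only serialises requests inside one server process; when the order service runs as several instances, the same check-and-mark step has to be made atomic at the shared store instead (for example a conditional update that succeeds only while the coupon is still unused).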
[Typical vulnerability sharing] A multi-threaded synchronization problem allows program limits to be exceeded