OP mentioned the race condition vulnerability, which seems to be the favorite vulnerability for hackers who are into this mainly for the money, as it may allow them to edit their balance and withdraw more than they actually have. It will be interesting to read how it works in detail!
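As an added illustration of the balance race the post refers to (example code, not from the thread or any real application): the first account class does a check-then-act withdrawal with nothing serialising concurrent requests, so several requests can all pass the balance check before any of them debits; the second class holds a lock around check and debit. The `time.sleep` inside the window is an assumption added only to make the race reproduce deterministically; real windows are much narrower but just as exploitable.

```python
import threading
import time


class VulnerableAccount:
    """Check-then-act withdrawal with no synchronisation (a TOCTOU race)."""

    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        if self.balance >= amount:      # check
            time.sleep(0.1)             # constructed delay: widens the race window
            self.balance -= amount      # act, on a balance that may already be stale
            return True
        return False


class SafeAccount:
    """Same operation, but check and debit happen as one unit under a lock."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.1)         # same delay; the lock makes it harmless
                self.balance -= amount
                return True
            return False


def run_concurrent_withdrawals(account, amount, requests):
    """Fire `requests` withdrawals of `amount` at the same time.

    Returns (number_of_successful_withdrawals, final_balance).
    """
    results = []  # list.append is atomic in CPython, so no extra lock needed here

    def worker():
        results.append(account.withdraw(amount))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Constructed scenario: a 100-unit balance and five simultaneous 100-unit withdrawals.
    print("vulnerable:", run_concurrent_withdrawals(VulnerableAccount(100), 100, 5))
    print("safe:      ", run_concurrent_withdrawals(SafeAccount(100), 100, 5))
```

In a real web application the lock usually lives in the database rather than in process memory: a single conditional statement such as `UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt` (checking the affected-row count), or a `SELECT ... FOR UPDATE` inside the transaction, gives the same check-and-debit atomicity across multiple app servers. Detection-wise, a balance that goes negative or a burst of identical withdrawal requests within milliseconds of each other is the signal to alert on.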
Another common vulnerability you can find on many websites is not setting a limit on how many times you can enter a wrong password. This makes it easier for hackers to perform a brute force attack.
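A defender-side illustration of the mitigation this post is asking for, added here and not code from the thread: a small failed-login throttle that counts failures per key inside a sliding window and locks the key out once a threshold is reached. The `USERS` table, the `attempt_login` helper and the injectable `clock` are assumptions made so the block runs offline with a fake clock; a real application would compare password hashes and persist the counters in shared storage.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Lock out a key (username, client IP, or both) after too many recent failures."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                     # injectable for testing
        self._failures = defaultdict(deque)    # key -> timestamps of recent failures
        self._locked_until = {}                # key -> time when the lockout expires

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:              # lockout expired: reset state
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
        return len(self._failures[key])

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed credential store; a real app stores and compares password hashes.
USERS = {"alice": "correct horse battery staple"}


def attempt_login(throttle, username, password):
    """Return 'locked', 'ok' or 'bad'. The lockout check runs before the password check."""
    key = username.lower()
    if throttle.is_locked(key):
        return "locked"
    if USERS.get(username) == password:        # placeholder for a constant-time hash compare
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "bad"


def simulate_guessing(wrong_attempts):
    """Drive N wrong guesses, then the right password, through the throttle on a fake clock."""
    fake_now = [1_000_000.0]
    throttle = LoginThrottle(max_failures=5, window_seconds=300, lockout_seconds=900,
                             clock=lambda: fake_now[0])
    outcomes = []
    for i in range(wrong_attempts):
        outcomes.append(attempt_login(throttle, "alice", f"guess{i}"))   # constructed wrong guess
        fake_now[0] += 1.0
    outcomes.append(attempt_login(throttle, "alice", "correct horse battery staple"))
    fake_now[0] += 900.0                       # wait out the lockout
    outcomes.append(attempt_login(throttle, "alice", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing(7))
```

Two design points worth noting: keying only on the username lets anyone lock a victim out of their account, while keying only on the client IP is bypassed by spreading attempts across many addresses, so production throttles usually combine both (per-account and per-source) and return the same generic error for "bad" and "locked" so the response does not reveal which usernames exist. The counters also belong in shared storage (a database or cache) so that every application instance sees the same failure count.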
Yes, you are right, most websites have no protection against brute force. But on our last scans, we found many of them leak the real server IP behind Cloudflare. Found sensitive login pages, like cPanel, FTP, SSH, admin panels, phpMyAdmin, etc. Brute forcing on these can be more dangerous than user logins.