Tags: web race
Rating: 5.0
# TL;DR
**Intended solution:** abuse the sleep in `/notes` to preserve the session while `/deleteme` deletes the user from the db (removing the user’s hash). Then, with the session kept from `/notes`, we have access to all the notes.
**Unintended solution:** using Turbo Intruder, race `/deleteme` and `/notes/flag` to delete our user’s hash while we have a valid session in `/notes/flag`, bypass `hasUserNoteAcess`, and get the flag.
Follow the link to see the full writeup.
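A constructed toy model of the race the TL;DR describes (added here, not the challenge's code): `/notes` loads the user, sleeps, then serves notes, while `/deleteme` removes the user row mid-sleep. It models only the session-survives-deletion part, not `hasUserNoteAcess`, and the hardened variant shows the two fixes a defender would apply: revoke the user's sessions atomically on delete and re-validate after the sleep.

```python
import threading

class NotesApp:
    """Constructed model of the /notes vs /deleteme race; hardened=True adds the fixes."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.lock = threading.Lock()
        # Constructed sample data: one user, one session, one note.
        self.users = {"alice": {"hash": "<password-hash placeholder>", "notes": ["alice's note"]}}
        self.sessions = {"sess-1": "alice"}
        self.paused = threading.Event()  # set by /notes when it reaches its sleep
        self.resume = threading.Event()  # set by the caller to end the sleep

    def notes(self, sid):
        name = self.sessions.get(sid)
        user = self.users.get(name)
        if user is None:
            return 401, None
        # Stand-in for the sleep in /notes: block here so /deleteme can run in between.
        self.paused.set()
        self.resume.wait()
        if self.hardened:
            with self.lock:  # re-check session and user row under the same lock deletes use
                if self.sessions.get(sid) != name or name not in self.users:
                    return 401, None
                return 200, list(self.users[name]["notes"])
        return 200, list(user["notes"])  # vulnerable: trusts the pre-sleep snapshot

    def deleteme(self, sid):
        with self.lock:
            name = self.sessions.pop(sid, None)
            if name is None:
                return 401
            self.users.pop(name, None)  # removes the row, and with it the user's hash
            if self.hardened:  # revoke every other session still bound to the deleted user
                for s in [s for s, n in self.sessions.items() if n == name]:
                    del self.sessions[s]
            return 200

def race(hardened):
    """Interleave /notes (paused at its sleep) with /deleteme; return both responses."""
    app = NotesApp(hardened)
    out = {}
    t = threading.Thread(target=lambda: out.update(notes=app.notes("sess-1")))
    t.start()
    app.paused.wait()
    out["delete"] = app.deleteme("sess-1")
    app.resume.set()
    t.join()
    return out
```

`race(False)` returns the notes with a 200 even though the user row is gone; `race(True)` returns 401 because the delete revoked the session and the handler re-validated.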