“Racing the Web” – Presented at Hackfest 2016 by Aaron Hnatiw, Security Consultant from Security Compass

Racing the Web

Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions are a well known issue in software development, and they often result in program crashes and poor usability. Most instances of race conditions can be difficult to test, as they may only occur in one in one thousand uses, and under very specific conditions. Due to this fact, it can be rare that these bugs manifest themselves with any regularity. But what happens when a race condition exists in an application that accepts thousands of concurrent connections? Suddenly the likelihood of unintended behaviour increases exponentially, and the consequences can be devastating.

In a web application, user sessions are often treated the same as desktop user sessions- a user is expected to perform a single task at a time, while the server processes the information and performs the indented functionality for that user. But what would happen if a user tried to perform the same task hundreds or thousands of times simultaneously? If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”.

The focus of this talk is the security implications of this exact scenario, detailing specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.

Video link: https://youtu.be/4T99v957I0o


Aaron Hnatiw is a Security Consultant for Security Compass, and a professor of Application Security at Georgian College. Prior to that, he was the founder of Inspectral Security, a company that provided customised red team services to medium-sized businesses across a wide range of industries. Aaron’s background has covered most areas of IT- he is a former system administrator, web and desktop developer, and network security engineer, and his current role involves pentesting and advisory work in both application and network security. In his free time, Aaron writes open-source security tools in the Go programming language, and participates in the occasional CTF from his home in Ontario, Canada.


About Security Compass
Security Compass, a leading provider of cybersecurity solutions, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, allows organizations to balance the need to accelerate software time-to-market while managing risk by automating significant portions of proactive manual processes for security and compliance. SD Elements is the world’s first Balanced Development Automation platform. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries. The company is headquartered in Toronto, with offices in the U.S. and India. For more information, please visit https://www.securitycompass.com/