Racing the Web
Race conditions are a well-known class of software bug, long thought of as a problem confined to fast, multithreaded desktop applications, where they usually show up as crashes and flaky behaviour. Most race conditions are hard to test for: they may trigger in only one run out of a thousand, and only under very specific timing. Because of this, they rarely manifest with any regularity. But what happens when a race condition exists in an application that accepts thousands of concurrent connections? Suddenly the likelihood of unintended behaviour rises sharply, and the consequences can be devastating.
In a web application, user sessions are often treated like desktop user sessions: a user is expected to perform one task at a time while the server processes the request and carries out the intended functionality for that user. But what happens if a user submits the same request hundreds or thousands of times simultaneously? If the proper checks and defensive measures are not in place, every concurrent request passes the same check before any of them has recorded its result, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”.
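The check-then-act pattern described above, as an added example written for this page (it is not the talk's tool or any code from the speaker): a hypothetical one-time coupon redemption against an in-memory stand-in for the database, implemented once the way a typical web handler does it (SELECT, do work, UPDATE) and once as a single atomic step, then hit with 200 concurrent requests for the same coupon. The coupon code, user name, credit value and the simulated round-trip delay are all constructed for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// store is an in-memory stand-in for the application's database (constructed
// for this example). Each coupon is single-use and grants 10 credits.
type store struct {
	mu      sync.Mutex
	used    map[string]bool // coupon code -> already redeemed?
	credits map[string]int  // user -> balance
}

func newStore(codes ...string) *store {
	s := &store{used: map[string]bool{}, credits: map[string]int{}}
	for _, c := range codes {
		s.used[c] = false
	}
	return s
}

// dbRoundTrip stands in for the latency between a handler's SELECT and its UPDATE.
func dbRoundTrip() { time.Sleep(5 * time.Millisecond) }

// RedeemCheckThenAct is the typical vulnerable handler: it checks the coupon in
// one query, does some work, then marks it used in a second query. Between the
// two steps every other concurrent request still sees the coupon as unused.
func (s *store) RedeemCheckThenAct(code, user string) bool {
	s.mu.Lock()
	used, exists := s.used[code]
	s.mu.Unlock() // the check is over; state can change before we act
	if !exists || used {
		return false
	}
	dbRoundTrip()
	s.mu.Lock()
	s.used[code] = true
	s.credits[user] += 10
	s.mu.Unlock()
	return true
}

// RedeemAtomic makes the check and the state change one indivisible step, the
// in-memory equivalent of a single conditional UPDATE ... WHERE used = 0 whose
// affected-row count decides whether credit is granted.
func (s *store) RedeemAtomic(code, user string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	used, exists := s.used[code]
	if !exists || used {
		return false
	}
	s.used[code] = true
	s.credits[user] += 10
	return true
}

func (s *store) Credits(user string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.credits[user]
}

// hammer fires n concurrent redemptions of the same code by the same user and
// returns how many were accepted. A correct implementation accepts exactly one.
func hammer(redeem func(code, user string) bool, code, user string, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	accepted := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if redeem(code, user) {
				mu.Lock()
				accepted++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return accepted
}

func main() {
	const n = 200
	v := newStore("WELCOME10")
	fmt.Printf("check-then-act: %d of %d redemptions accepted, balance %d\n",
		hammer(v.RedeemCheckThenAct, "WELCOME10", "mallory", n), n, v.Credits("mallory"))
	a := newStore("WELCOME10")
	fmt.Printf("atomic:         %d of %d redemptions accepted, balance %d\n",
		hammer(a.RedeemAtomic, "WELCOME10", "mallory", n), n, a.Credits("mallory"))
}
```

Against a live application the same test is N near-simultaneous HTTP requests for the same action, and the signal to look for is more than one success response (or a balance that moved more than once). The mutex in the hardened version is only the in-memory illustration; in a real backend the equivalent is a conditional update, a unique constraint, or a row lock inside one transaction, so that the check and the write cannot be separated by another request.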
The focus of this talk is the security implications of this exact scenario, with specific examples of how malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
Video link: https://youtu.be/4T99v957I0o
Aaron Hnatiw is a Security Consultant for Security Compass, and a professor of Application Security at Georgian College. Prior to that, he was the founder of Inspectral Security, a company that provided customised red team services to medium-sized businesses across a wide range of industries. Aaron’s background has covered most areas of IT: he is a former system administrator, web and desktop developer, and network security engineer, and his current role involves pentesting and advisory work in both application and network security. In his free time, Aaron writes open-source security tools in the Go programming language, and participates in the occasional CTF from his home in Ontario, Canada.