Final race-condition-in-the-web

•

2 likes•1,903 views

Xchym Hiệp

Technology

Race Condition Attacks in Web Applications

gamma95[at]gmail[dot].com

About me

$g4mm4 === $gamma95
● Penetration tester
● Bugs hunter
● Full time Internet Troll

About the talk

● What is race condition?
● Race conditions in the web applications
● Prevention
● Demo
● References
● Q&A

What is race condition?

● A race condition or race hazard is a type of
flaw in an electronic or software system where
the output is dependent on the sequence or
timing of other uncontrollable events
● Race conditions can occur in electronics
systems, especially logic circuits, and in
computer software, especially multithreaded or
distributed programs.

in Electronics
● ∆t1 and ∆t2
represent the
propagation delays
of the logic
elements.

● When the input
value (A) changes,
the circuit outputs
a short spike of
duration (∆t1+∆t2)
- ∆t2 = ∆t1

In Computer Software (file system, networking ...)

System V Semaphore
PHP is compiled with --enable-sysvsem

LFI with phpinfo()
● What is LFI?
Local File Inclusion (also known as LFI) is the process of including
files on a server through the web browser. This vulnerability occurs
when a page include is not properly sanitized, and allows directory
traversal characters to be injected

LFI with phpinfo()
● Why PHPInfo()?
The output of the PHPInfo() script contains the values of the
PHP Variables, including any values set via _GET, _POST or
uploaded _FILES.

References

● Practical Race Condition Vulnerabilities in
Web Applications
https://defuse.ca/race-conditions-in-web-applications.htm

● "LFI with phpinfo() assistance"
http://www.insomniasec.com/publications/LFI With PHPInfo Assistance.pdf

● Nghệ thuật tận dụng lỗi phần mềm
http://bluemoon.com.vn/books/8935048992197.html

Similar to Final race-condition-in-the-web

CanSecWest (1)

Abhishek Singh

Near real-time anomaly detection at Lyft

markgrover

D3 Troubleshooting

Rocket Software

Unix Web servers and FireWall

webhostingguy

Unix Web servers and FireWall

webhostingguy

104 Common network devices

SsendiSamuel

Business applications have to be available, performant and functioning. Full stop. Even with thousands of infrastructure monitoring checks, you won’t be able to even begin to monitor the end-user’s perspective. The fact is: you monitor your IT, but you can only hope that your services will work. Time to change that. Time to use a framework. Time to use Robot Framework. My presentation will show you the demand for End2End-Monitoring and why Robot Framework is an excellent choice for automated application tests. You will also get to know Robotmk, the link between Robot Framework and Checkmk. It dovetails both tools extremely closely and gives your infrastructure monitoring a holistic approach. It is used by companies of diverse branches, as well as by authorities and governments. And once you have discovered the KubernetesLibrary, DataDriver, RequestsLibrary and all the many more libraries, you will not want to put Robot Framework down again. But that’s another story…

OSMC 2021 | Robotmk: You don’t run IT – you deliver services!

NETWAYS

Marton Balassi – Stateful Stream Processing

Flink Forward

Abstractions for managed stream processing platform (Arya Ketan - Flipkart)

KafkaZone

Crushing Latency with Vert.x

Paulo Lopes

Computer Archeticture

mahmoud

Java Profiling

zeroproductionincidents

AktaionPPTv5_JZedits

Rod Soto

DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...

Felipe Prado

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation. I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

EC-Council

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

Alejandro Hernández

Kernel Recipes 2018 - Mitigating Spectre and Meltdown (and L1TF) - David Wood...

Anne Nicolas

A trial investigation system for vulnerability on M2M network

Mocke Tech

Nowadays, M2M networks are growing up more and more, and many devices are active in M2M networks. Various devices are existing. It means many vulnerabilities existing in M2M networks. And it’s difficult to directly investigate those vulnerabilities because almost investigation system can’t play like those devices to not know the behavior of devices. The investigation system using Man-in-the-Middle proposed in this paper will make efforts to decrease theose vulnerabilities.

A Trial Investigation System for Vulnerability on M2M Network

Kiyotaka Atsumi

The progress in the industrial automation, automotive, biomedical and avionic sectors requires the use of safety network protocols that in some cases have to satisfy real time constrains. In this talk we will discuss about facing the major issues of the network, which tools to use to test and analyze the protocol and we will understand the usefulness of integrating PTP and PRP modules in our communication.

Alessio Lama - Development and testing of a safety network protocol

linuxlab_conf

Similar to Final race-condition-in-the-web (20)

CanSecWest (1)

Near real-time anomaly detection at Lyft

D3 Troubleshooting

Unix Web servers and FireWall

104 Common network devices

OSMC 2021 | Robotmk: You don’t run IT – you deliver services!

Marton Balassi – Stateful Stream Processing

Abstractions for managed stream processing platform (Arya Ketan - Flipkart)

Crushing Latency with Vert.x

Computer Archeticture

Java Profiling

AktaionPPTv5_JZedits

DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

Kernel Recipes 2018 - Mitigating Spectre and Meltdown (and L1TF) - David Wood...

A trial investigation system for vulnerability on M2M network

A Trial Investigation System for Vulnerability on M2M Network

Alessio Lama - Development and testing of a safety network protocol

Recently uploaded

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Exploring Multimodal Embeddings with Milvus

Zilliz

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Corporate and higher education May webinar.pptx

Exploring Multimodal Embeddings with Milvus

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

presentation ICT roal in 21st century education

Six Myths about Ontologies: The Basics of Formal Ontology

CNIC Information System with Pakdata Cf In Pakistan

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Why Teams call analytics are critical to your entire business

MINDCTI Revenue Release Quarter One 2024

Understanding the FAA Part 107 License ..

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

FWD Group - Insurer Innovation Award 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Final race-condition-in-the-web

2. Race Condition Attacks in Web Applications gamma95[at]gmail[dot].com

3. Breaking news

4. About me

5. About me $g4mm4 === $gamma95 ● Penetration tester ● Bugs hunter ● Full time Internet Troll

6. About the talk ● What is race condition? ● Race conditions in the web applications ● Prevention ● Demo ● References ● Q&A

7. What is race condition? ● A race condition or race hazard is a type of flaw in an electronic or software system where the output is dependent on the sequence or timing of other uncontrollable events ● Race conditions can occur in electronics systems, especially logic circuits, and in computer software, especially multithreaded or distributed programs.

8. in Electronics ● ∆t1 and ∆t2 represent the propagation delays of the logic elements. ● When the input value (A) changes, the circuit outputs a short spike of duration (∆t1+∆t2) - ∆t2 = ∆t1

9. In Computer Software (file system, networking ...)

10. in Web Applications: Hit Counter

11. in Web Applications: Hit Counter

12. Tell me why?

13. Tell me why?

14.

15. in Web Applications: Online Banking

16. in Web Applications: Online Banking

17. D3m0

18. Prevention

19. Semaphore

20. System V Semaphore PHP is compiled with --enable-sysvsem

21. LFI with phpinfo() ● What is LFI? Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected

22. LFI with phpinfo() ● Why PHPInfo()? The output of the PHPInfo() script contains the values of the PHP Variables, including any values set via _GET, _POST or uploaded _FILES.

23. How to win the race ?

24. D3m0

25. References ● Practical Race Condition Vulnerabilities in Web Applications https://defuse.ca/race-conditions-in-web-applications.htm ● "LFI with phpinfo() assistance" http://www.insomniasec.com/publications/LFI With PHPInfo Assistance.pdf ● Nghệ thuật tận dụng lỗi phần mềm http://bluemoon.com.vn/books/8935048992197.html

26. Questions?

27. That's all folks!

Final race-condition-in-the-web

Recommended

Recommended

More Related Content

Similar to Final race-condition-in-the-web

Similar to Final race-condition-in-the-web (20)

Recently uploaded

Recently uploaded (20)

Final race-condition-in-the-web