From 2021 to 2022 we have seen an increase in race condition reports with huge bugbounty payouts affecting MS, AWS, Instagram and others, for example, leading to MFA-Bypass. According to MITRE it is still a big “research gap” and based on how easily race conditions are introduced into code and how difficult they are to detect, there are probably still a lot of vulnerable applications out there. This type of vulnerability allows an attacker to create unforeseen states as a result of overlapping and parallel program code sequences. By cleverly exploiting these conditions, advantages can be gained, such as bypassing anti-brute force mechanisms, overriding limits, overvoting, and other attack scenarios. As part of this talk a developed penetration testing tool with a distributed approach and a demo web application that is vulnerable to this type of attack is being presented. With help of the demo application and the race condition testing tool real-world attack scenarios will be demonstrated. Also results of tested SAST/DAST tools will be given to show how difficult it is to prevent and also test for race condition vulnerabilities.

1. A race against time.
How to exploit race conditions in web apps.
JAVAN RASOKAT

2. whoami
Javan Rasokat
◦ Senior Application Security Specialist at Sage
◦ Ex-Pentester
◦ Lecturer for Secure Coding at DHBW University
◦ M. Sc. IT Security Management at Aalen University
(Germany), GIAC GXPN, CISSP, CCSP, CSSLP, CEH
◦ Open Source Projects - github.com/JavanXD
◦ You can find me at @javanrasokat
2

3. Agenda
◦ Theory
What are Race Conditions?
Examples
Vulnerable PHP code snippet
◦ Vulnerable web app
Attack scenarios
Secure-SDLC practices
◦ Attack tool
Current attack tool landscape
Proposed architecture
Research results
◦ Live Demo
◦ Conclusion
3

4. Theory

5. Race Condition – What?
„A race condition is a flaw that produces an unexpected result when the timing of actions
impact other actions.
An example may be seen on a multithreaded application where actions are being performed
on the same data.
Race conditions, by their very nature, are difficult to test for.” OWASP [Fou09b]
„Research Gap” MITRE [Cor06a]
5

6. Race Condition – Again, what?
Multiple threads access shared code, variables, or data simultaneously.
[Pan16]
6

7. 7
EKOPARTY
Knock Knock
Race Condition!
Race Condition!
Race Condition!
Who is there?

8. Why do I need to care?
For any actions on your application that may only be allowed to be performed in limited
numbers.
o Bypassing anti-brute force mechanisms (e.g., login mechanism).
o Overdrawing limits (e.g., bank account).
o Multiple voting (e.g., online surveys).
o Multiple execution of transfers.
o Generation and redemption of coupon or discount codes.
o Anti-cross-site request forgery (CSRF) tokens.
There are plenty of other scenarios…
8

9. Examples
[Mut21b][Osp21]
9

10. Examples
[Mut21b][Osp21]
10

11. Can you spot the race condition? (PHP)
o similar, vulnerable code samples can be found in the official PHP-Docs [Ras21]
o several processes could access the resource 'credit' at the same time
11
△t = race window [ms]

12. How to fix the race condition?
1. Lock before line 2 and unlock after line 6
No other thread can access or tamper the values
2. Append the condition to the UPDATE: ‘AND credit=$row[‘credit’]’
You just don’t update the column ‘credit’ if it got tampered
3. Use a ‘SELECT FOR UPDATE’ statement if possible
If the queries can be merged into one single query (not always possible)
There are more techniques (especially for PHP)
12
△t = race window [ms]

13. Vulnerable web app

14. 3 attack scenarios
… inspired by real world examples
Challenge 1
Bank transfer /
withdraw money
CVSS Base Score:
6.5 (Medium)
Challenge 2
Vote submission /
"Like" Indication
CVSS Base Score:
6.5 (Medium)
Challenge 3
Login using 2-factor
authentication
CVSS Base Score:
7.5 (High)
14

15. Try it by your own
Default MariaDB + PHP Configuration
Docker Compose template
GitHub: JavanXD/Raceocat/
15

16. Can we detect or prevent Race Conditions?
Do any of our Secure-SDLC practices help?
I tried hard….
• WAF, RASP, SAST, DAST
Conclusion:
• Race condition vulnerabilities go undetected
and are exploited despite the deployed in-
depth measures.
16

17. Attack tool

18. Current attack tool landscape
rc-exploit (2015), Race-the-Web (2016), RacePWN (2017), Sakurity Racer (2017),
Burp Turbo Intruder
Two types of sending parallel requests
o Parallel
§ Each HTTP-Request in its own connection
§ Often last Byte of the HTTP chunk is sent delayed (“Last Byte-Sync”) [LB17]
o Pipeline
§ Glue multiple HTTP-Requests into one TCP frame/connection
curl
o Instead of chaining multiple curl requests (curl & curl & curl…)
o You can use –parallel/-z and –next flag which got introduced in 2019 with v 7.68.0 [Ste19]
18

19. Proposed attack tool architecture
19
[Ras21]

20. Research
20
[Ras21]
Origin and Timestamp of HTTP-Requests Time Distribution and Origin of HTTP-Requests
Seconds Point of time of entries (grouped to 50ms interval) [s]
Amount
of
entries
The ”better” indicator of success: time window in the code
Test case: 1.92ms average elapse between processed requests.

21. How to increase my chances?
Two goals
• Increase reproducibility and detectability: The race window is in the code and therefore you need
a very short processing time
• Increase gain: Higher number of requests within the race window
Increase the chance of successful exploitation, by…
• Bypass Rate Limits or increase number of allowed requests by using multiple IP addresses
• If the target app is using a load balancer with sticky sessions you are in control which load
balancer to attack, or you could choose to attack different server pools at the same time
• Use a datacenter for sending the parallel requests for best performance
• Decrease distance between target and attacking server
Additional techniques
• Slowing down the target with application-DoS techniques (e.g., target long database queries)
• Monitor the target, select a “busy” timeframe e.g., heavily user times
21

22. Demo time!

23. Demo

24. OWASP ZAP Integration
24
Generate the API-Command,
which then can be used for manual testing
but also for your e2e security tests.

25. Conclusion

26. Conclusion
◦ Testing needs a good understanding of your business logic
Sometimes the only way to find them… is a pentest
Secure-SDLC practices (SAST, DAST) have not proved to be helpful
Perform reviews with focus on concurrent architectures
◦ Improve discoverability
Spread awareness, include it in your pentesting and bugbounty scope
Change your bugbounty policy to explicitly allow testing for race
conditions, as DoS is often excluded
Integrate tests in your e2e security tests
◦ Still as mentioned by MITRE a “research gap” [Cor06a]
◦ Use a distributed attack architecture for exploitation
Find the proposed tool on GitHub: github.com/JavanXD/Raceocat/
It’s a race against time and not a race against number of request per
second
26

27. References
◦ [Cor06a] MITRE Corporation. CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization
(’Race Condition’). MITRE, CWE-ID CWE- 362. July 2006. url: https://cwe.mitre.org/data/definitions/362.html
◦ [Fou09b] OWASP Foundation. Testing for Race Conditions (OWASP-AT-010). 2009. url:
https://www.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)
◦ [Hna17b] Aaron Hnatiw. „Racing The Web - Slides“. In: Hackfest, June 2017. url:
https://www.slideshare.net/AaronHnatiw/racing-the-web-hackfest-2016
◦ [LB17] Anton Lopanitsyn und Michail Badin. RacePWN (Race Condition Frame- work). 2017. url:
https://github.com/racepwn/racepwn#readme
◦ [Mut21b] Laxman Muthiyah. How I Might Have Hacked Any Microsoft Account. March 2021. url:
https://thezerohack.com/how-i-might-have-hacked-any-microsoft-account
◦ [Osp21] Tobias Ospelt. Password reset code brute-force vulnerability in AWS Cognito. Pentagrid. April 2021. url:
https://www.pentagrid.ch/en/blog/password-reset-code-brute-force-vulnerability-in-AWS-Cognito/
◦ [Pan16] Sarvesh Pandey. Testing Race Conditions in Web Applications. June 2016. url:
https://www.mcafee.com/blogs/technical-how-to/testing-race-conditions-web-applications/
◦ [Ras21] Javan Rasokat. Master thesis "Race Conditions in Webanwendungen”. August 2021. url: https://opus-htw-
aalen.bsz-bw.de/frontdoor/deliver/index/docId/1327/file/Rasokat-Race_Conditions_in_Webanwendungen.pdf
◦ [Ste19] Daniel Stenberg. curl goez parallel. July 2019. url: https://daniel.haxx.se/blog/2019/07/22/curl-goez-parallel/
27

28. 28
THANKS! GRACIAS!
You can find me at
@javanrasokat
linkedin.com/in/javan-rasokat/