Race Conditions
Smashing the state machine: the true potential of web race conditions
Note
Use Turbo Intruder for Race Condition testing
HTTP 1.1
Last Byte Sync: Web servers wait for the last packet of a request to arrive before processing it, so you withhold the last packet until you have the second request ready to finish.
HTTP 2
Timeless Timing attack:
Limit Overrun
Basic Race Condition Vulnerabilities
Defense
- Locking database/session transactions
- Batching Requests
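
An added example (not from the original notes) of the first defense applied to a limit overrun: a single-use coupon redeemed by five parallel workers, first with an unlocked check-then-act and then with the check inside a locking transaction. The `coupon` table, the function names, and the barrier that holds the workers inside the race window are constructed for illustration, with SQLite standing in for the application database.

```python
import os, sqlite3, tempfile, threading

WORKERS = 5  # constructed: five concurrent redemptions of a single-use coupon

def connect(path):
    return sqlite3.connect(path, timeout=10, isolation_level=None)  # autocommit

def redeem_unlocked(path, gate):
    """Check-then-act with no lock: the gap between SELECT and UPDATE is the race window."""
    db = connect(path)
    used, limit = db.execute("SELECT used, max_uses FROM coupon").fetchone()
    ok = used < limit
    gate.wait()  # constructed: hold every worker inside the window after its check
    if ok:
        db.execute("UPDATE coupon SET used = used + 1")
    db.close()
    return ok

def redeem_locked(path, gate):
    """Same logic, but the write lock is taken before the check is made."""
    gate.wait()  # all workers start together
    db = connect(path)
    db.execute("BEGIN IMMEDIATE")  # other writers block here until COMMIT
    used, limit = db.execute("SELECT used, max_uses FROM coupon").fetchone()
    ok = used < limit
    if ok:
        db.execute("UPDATE coupon SET used = used + 1")
    db.execute("COMMIT")
    db.close()
    return ok

def run(redeem):
    """Return (accepted redemptions, final used counter) for WORKERS parallel calls."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.db")
        db = connect(path)
        db.execute("CREATE TABLE coupon (used INTEGER, max_uses INTEGER)")
        db.execute("INSERT INTO coupon VALUES (0, 1)")  # limit: one use
        gate, results = threading.Barrier(WORKERS), []
        threads = [threading.Thread(target=lambda: results.append(redeem(path, gate)))
                   for _ in range(WORKERS)]
        for t in threads: t.start()
        for t in threads: t.join()
        used = db.execute("SELECT used FROM coupon").fetchone()[0]
        db.close()
        return sum(results), used

if __name__ == "__main__":
    print("unlocked:", run(redeem_unlocked), "locked:", run(redeem_locked))
```

The unlocked run accepts every redemption because each worker checked the counter before any of them wrote to it; the locked run accepts exactly one.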