OWASP 2022 Global AppSec San Francisco has ended
Global AppSec San Francisco returns November 14-18.

Designed for private and public sector infosec professionals, the two-day OWASP conferences equip developers, defenders, and advocates to build a more secure web. We are offering educational 1-day, 2-day, and 3-day training courses on November 14-16.

Join us for leading application security technologies, speakers, prospects, and the community, in a unique event that will build on everything you already know to expect from an OWASP Global Conference.
Back To Schedule
Friday, November 18 • 10:30am - 11:30am
Exploiting race conditions in web applications

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
This talk deals with ‘race conditions’ in web applications. From 2021 to 2022 we have seen an increase in race condition reports with huge bugbounty payouts affecting MS, AWS, Instagram and others, for example, leading to MFA-Bypass. According to MITRE it is still a big "research gap" and based on how easily race conditions are introduced into code and how difficult they are to detect, there are probably still a lot of vulnerable applications out there. This type of vulnerability allows an attacker to create unforeseen states as a result of overlapping and parallel program code sequences. By cleverly exploiting these conditions, advantages can be gained, such as bypassing anti-brute force mechanisms, overriding limits, overvoting, and other attack scenarios. As part of this talk a developed penetration testing tool with a distributed approach and a demo web application that is vulnerable to this type of attack is being presented. With help of the demo application and the developed race condition testing tool real-world attack scenarios will be demonstrated. Also results of tested SAST/DAST tools will be given to show how difficult it is to prevent and also test for race condition vulnerabilities.  

The learning objects are:
1. Introduction to the Race Condition and TOCTOU vulnerabilities, how they work and why exploiting them can be attractive to an attacker, how little is known about them and perhaps too often overlooked in penetration testing.
2. How easily the vulnerability exists in various web programming languages. And in which frameworks the vulnerabilities exist by default (example of a vulnerable PHP code snippet with race condition - "would you find it in a code review?").
3. Why our existing toolset consisting of DAST/SAST!/RASP/WAF etc. has difficulty preventing or detecting these vulnerabilities, and why it is necessary to look for race condition vulnerabilities as part of a penetration test.
4. Actual and impressive attack scenarios from bugbounty reports have been implemented in a vulnerable demo application and will be attacked during a live demo. The audience with the mindset of a breaker will learn how to test for race conditions during penetration testing.

avatar for Javan Rasokat

Javan Rasokat

Senior Application Security Specialist, Sage
Javan works as a Senior Application Security Specialist at Sage and supports software development teams in securing the software development life cycle. On the side, he teaches Secure Coding at DHBW University. Javan made his way into security through his keen interest in online gaming... Read More →

Friday November 18, 2022 10:30am - 11:30am PST
Seacliff AB