A race against time - How to exploit race conditions in web apps

Javan Rasokat

Abstract :

"From 2021 to 2022 we have seen an increase in race condition reports with huge bugbounty payouts affecting MS, AWS, Instagram and others, for example, leading to MFA-Bypass. According to MITRE it is still a big “research gap” and based on how easily race conditions are introduced into code and how difficult they are to detect, there are probably still a lot of vulnerable applications out there. This type of vulnerability allows an attacker to create unforeseen states as a result of overlapping and parallel program code sequences. By cleverly exploiting these conditions, advantages can be gained, such as bypassing anti-brute force mechanisms, overriding limits, overvoting, and other attack scenarios.

As part of this talk a developed penetration testing tool with a distributed approach and a demo web application that is vulnerable to this type of attack is being presented. With help of the demo application and the race condition testing tool real-world attack scenarios will be demonstrated. Also results of tested SAST/DAST tools will be given to show how difficult it is to prevent and also test for race condition vulnerabilities."

Speaker:  Javan Rasokat

Javan works as a senior application security specialist and supports software development teams in securing the software development life cycle. On the side, he teaches Secure Coding at DHBW University. He made his way into security through his keen interest in online gaming, where he soon began automating bots and reporting security vulnerabilities he found. He later turned his interests into his profession and became a security consultant.

He brings experience as a penetration tester and holds certifications such as CISSP, CCSP, CSSLP and GXPN, as well as a Master’s degree in Information Security Management.