Final race-condition-in-the-web

•

2 likes•1,903 views

Xchym Hiệp

Technology

Race Condition Attacks in Web Applications

gamma95[at]gmail[dot].com

About me

$g4mm4 === $gamma95
● Penetration tester
● Bugs hunter
● Full time Internet Troll

About the talk

● What is race condition?
● Race conditions in the web applications
● Prevention
● Demo
● References
● Q&A

What is race condition?

● A race condition or race hazard is a type of
flaw in an electronic or software system where
the output is dependent on the sequence or
timing of other uncontrollable events
● Race conditions can occur in electronics
systems, especially logic circuits, and in
computer software, especially multithreaded or
distributed programs.

in Electronics
● ∆t1 and ∆t2
represent the
propagation delays
of the logic
elements.

● When the input
value (A) changes,
the circuit outputs
a short spike of
duration (∆t1+∆t2)
- ∆t2 = ∆t1

In Computer Software (file system, networking ...)

System V Semaphore
PHP is compiled with --enable-sysvsem

LFI with phpinfo()
● What is LFI?
Local File Inclusion (also known as LFI) is the process of including
files on a server through the web browser. This vulnerability occurs
when a page include is not properly sanitized, and allows directory
traversal characters to be injected

LFI with phpinfo()
● Why PHPInfo()?
The output of the PHPInfo() script contains the values of the
PHP Variables, including any values set via _GET, _POST or
uploaded _FILES.

References

● Practical Race Condition Vulnerabilities in
Web Applications
https://defuse.ca/race-conditions-in-web-applications.htm

● "LFI with phpinfo() assistance"
http://www.insomniasec.com/publications/LFI With PHPInfo Assistance.pdf

● Nghệ thuật tận dụng lỗi phần mềm
http://bluemoon.com.vn/books/8935048992197.html

Similar to Final race-condition-in-the-web

CanSecWest (1)

Abhishek Singh

Near real-time anomaly detection at Lyft

markgrover

D3 Troubleshooting

Rocket Software

Unix Web servers and FireWall

webhostingguy

Unix Web servers and FireWall

webhostingguy

104 Common network devices

SsendiSamuel

Business applications have to be available, performant and functioning. Full stop. Even with thousands of infrastructure monitoring checks, you won’t be able to even begin to monitor the end-user’s perspective. The fact is: you monitor your IT, but you can only hope that your services will work. Time to change that. Time to use a framework. Time to use Robot Framework. My presentation will show you the demand for End2End-Monitoring and why Robot Framework is an excellent choice for automated application tests. You will also get to know Robotmk, the link between Robot Framework and Checkmk. It dovetails both tools extremely closely and gives your infrastructure monitoring a holistic approach. It is used by companies of diverse branches, as well as by authorities and governments. And once you have discovered the KubernetesLibrary, DataDriver, RequestsLibrary and all the many more libraries, you will not want to put Robot Framework down again. But that’s another story…

OSMC 2021 | Robotmk: You don’t run IT – you deliver services!

NETWAYS

Marton Balassi – Stateful Stream Processing

Flink Forward

Abstractions for managed stream processing platform (Arya Ketan - Flipkart)

KafkaZone

Crushing Latency with Vert.x

Paulo Lopes

Computer Archeticture

mahmoud

Java Profiling

zeroproductionincidents

AktaionPPTv5_JZedits

Rod Soto

DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...

Felipe Prado

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation. I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

EC-Council

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

Alejandro Hernández

Kernel Recipes 2018 - Mitigating Spectre and Meltdown (and L1TF) - David Wood...

Anne Nicolas

A trial investigation system for vulnerability on M2M network

Mocke Tech

Nowadays, M2M networks are growing up more and more, and many devices are active in M2M networks. Various devices are existing. It means many vulnerabilities existing in M2M networks. And it’s difficult to directly investigate those vulnerabilities because almost investigation system can’t play like those devices to not know the behavior of devices. The investigation system using Man-in-the-Middle proposed in this paper will make efforts to decrease theose vulnerabilities.

A Trial Investigation System for Vulnerability on M2M Network

Kiyotaka Atsumi

The progress in the industrial automation, automotive, biomedical and avionic sectors requires the use of safety network protocols that in some cases have to satisfy real time constrains. In this talk we will discuss about facing the major issues of the network, which tools to use to test and analyze the protocol and we will understand the usefulness of integrating PTP and PRP modules in our communication.

Alessio Lama - Development and testing of a safety network protocol

linuxlab_conf

Similar to Final race-condition-in-the-web (20)

CanSecWest (1)

Near real-time anomaly detection at Lyft

D3 Troubleshooting

Unix Web servers and FireWall

104 Common network devices

OSMC 2021 | Robotmk: You don’t run IT – you deliver services!

Marton Balassi – Stateful Stream Processing

Abstractions for managed stream processing platform (Arya Ketan - Flipkart)

Crushing Latency with Vert.x

Computer Archeticture

Java Profiling

AktaionPPTv5_JZedits

DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...

Hacker Halted 2014 - Post-Exploitation After Having Remote Access

DotDotPwn Fuzzer - Black Hat 2011 (Arsenal)

Kernel Recipes 2018 - Mitigating Spectre and Meltdown (and L1TF) - David Wood...

A trial investigation system for vulnerability on M2M network

A Trial Investigation System for Vulnerability on M2M Network

Alessio Lama - Development and testing of a safety network protocol

Recently uploaded

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Architecting Cloud Native Applications

WSO2

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Artificial Intelligence Chap.5 : Uncertainty

Architecting Cloud Native Applications

Cyberprint. Dark Pink Apt Group [EN].pdf

Exploring the Future Potential of AI-Enabled Smartphone Processors

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Ransomware_Q4_2023. The report. [EN].pdf

Strategies for Landing an Oracle DBA Job as a Fresher

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

AXA XL - Insurer Innovation Award Americas 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Final race-condition-in-the-web

2. Race Condition Attacks in Web Applications gamma95[at]gmail[dot].com

3. Breaking news

4. About me

5. About me $g4mm4 === $gamma95 ● Penetration tester ● Bugs hunter ● Full time Internet Troll

6. About the talk ● What is race condition? ● Race conditions in the web applications ● Prevention ● Demo ● References ● Q&A

7. What is race condition? ● A race condition or race hazard is a type of flaw in an electronic or software system where the output is dependent on the sequence or timing of other uncontrollable events ● Race conditions can occur in electronics systems, especially logic circuits, and in computer software, especially multithreaded or distributed programs.

8. in Electronics ● ∆t1 and ∆t2 represent the propagation delays of the logic elements. ● When the input value (A) changes, the circuit outputs a short spike of duration (∆t1+∆t2) - ∆t2 = ∆t1

9. In Computer Software (file system, networking ...)

10. in Web Applications: Hit Counter

11. in Web Applications: Hit Counter

12. Tell me why?

13. Tell me why?

14.

15. in Web Applications: Online Banking

16. in Web Applications: Online Banking

17. D3m0

18. Prevention

19. Semaphore

20. System V Semaphore PHP is compiled with --enable-sysvsem

21. LFI with phpinfo() ● What is LFI? Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected

22. LFI with phpinfo() ● Why PHPInfo()? The output of the PHPInfo() script contains the values of the PHP Variables, including any values set via _GET, _POST or uploaded _FILES.

23. How to win the race ?

24. D3m0

25. References ● Practical Race Condition Vulnerabilities in Web Applications https://defuse.ca/race-conditions-in-web-applications.htm ● "LFI with phpinfo() assistance" http://www.insomniasec.com/publications/LFI With PHPInfo Assistance.pdf ● Nghệ thuật tận dụng lỗi phần mềm http://bluemoon.com.vn/books/8935048992197.html

26. Questions?

27. That's all folks!

Final race-condition-in-the-web

Recommended

Recommended

More Related Content

Similar to Final race-condition-in-the-web

Similar to Final race-condition-in-the-web (20)

Recently uploaded

Recently uploaded (20)

Final race-condition-in-the-web