Race Condition Attacks in Web Applications             gamma95[at]gmail[dot].com
Breaking news
About me
About me     $g4mm4 === $gamma95 ●   Penetration tester ●   Bugs hunter ●   Full time Internet Troll
About the talk●   What is race condition?●   Race conditions in the web applications●   Prevention●   Demo●   References● ...
What is race condition?●   A race condition or race hazard is a type of    flaw in an electronic or software system where ...
in Electronics●   ∆t1 and ∆t2    represent the    propagation delays    of the logic    elements.●   When the input    val...
In Computer Software (file system, networking ...)
in Web Applications: Hit Counter
in Web Applications: Hit Counter
Tell me why?
Tell me why?
in Web Applications: Online Banking
in Web Applications: Online Banking
D3m0
Prevention
Semaphore
System V Semaphore PHP is compiled with --enable-sysvsem
LFI with phpinfo()●   What is LFI?    Local File Inclusion (also known as LFI) is the process of including    files on a s...
LFI with phpinfo()●   Why PHPInfo()?      The output of the PHPInfo() script contains the values of the      PHP Variables...
How to win the race ?
D3m0
References●   Practical Race Condition Vulnerabilities in    Web Applications      https://defuse.ca/race-conditions-in-we...
Questions?
Thats all folks!
Final race-condition-in-the-web
Final race-condition-in-the-web
Upcoming SlideShare
Loading in …5
×

Final race-condition-in-the-web

1,745 views

Published on

Published in: Technology
1 Comment
1 Like
Statistics
Notes
No Downloads
Views
Total views
1,745
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
40
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

Final race-condition-in-the-web

  1. 1. Race Condition Attacks in Web Applications gamma95[at]gmail[dot].com
  2. 2. Breaking news
  3. 3. About me
  4. 4. About me $g4mm4 === $gamma95 ● Penetration tester ● Bugs hunter ● Full time Internet Troll
  5. 5. About the talk● What is race condition?● Race conditions in the web applications● Prevention● Demo● References● Q&A
  6. 6. What is race condition?● A race condition or race hazard is a type of flaw in an electronic or software system where the output is dependent on the sequence or timing of other uncontrollable events● Race conditions can occur in electronics systems, especially logic circuits, and in computer software, especially multithreaded or distributed programs.
  7. 7. in Electronics● ∆t1 and ∆t2 represent the propagation delays of the logic elements.● When the input value (A) changes, the circuit outputs a short spike of duration (∆t1+∆t2) - ∆t2 = ∆t1
  8. 8. In Computer Software (file system, networking ...)
  9. 9. in Web Applications: Hit Counter
  10. 10. in Web Applications: Hit Counter
  11. 11. Tell me why?
  12. 12. Tell me why?
  13. 13. in Web Applications: Online Banking
  14. 14. in Web Applications: Online Banking
  15. 15. D3m0
  16. 16. Prevention
  17. 17. Semaphore
  18. 18. System V Semaphore PHP is compiled with --enable-sysvsem
  19. 19. LFI with phpinfo()● What is LFI? Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected
  20. 20. LFI with phpinfo()● Why PHPInfo()? The output of the PHPInfo() script contains the values of the PHP Variables, including any values set via _GET, _POST or uploaded _FILES.
  21. 21. How to win the race ?
  22. 22. D3m0
  23. 23. References● Practical Race Condition Vulnerabilities in Web Applications https://defuse.ca/race-conditions-in-web-applications.htm● "LFI with phpinfo() assistance" http://www.insomniasec.com/publications/LFI With PHPInfo Assistance.pdf● Nghệ thuật tận dụng lỗi phần mềm http://bluemoon.com.vn/books/8935048992197.html
  24. 24. Questions?
  25. 25. Thats all folks!

×