ZeroNights 2018 | Race Condition Tool
•
0 likes•289 views
The document discusses RCE Tool, a security tool for finding race conditions in web applications. It describes sending HTTP requests in parallel or sequentially, configuring delays between requests, and advantages like using a C library. Future plans include parsing HTTP responses, supporting HTTP/2, and allowing multiple transactions in a single race. The tool aims to find race conditions but currently lacks many features. It is open source and available on GitHub.
More Related Content
Similar to ZeroNights 2018 | Race Condition Tool
Similar to ZeroNights 2018 | Race Condition Tool (14)
More from Дмитрий Бумов
More from Дмитрий Бумов (20)
Recently uploaded
Recently uploaded (20)
ZeroNights 2018 | Race Condition Tool
- 1. RCE TOOL Security researches and your mother ❤
- 2. Thx Vlad Roskov! • CTFing since 2009 • Racing since 2013
- 5. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - u have $150? - ofc! $200 User1 - ok, let’s go! Web application
- 6. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - thx $200 User1 - this is 4 u Web application
- 7. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - give me my money! - ok! $200-150 User1 Web application
- 8. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - give me my money! - ok! $50 User1 +$150 Web application
- 9. -Knock, knock -Race Conditon! -Race Conditon! -Race Conditon! -Who's there?
- 10. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - u have $150?- ofc! - ofc! - ofc! - ofc! $200 - ok, let’s go! Web application User1
- 11. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - thx - thx - thx - thx $200 - this is 4 u User1 Web application
- 12. if ( user.money >= 150) { user.add ( item ) user.money = user.money - 150 } else { warning("I'm sorry, u have no money!") } - give me my money! - ok! $200 -150 -150 -150 -150 Web application User1
- 13. User 1: • Have 4 items • Have -400 dollars -$400 User1
- 14. Race condition & web applications
- 15. Simple practice
- 16. • HTTP/1.0 style • One session Simple practice
- 17. Parallel mode: Create one connection for each request. It is possible to hold the sending of the last N bytes for a while. Sequential mode: All requests in one tcp frame. There is a limit to the length (65536 bytes, but actually a little less). Work in 2 mode:
- 18. Delay between parts of requests
- 19. racepwn Advantages Sending requests implemented on C! (librace) You can use this librace anywhere And we wrote utility (which can run as a console application, and start as a webapp) fck
- 20. racepwn Disadvantages not enough parsing http responses, no support for http 2, http-auth, well, a lot of things! but we are not upset! (we will develop) fck
- 21. Config Example [{ "race" : { "type" : "paralell", "delay_time_usec" : 10000, "last_chunk_size" : 1 }, "raw": { "host": "tcp://localhost:8080", "ssl": false, "race_param": [{ "data": "GET / HTTP/1.1rnHost: example.comrnrn", "count": 100 }] } }, ]
- 23. TODO Future plan! • parsing http responses • http2 ! • support for multiple transactions on the same race • plugin for burp (but it is not exact)
- 24. How to fix