
Hunting for Race Conditions

Published 2024-10-11 20:34:00

Hunting for race conditions is simple, but it often involves an element of luck. Following these steps maximizes your chances of success.

Step 1: Find Features Prone to Race Conditions

Attackers use race conditions to subvert access controls. In theory, any application whose sensitive actions rely on an access-control check that is performed separately from the action it guards (check the balance, then debit it) could be vulnerable.

Most of the time, race conditions occur in features that deal with numbers, such as online voting, online gaming scores, bank transfers, e-commerce payments, and gift card balances. Look for these features in an application and take note of the request that updates each of these numbers.

For example, say that in your proxy you have spotted the request your banking site uses to transfer money. Copy this request to use for testing. In Burp Suite, you can copy a request by right-clicking it and selecting Copy as curl command.

Step 2: Send Simultaneous Requests

You can then test for and exploit race conditions in the target by sending multiple requests to the server simultaneously.

For example, if you have $3,000 in your bank account and want to see whether you can transfer more money than you have, you can send several transfer requests to the server at the same time with the curl command. If you copied the command from Burp, paste it into your terminal several times with a & character between the copies. In a POSIX shell, a trailing & starts the preceding command in the background and immediately moves on to the next one, so all of the copies run concurrently. Each curl still opens its own connection, so the requests land within a window of some milliseconds rather than truly at once; append wait at the end of the chain so the shell collects every response before you check the result:

curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000)
& curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000)

Be sure to test operations that should be allowed once, but not multiple times. For example, if you have a bank account balance of $3,000, testing a transfer of $5,000 is pointless, because even a single request would be rejected. But testing a transfer of $10 multiple times is also pointless, since you can do that even without a race condition. The key is to test the application's limits by executing operations that should not be repeatable: a transfer of the full $3,000 should succeed exactly once.

Step 3: Check the Results

Check whether your attack has succeeded. In our example, if the destination account ends up with more than $3,000 added after the simultaneous requests, your attack has succeeded, and you can conclude that a race condition exists on the balance-transfer endpoint.

Note that whether your attack succeeds depends on how the server happens to interleave the concurrent requests (thread scheduling, database locking, network timing), which is a matter of luck. However, the more requests you send within a short time frame, the more likely your attack is to succeed. Also, many tests for race conditions won't succeed the first time, so try a few more times before giving up.
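The following is an added example, not code from the original page or the book it translates, that walks Steps 2 and 3 against a constructed stand-in for the transfer endpoint so it runs offline. The Bank class, the account ids src and dst, the $3,000 starting balance and the 100 ms latency between the balance check and the debit are all assumptions; the latency models the gap between the query that reads the balance and the one that updates it. The same class can be constructed in a hardened mode where the check and the debit are done under one lock, so you can see what a negative result looks like and why the fix works.

```python
"""Race a balance-transfer endpoint and compare a vulnerable and a hardened server.

Constructed example: the 'server' is an in-memory stand-in for the transfer
endpoint, so this runs offline. Account ids, balances and the 100 ms latency
are assumptions chosen to mirror the $3,000 example in the text.
"""
import threading
import time


class Bank:
    """Minimal transfer endpoint. atomic=False reproduces the check-then-act bug."""

    def __init__(self, atomic, latency=0.1):
        # Source holds $3,000 and the destination is empty, as in the text.
        self.accounts = {"src": 3000, "dst": 0}
        self.atomic = atomic
        # Simulated round trip between the balance check and the debit
        # (for example a SELECT followed later by a separate UPDATE).
        self.latency = latency
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount):
        """Return an HTTP-style status code: 200 accepted, 403 rejected."""
        if self.atomic:
            # Hardened: check and debit happen under one lock, so no other
            # request can observe the balance between them. A real backend gets
            # the same effect with SELECT ... FOR UPDATE or a conditional
            # UPDATE ... WHERE balance >= amount.
            with self._lock:
                return self._check_then_act(src, dst, amount)
        # Vulnerable: the check and the debit are not atomic.
        return self._check_then_act(src, dst, amount)

    def _check_then_act(self, src, dst, amount):
        if amount <= 0 or self.accounts[src] < amount:
            return 403
        time.sleep(self.latency)  # race window: other requests pass the check here
        self.accounts[src] -= amount
        self.accounts[dst] += amount
        return 200


def race(bank, n, amount=3000):
    """Step 2: fire n transfer requests at once. Step 3: summarise the outcome.

    A Barrier releases all threads together, which is what chaining
    `curl ... &` approximates from the shell; it only narrows the window in
    which the requests arrive.
    """
    gate = threading.Barrier(n)
    statuses = []
    statuses_lock = threading.Lock()

    def worker():
        gate.wait()
        code = bank.transfer("src", "dst", amount)
        with statuses_lock:
            statuses.append(code)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "accepted": statuses.count(200),
        "rejected": statuses.count(403),
        "src": bank.accounts["src"],
        "dst": bank.accounts["dst"],
    }


def race_condition_found(result, amount=3000):
    """Step 3 check from the text: more than one transfer's worth reached dst."""
    return result["dst"] > amount


if __name__ == "__main__":
    for label, atomic in (("vulnerable", False), ("hardened", True)):
        outcome = race(Bank(atomic=atomic), n=6)
        print(label, outcome, "race condition:", race_condition_found(outcome))
```

Run it and the vulnerable server accepts all six $3,000 transfers, leaving the source account deeply negative and the destination with far more than $3,000, while the hardened server accepts exactly one and rejects the other five. Against a real target you have no control over the latency, which is why the text says to send as many requests as you can in a short window and to retry: the wider the gap between the server's check and its update, the more requests slip through.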

Step 4: Create a Proof of Concept

Once you have found a race condition, you will need to provide proof of the vulnerability in your report. The best way to do this is to lay out the steps needed to exploit the vulnerability. For example, you can lay out the exploitation steps like so:

  1. Create an account with a $3,000 balance and another one with zero balance. The account with $3,000 will be the source account for our transfers, and the one with zero balance will be the destination.
  2. Execute this command:
    curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000)
    & curl (transfer $3000) & curl (transfer $3000) & curl (transfer $3000)

    This will attempt to transfer $3,000 to another account multiple times simultaneously.

  3. You should see more than $3,000 in the destination account. If you don't, reverse the transfer and try the attack a few more times.

Since the success of a race condition attack depends on luck, make sure you include instructions to try again if the first test fails. If the vulnerability exists, the attack should succeed eventually after a few tries.
