When a Race Condition Becomes a Vulnerability

Published 2024-10-11 20:34:00

A race condition becomes a vulnerability when it affects a security control mechanism. In those cases, attackers can induce a situation in which a sensitive action executes before a security check is complete. For this reason, race condition vulnerabilities are also referred to as time-of-check to time-of-use (TOCTOU) vulnerabilities.

Imagine that the two threads of the previous example are executing something a little more sensitive: the transfer of money between bank accounts. The application would have to perform three subtasks to transfer the money correctly. First, it has to check if the originating account has a high enough balance. Then, it must add money to the destination account. Finally, it must deduct the same amount from the originating account.

Let’s say that you own two bank accounts, account A and account B. You have $500 in account A and $0 in account B. You initiate two money transfers of $500 from account A to account B at the same time. Ideally, when two money transfer requests are initiated, the program should behave as shown in Table 12-3.

Table 12-3: Normal Execution of Two Threads Operating on the Same Bank Account

| Stage | Thread 1 | Thread 2 | Balance of accounts A + B |
|---|---|---|---|
| Stage 1 | Check account A balance ($500) | | $500 |
| Stage 2 | Add $500 to account B | | $1,000 ($500 in A, $500 in B) |
| Stage 3 | Deduct $500 from account A | | $500 ($0 in A, $500 in B) |
| Stage 4 | | Check account A balance ($0) | $500 ($0 in A, $500 in B) |
| Stage 5 | | Transfer fails (low balance) | $500 ($0 in A, $500 in B) |

You end up with the correct amount of money in the end: a total of $500 in your two bank accounts. But if you can send the two requests simultaneously, you might be able to induce a situation in which the execution of the threads looks like Table 12-4.

Table 12-4: Faulty Transfer Results Due to a Race Condition

| Stage | Thread 1 | Thread 2 | Balance of accounts A + B |
|---|---|---|---|
| Stage 1 | Check account A balance ($500) | | $500 |
| Stage 2 | | Check account A balance ($500) | $500 |
| Stage 3 | Add $500 to account B | | $1,000 ($500 in A, $500 in B) |
| Stage 4 | | Add $500 to account B | $1,500 ($500 in A, $1,000 in B) |
| Stage 5 | Deduct $500 from account A | | $1,000 ($0 in A, $1,000 in B) |
| Stage 6 | | Deduct $500 from account A | $1,000 ($0 in A, $1,000 in B) |

Note that, in this scenario, you end up with more money than you started with. Instead of having $500 in your accounts, you now own a total of $1,000. You made an additional $500 appear out of thin air by exploiting a race condition vulnerability!

Although race conditions are often associated with financial sites, attackers can use them in other situations too, such as to rig online voting systems. Let’s say an online voting system performs three subtasks to process an online vote. First, it checks if the user has already voted. Then, it adds a vote to the vote count of the selected candidate. Finally, it records that the user has voted to prevent them from casting a vote again.

Say you try to cast a vote for candidate A twice, simultaneously. Ideally, the application should reject the second vote, following the procedure in Table 12-5.

Table 12-5: Normal Execution of Two Threads Operating on the Same User’s Votes

| Stage | Thread 1 | Thread 2 | Votes for candidate A |
|---|---|---|---|
| Stage 1 | | | 100 |
| Stage 2 | Check whether the user has already voted (they haven’t) | | 100 |
| Stage 3 | Increase candidate A’s vote count | | 101 |
| Stage 4 | Mark the user as Already Voted | | 101 |
| Stage 5 | | Check whether the user has already voted (they have) | 101 |
| Stage 6 | | Reject the user’s vote | 101 |

But if the voting application has a race condition vulnerability, execution might turn into the scenario shown in Table 12-6, which gives users the power to cast potentially unlimited votes.

Table 12-6: User Able to Vote Twice by Abusing a Race Condition

| Stage | Thread 1 | Thread 2 | Votes for candidate A |
|---|---|---|---|
| Stage 1 | | | 100 |
| Stage 2 | Check whether the user has already voted (they haven’t) | | 100 |
| Stage 3 | | Check whether the user has already voted (they haven’t) | 100 |
| Stage 4 | Increase candidate A’s vote count | | 101 |
| Stage 5 | | Increase candidate A’s vote count | 102 |
| Stage 6 | Mark the user as Already Voted | | 102 |
| Stage 7 | | Mark the user as Already Voted | 102 |

An attacker can follow this procedure to fire two, ten, or even hundreds of requests at once, and then see which vote requests get processed before the user is marked as Already Voted.
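The transfer race in Table 12-4 and the vote race in Table 12-6 are the same check-then-act defect. The following Python simulation is an added example, not the book's code: a barrier forces the interleaving from the tables, and the `locked` flag shows the fix of holding one lock across check and update. The `Service` class, its starting balances and the user name "alice" are constructed for the demo.

```python
import threading
from contextlib import nullcontext

# Constructed simulation of the check-then-act races in Tables 12-4 and 12-6
# (added example, not the book's code). The Barrier forces the interleaving
# an attacker otherwise gets by timing two requests to land together.
class Service:
    def __init__(self):
        self.balances = {"A": 500, "B": 0}          # bank scenario
        self.votes_for_a, self.voted = 100, set()   # voting scenario
        self.lock = threading.RLock()

    def transfer(self, amount, locked, gate=None):
        with (self.lock if locked else nullcontext()):   # fix: check + update atomic
            if self.balances["A"] < amount:              # time of check
                return False
            if gate is not None:
                gate.wait()                              # both threads hold a stale check
            with self.lock:                              # the write alone is atomic
                self.balances["B"] += amount             # time of use
                self.balances["A"] -= amount
            return True

    def cast_vote(self, user, locked, gate=None):
        with (self.lock if locked else nullcontext()):
            if user in self.voted:                       # time of check
                return False
            if gate is not None:
                gate.wait()
            with self.lock:
                self.votes_for_a += 1                    # time of use
                self.voted.add(user)
            return True

def race(action, *args, locked=False):
    """Fire two identical requests at once; returns (sorted results, service)."""
    svc = Service()
    gate = None if locked else threading.Barrier(2, timeout=5)
    results = []
    def worker():
        results.append(getattr(svc, action)(*args, locked, gate=gate))
    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sorted(results, reverse=True), svc

if __name__ == "__main__":
    for locked in (False, True):
        print("transfer", locked, race("transfer", 500, locked=locked)[1].balances)
        print("vote", locked, race("cast_vote", "alice", locked=locked)[1].votes_for_a)
```

Without the outer lock both requests succeed (account B reaches $1,000 and the vote count 102, matching the tables); with it the second request's check sees the updated state and is rejected.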

Most race condition vulnerabilities are exploited to manipulate money, gift card credits, votes, social media likes, and so on. But race conditions can also be used to bypass access control or trigger other vulnerabilities. You can read about some real-life race condition vulnerabilities on the HackerOne Hacktivity feed ( https://hackerone.com/hacktivity?querystring=race%20condition/ ).