Exploiting and Protecting Against Race Conditions

Exploiting and Protecting Against Race Conditions | Lightning Security 一文介绍了Race Condition 的测试方法.

常出现问题的地方

需要进行数据库操作的地方. 由于有延时,如果没有 Lock, 当 Application同时间接受多个请求, 数据库还没有完成上一个请求的操作, 下一个请求就来了.

In short, you should look for race conditions whenever a one-time action occurs, whether sending money, redeeming coupons, or casting a vote.

测试方式

  1. Burp 拦截 traffic
  2. Copy traffic as a curl command
  3. Open a terminal
  4. Run {command} & {command}

Ref

Exploiting and Protecting Against Race Conditions | Lightning Security

Show Comments