The article "Exploiting and Protecting Against Race Conditions | Lightning Security" describes how to test for race conditions.
Where the problem usually shows up
Anywhere a request performs a database operation. The operation takes time, so if there is no lock and the application accepts several requests at the same moment, the next request arrives before the database has finished processing the previous one; every request that reads the state before the first write lands passes the same check.
In short, you should look for race conditions whenever a one-time action occurs, whether sending money, redeeming coupons, or casting a vote.
How to test
- Intercept the traffic with Burp
- Copy the request as a curl command
- Open a terminal
- Run the copied command several times in parallel: {command} & {command}
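The check-then-act race described above, together with the "fire the same request in parallel" test, as an added example in Python. This is not code from the Lightning Security article: the coupon table, the code `SAVE10`, the artificial delay between the check and the write, and the function names are all assumptions made for the demonstration. `redeem_vulnerable` does the check and the write as two statements; `redeem_fixed` lets the database do both in one conditional `UPDATE` and treats `rowcount` as the result.

```python
"""Added example (not from the Lightning Security article): a one-time action
(redeeming a coupon) implemented as a separate check and write, hit by
concurrent requests, beside the atomic version that closes the race."""
import os
import sqlite3
import tempfile
import threading
import time

REQUESTS = 10                 # number of "parallel curl" requests we simulate
CHECK_TO_WRITE_DELAY = 0.2    # assumed latency between the check and the write


def _new_db():
    """Create a fresh SQLite file holding one unredeemed coupon (constructed
    sample data) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE coupons (code TEXT PRIMARY KEY, "
        "redeemed INTEGER NOT NULL DEFAULT 0, uses INTEGER NOT NULL DEFAULT 0)"
    )
    con.execute("INSERT INTO coupons (code) VALUES ('SAVE10')")
    con.commit()
    con.close()
    return path


def redeem_vulnerable(path, code):
    """Check-then-act: the SELECT and the UPDATE are separate statements, so
    every request that reads redeemed = 0 before anyone writes 'succeeds'."""
    con = sqlite3.connect(path, isolation_level=None, timeout=10)  # autocommit
    try:
        rows = con.execute("SELECT redeemed FROM coupons WHERE code = ?", (code,)).fetchall()
        if not rows or rows[0][0]:
            return False
        time.sleep(CHECK_TO_WRITE_DELAY)   # the window the parallel requests exploit
        con.execute("UPDATE coupons SET redeemed = 1, uses = uses + 1 WHERE code = ?", (code,))
        return True
    finally:
        con.close()


def redeem_fixed(path, code):
    """Atomic conditional update: the database performs check and write as one
    statement, so exactly one request can flip redeemed from 0 to 1."""
    con = sqlite3.connect(path, isolation_level=None, timeout=10)
    try:
        cur = con.execute(
            "UPDATE coupons SET redeemed = 1, uses = uses + 1 "
            "WHERE code = ? AND redeemed = 0",
            (code,),
        )
        return cur.rowcount == 1           # 0 rows changed means someone else won
    finally:
        con.close()


def fire_in_parallel(redeem, path, code, n=REQUESTS):
    """Simulate `{command} & {command} & ...`: n threads released by a barrier at
    the same instant. Returns (requests told 'success', uses recorded in the DB)."""
    barrier = threading.Barrier(n)
    results, lock = [], threading.Lock()

    def worker():
        barrier.wait()                     # all requests start together
        ok = redeem(path, code)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    uses = con.execute("SELECT uses FROM coupons WHERE code = ?", (code,)).fetchone()[0]
    con.close()
    os.remove(path)
    return sum(results), uses


if __name__ == "__main__":
    print("vulnerable (successes, uses):", fire_in_parallel(redeem_vulnerable, _new_db(), "SAVE10"))
    print("fixed      (successes, uses):", fire_in_parallel(redeem_fixed, _new_db(), "SAVE10"))
```

Run it once and compare the two lines: the vulnerable version reports many successful redemptions of a single-use coupon, the fixed version exactly one. The same idea applies to money transfers and votes: either make the check and the write one atomic statement, or take a row lock (for example `SELECT ... FOR UPDATE` inside a transaction on databases that support it) before checking.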
Ref
Exploiting and Protecting Against Race Conditions | Lightning Security