Race Condition: The biggest security threat in modern web applications

What Is a Race Condition Vulnerability?

A race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. This technique takes advantage of a time gap between the moment a service is initiated and the moment a security control takes effect. 

This attack, which depends on multithreaded applications, can be delivered in one of two ways: interference caused by untrusted processes (essentially a piece of code that slips into a sequence between steps of a secure programs), and interference caused by a trusted process, which may have the “same” privileges. Without proper controls, different processes can interfere with each other. Other names used to refer to this vulnerability include Time of Check/Time of Use or TOC/TOU attacks.

An ideal Scenario:

There are 2 persons, let us name them as Alice and Bob. Assuming Alice has $100 in his bank account and Bob has $0 in his bank account. The goal is to transfer more money than the available account balance. 

1. Bob asks Alice to send $200. Alice can transfer $100 at max and after that, he will get a message “Insufficient Balance”. This situation is obvious. 
2. Alice logs into his bank account and initiates a transaction of $100. He then captures this transfer request using a web proxy tool and sends it to the Intruder tab. He increases the number of threads to 25 instead of the default value and selects the payload type as null payload, as he is going to replay this captured request as it is by sending multiple requests simultaneously. 
3. Alice then starts the Intruder attack and observes the results. Since there is a delay between when the server checks Alice’s balance and sends the money. He ends up with $-100 in his account and Bob gets $200 ($100 as mentioned in the Initial Transfer request + addition of extra $100 due to Race Condition vulnerability since this application has simultaneously processed one of the Transfer requests from the bunch of 25 threads before the Initial request completes its entire checks and operations). Good news for Alice and the bad news for the bank.  

Note: The success of the attackers would depend on the process of scheduling algorithm of the server.

Potential Impact:

1. Can redeem the same coupon multiple times
2. Can withdraw more money during a money transfer 
3. Can cast multiple votes where a user is limited to only one vote 

Figure 1: An example of Race Condition

What Happens During a Race Condition Attack?

Web applications, file systems, and networking environments are all vulnerable to a race condition attack. Attackers might target an access control list (ACL), a payroll or human resources database, a transactional system, a financial ledger, or some other data repository. Although race condition attacks don’t happen frequently — because they’re relatively difficult to engineer and attackers must exploit a very brief window of opportunity — when they do happen, they can lead to serious repercussions, including a system granting unauthorized privileges. What’s more, race condition attacks are inherently difficult to detect.

Remediation:

The best way to prevent a race condition is through resource locks. This ensures that at any given point in time, at most one thread can modify the database. You can also implement CSRF tokens in a web application as a second layer of defence which makes it more difficult to automate the large number of requests (as described in the attack scenario) required to trigger a Race Condition. 

How to Identify:

Look for the application functionality wherein a user can tamper with the sequence of the events like applying the same discount code twice at the same moment. This can be done by sending multiple requests to the server simultaneously. 

Usually, race conditions can affect applications that apply mathematical functions like add and subtract, for example, money transfers, modifying a product price by applying a gift card or discount voucher, and so on. 

Race condition bugs are mostly on the endpoints which deal with adding, removing, and changing of a resource. This will occur mostly in multi-threaded applications. So, having a detailed understanding of the functionalities of an application would help detect such an attack. Spending some time as a user to understand the application functionalities is the key factor.  

Tool:

A Web Application Proxy such as Burp Suite. 

The above blog is one of the many steps taken by our team at AFour Technologies towards our continuous efforts of educating businesses about various security threats. If this is something you or your business is also concerned about, our security experts would love to have a conversation with you.