
Exploiting Race Condition Vulnerabilities in Web Applications

Date: August 26, 2022
Time: 17:30
Track: CommSec Track

This talk deals with race conditions in web applications. From 2021 to 2022 we have seen an increase in race condition reports with large bug bounty payouts affecting Microsoft, AWS, Instagram and others, for example leading to MFA bypass. According to MITRE this is still a major "research gap", and given how easily race conditions are introduced into code and how hard they are to detect, there are probably still many vulnerable applications out there. This class of vulnerability lets an attacker create unforeseen program states by making overlapping, parallel code sequences interleave. By exploiting such conditions cleverly, an attacker can gain advantages such as bypassing anti-brute-force mechanisms, exceeding limits, overvoting, and other attack scenarios.

As part of this talk, a purpose-built penetration-testing tool with a distributed approach and a demo web application vulnerable to this type of attack are presented. With the demo application and the race condition testing tool, real-world attack scenarios will be demonstrated. Results from the SAST/DAST tools that were tested will also be given, to show how difficult it is both to prevent and to test for race condition vulnerabilities.

The learning objectives of the talk, in order, are:

  • Introduction to race condition and TOCTOU vulnerabilities: how they work, why exploiting them is attractive to an attacker, how little is known about them, and why they are too often overlooked in penetration testing.
  • How easily the vulnerability arises in various web programming languages, and in which frameworks it exists by default (including a vulnerable PHP code snippet with a race condition: "would you find it in a code review?").
  • Why our existing toolset of DAST/SAST/RASP/WAF and the like has difficulty preventing or detecting these vulnerabilities, and why it is therefore necessary to look for race conditions as part of a penetration test.
  • Real and impressive attack scenarios taken from bug bounty reports have been implemented in a vulnerable demo application and will be attacked in a live demo. Attendees with a breaker's mindset will learn how to test for race conditions during penetration testing.
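The "override a limit" scenario from the abstract, as an added example that is not the talk's tool or demo application: a single-use coupon endpoint written check-then-act (the TOCTOU shape the PHP snippet in the talk illustrates), the same endpoint with check and act folded into one atomic UPDATE, and a small tester that fires concurrent requests at both and counts how many redemptions the server accepted. The coupon code, table, routes and the `RACE_WINDOW` sleep are all invented for the demonstration; the sleep stands in for the database/network latency that an attacker actually races into.

```python
"""Added example: check-then-act race in a coupon endpoint, its atomic fix, and a
concurrent tester.  Nothing here is from the talk's tool or demo app; the coupon
code, table, routes and RACE_WINDOW are invented for illustration."""
import os
import sqlite3
import tempfile
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

RACE_WINDOW = 0.5  # seconds; artificial stand-in for real (millisecond) latency


def redeem_vulnerable(db_path, code):
    """TOCTOU: remaining is checked in one statement and decremented in another.
    Every request that reads remaining > 0 before the first UPDATE lands succeeds."""
    con = sqlite3.connect(db_path, isolation_level=None, timeout=5)  # autocommit
    try:
        row = con.execute("SELECT remaining FROM coupons WHERE code = ?", (code,)).fetchone()
        if row is None or row[0] <= 0:
            return False                      # time of check
        time.sleep(RACE_WINDOW)               # the window the attacker races into
        con.execute("UPDATE coupons SET remaining = remaining - 1 WHERE code = ?", (code,))
        return True                           # time of use
    finally:
        con.close()


def redeem_hardened(db_path, code):
    """Check and act in ONE statement: the database evaluates the predicate and
    applies the decrement atomically, so exactly one concurrent caller gets rowcount 1."""
    con = sqlite3.connect(db_path, isolation_level=None, timeout=5)
    try:
        cur = con.execute(
            "UPDATE coupons SET remaining = remaining - 1 WHERE code = ? AND remaining > 0",
            (code,),
        )
        return cur.rowcount == 1
    finally:
        con.close()


class RedeemHandler(BaseHTTPRequestHandler):
    """POST /vulnerable/<code> or POST /hardened/<code>: 200 on success, 409 when exhausted."""
    db_path = None  # set by run_demo()

    def do_POST(self):
        mode, _, code = self.path.strip("/").partition("/")
        redeem = redeem_vulnerable if mode == "vulnerable" else redeem_hardened
        ok = redeem(self.db_path, code)
        self.send_response(200 if ok else 409)
        self.end_headers()
        self.wfile.write(b"redeemed\n" if ok else b"exhausted\n")

    def log_message(self, *args):  # silence per-request logging
        pass


def fresh_db(code="SAVE10", remaining=1):
    """Constructed fixture: one single-use coupon in a throwaway SQLite file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, remaining INTEGER NOT NULL)")
    con.execute("INSERT INTO coupons VALUES (?, ?)", (code, remaining))
    con.commit()
    con.close()
    return path


def race(url, attempts=10):
    """The tester: send `attempts` identical POSTs as close together as the local
    thread pool allows and count how many the server accepted."""
    def fire(_):
        try:
            with urlopen(Request(url, method="POST"), timeout=10) as resp:
                return resp.status == 200
        except HTTPError:           # 409 "exhausted" is raised as HTTPError by urllib
            return False
    with ThreadPoolExecutor(max_workers=attempts) as pool:
        return sum(pool.map(fire, range(attempts)))


def run_demo(mode, attempts=10):
    """Start the endpoint on a free port, race it, return the number of accepted redemptions."""
    db_path = fresh_db()
    RedeemHandler.db_path = db_path
    server = ThreadingHTTPServer(("127.0.0.1", 0), RedeemHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return race(f"http://127.0.0.1:{port}/{mode}/SAVE10", attempts)
    finally:
        server.shutdown()
        server.server_close()
        os.remove(db_path)


if __name__ == "__main__":
    print("vulnerable: single-use coupon redeemed", run_demo("vulnerable"), "times")
    print("hardened:   single-use coupon redeemed", run_demo("hardened"), "times")
```

The vulnerable endpoint accepts several redemptions of a coupon that should work once, because every handler that passes the SELECT before the first UPDATE commits has already been told "yes". The hardened endpoint accepts exactly one, whatever the concurrency, because the predicate and the write are a single statement the database serializes; the same effect is obtained with a row lock (`SELECT ... FOR UPDATE`) or a unique constraint on the redemption record. Two caveats for anyone turning this into a test: the half-second sleep is what makes ten plain threads reliably overlap, whereas real windows are milliseconds and require the tester to synchronize request arrival far more tightly (which is what dedicated tooling, including the distributed approach the talk describes, is for); and a response count is only evidence of a race, so confirm the business impact afterwards (here, the coupon's `remaining` going negative).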

Speakers

Researcher

National University of Singapore

Dr. Wang Kailong is currently a research fellow at the National University of Singapore (NUS). He received his PhD from the School of Computing, NUS, in 2022, and worked as a Research Assistant at NUS while pursuing the degree from 2016 to 2021. His research interests include mobile and web security and privacy, and protocol verification. His work has appeared in top conferences such as WWW and MobiCom.

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously VP and head of Palo Alto Networks' Israeli site, and is a serial entrepreneur. Mr. Diskin's research has been featured at HITB, DEF CON, Black Hat, CCC and other conferences, spanning fields from low-level security research such as hardware vulnerabilities, binary instrumentation and car hacking to high-level research on AI detection methods, enterprise security and identity security. Mr. Diskin was also the technical lead and co-founder of Intel's software security organization, and CTO of Cyvera and HeXponent (co-founder) before their acquisition.

Senior Security Researcher

Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a senior security researcher focusing mainly on vulnerability research in wireless and vehicle security. He won GeekPwn 2020 and made it into the Tesla hall of fame in 2021. Kevin2600 has spoken at conferences including KCON, DEF CON and CanSecWest.

Security Researcher

Li Siwei is a security researcher specializing in big data analysis and AI security.

Founder, CEO

CloudSEK

Rahul Sasi is an Indian entrepreneur, founder of CloudSEK and a security expert. He was voted the top influential cyber security person of 2015, has made significant open source contributions to the security landscape, and has been an invited speaker in more than 20 countries. He is part of the working committees of RBI and MeitY.
CloudSEK : https://cloudsek.com/
LinkedIn: https://www.linkedin.com/in/fb1h2s/

Senior Security Engineer

CloudSEK

Vishal Singh is a Senior Security Engineer at CloudSEK, where his main responsibility is the research and development of CloudSEK ASM. He loves automating manual tasks, and in his free time enjoys browsing the web and exploring new places.
