The Need for Speed: Exploiting Race Conditions in Web Applications - Harriet Schofield
Author: BSides Belfast
Uploaded: 2025-12-12
Views: 5
Description:
After noticing trends of vulnerabilities appearing in recent web application penetration tests, this talk focuses on how to identify and exploit these vulnerabilities (using BurpSuite), also touching on the implications if they are found to exist in clients' systems, and ending with how to remediate them.
Time-based username enumeration seems to be becoming increasingly common as developers attempt to make their code as efficient and streamlined as possible. As a result, when logging into an application, a valid username with an invalid password takes longer to evaluate than an invalid username, because an invalid username requires no additional checks on the password. Attackers can therefore use the response time to generate a list of valid usernames for the application.
Now, this may only be a low-risk issue if the application enforces other mitigating controls, such as account lockouts after a certain number of failed login attempts, or strong password policies. Both of these limit the potential for an attacker to successfully carry out a password brute force attack against their identified valid users.
However, using race conditions, account lockout policies can be bypassed. This can be done by sending a large number of login attempts (each with a different password in order to attempt brute forcing) to the application in parallel. If the application contains a race condition vulnerability, it will treat the group of requests sent in parallel as a single login attempt. Therefore, you can send significantly more attempts than the lockout policy allows. If an insecure password policy is in use (it has been observed that a number of companies aren’t enforcing comprehensive phrase deny-listing), this compounds the likelihood that one of the passwords attempted will result in a successful login, especially if supplemented with OSINT research on targeted users.
This chaining of vulnerabilities has been seen across a large number of our clients recently, including government, healthcare and infrastructure. It is an attack that is fairly simple to conduct and can be overlooked in penetration testing. However, it is important to evaluate whether it is present, because it could result in unauthorised access and facilitate a considerable number of follow-on attacks once an attacker has gained credentials.
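The two defects the description pairs, the fast path that skips the password hash for unknown usernames and the check-then-increment lockout counter that parallel requests can all pass before any of them increments it, shown side by side with a hardened handler as an added Python illustration from the defender's side (this is not code from the talk). The single-user store, the hash parameters, the `MAX_FAILED` threshold and the `time.sleep` standing in for the request's database round trip are all constructed for the demo.

```python
import hashlib
import hmac
import threading
import time
MAX_FAILED = 5  # constructed lockout threshold for the demo

def _hash(password):
    # Constructed demo hash with a fixed salt; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)
USERS = {"alice": _hash("correct-horse")}  # constructed single-user store
DUMMY_HASH = _hash("dummy")                 # hashed against for unknown usernames

class VulnerableLogin:
    """Check-then-act on the counter: parallel requests all see the pre-lockout count."""
    def __init__(self):
        self.failed, self.evaluated = {}, 0   # evaluated = passwords actually checked
    def attempt(self, user, password):
        if user not in USERS:
            return False                       # fast path, no hash: timing leak
        if self.failed.get(user, 0) >= MAX_FAILED:
            return False                       # locked out
        time.sleep(0.05)                       # stands in for the DB round trip
        self.evaluated += 1
        if hmac.compare_digest(USERS[user], _hash(password)):
            return True
        self.failed[user] = self.failed.get(user, 0) + 1  # incremented too late
        return False

class HardenedLogin:
    """Reserve the attempt slot atomically first; unknown users pay the same hash cost."""
    def __init__(self):
        self.failed, self.evaluated, self._lock = {}, 0, threading.Lock()
    def attempt(self, user, password):
        with self._lock:                       # check and increment cannot interleave
            n = self.failed[user] = self.failed.get(user, 0) + 1
        stored = USERS.get(user, DUMMY_HASH)
        time.sleep(0.05)                       # same window, but the slot is taken
        ok = hmac.compare_digest(stored, _hash(password)) and user in USERS
        if n > MAX_FAILED:
            return False                       # locked, even with the right password
        with self._lock:
            self.evaluated += 1
            if ok:
                self.failed[user] = 0          # reset the counter on success
        return ok

def parallel_attempts(login, user, n_requests):
    # Fire n_requests wrong-password logins at once; return how many were evaluated.
    threads = [threading.Thread(target=login.attempt, args=(user, f"guess{i}"))
               for i in range(n_requests)]
    for t in threads: t.start()
    for t in threads: t.join()
    return login.evaluated
```

With 20 parallel guesses the vulnerable handler evaluates far more than `MAX_FAILED` passwords, while the hardened one evaluates exactly `MAX_FAILED` and then refuses even the correct password until the counter is reset.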
#bsidesbelfast25 #securitybsides #bsidesbelfast #bsides