Smashing the State Machine - The True Potential of Web Race Conditions

Explore the untapped potential of web race condition attacks in this conference talk from Nullcon Goa. Delve into new classes of race conditions that go beyond traditional limit-overrun exploits, uncovering vulnerabilities in website state machines. Learn techniques to manipulate states and transitions, enabling the forging of trusted data, misrouting of tokens, and masking of backdoors. Discover a refined methodology for efficient testing, recognizing high-risk patterns, and identifying subtle clues. Gain insights into overcoming network jitter and creating reproducible attacks using precision tooling adapted from HTTP Desync Attack research. Understand how to tailor attacks to different HTTP versions and target architectures, exploiting protocol-level design decisions and server implementation quirks. Access free online labs to immediately apply newly acquired skills in web security testing.