Smashing the state machine: the true potential of web race conditions
(portswigger.net)
from tedu@inks.tedunangst.com to inks@inks.tedunangst.com on 10 Aug 2023 16:24
https://inks.tedunangst.com/l/5024
HTTP request processing isn’t atomic - any endpoint might be sending an application through invisible sub-states. This means that with race conditions, everything is multi-step. The single-packet attack solves network jitter, making it as though every attack is on a local system. This exposes vulnerabilities that were previously near-impossible to detect or exploit.