Raceocat
Make exploiting race conditions in web applications highly efficient and easy to use.
Race-o-cat
Overview
- Architecture Overview
- List of Projects
- Demo
- To-Dos
- License
- Contributing
- Author Information
Architecture Overview
List of Projects
- Browser Extension for Firefox
Firefox browser extension for live request monitoring and for intercepting the desired request, which is then forwarded to the Race Dispatcher.
- Race Routine Infrastructure
Race Dispatcher and Race Script to execute parallel requests against any given endpoint.
- OWASP Zed Attack Proxy (ZAP) Extender
ZAP Extensions to test for Race Conditions.
- Vulnerable web application
A web application with typical vulnerable use cases such as withdrawing money or excessive poll votes.
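
The "withdrawing money" use case above comes down to a check-then-act gap. The following is an added example, not code from the Raceocat repository: it puts a vulnerable withdrawal next to an atomic one and calls each from five parallel workers. The `Account` class, the 50 ms delay and the thread-based workers are constructed assumptions standing in for a web endpoint and its database.

```python
import threading
import time

class Account:
    """Constructed stand-in for the 'withdraw money' endpoint's state."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_vulnerable(self, amount):
        # Check-then-act: the balance is read and checked, but debited later.
        current = self.balance
        if current < amount:
            return False
        time.sleep(0.05)  # simulated DB/network latency: the race window
        self.balance = current - amount  # overwrites with a stale value
        return True

    def withdraw_safe(self, amount):
        # Check and debit form one critical section. In a real application
        # this is a row lock or a conditional UPDATE inside a transaction.
        with self._lock:
            current = self.balance
            if current < amount:
                return False
            time.sleep(0.05)
            self.balance = current - amount
            return True

def run_parallel(method, amount, workers):
    """Call method(amount) from `workers` threads released together.
    Returns the number of calls that reported success."""
    results = []
    barrier = threading.Barrier(workers)
    def worker():
        barrier.wait()  # line all workers up before the call
        results.append(method(amount))
    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

def demo():
    weak, safe = Account(100), Account(100)
    paid_weak = run_parallel(weak.withdraw_vulnerable, 100, 5)
    paid_safe = run_parallel(safe.withdraw_safe, 100, 5)
    return paid_weak, weak.balance, paid_safe, safe.balance
```

The signal to check for is the mismatch in the vulnerable case: several withdrawals succeed against an account that could cover only one, while the stored balance never goes negative.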
Demo
A demo of the tool and an introduction to race condition vulnerabilities can be watched in this video, which was recorded at Hack in the Box Conference (HITBSecConf) 2022 Singapore:
In addition, a PDF of the research can be found here (in German).
To Dos
The following action items are considered to be implemented in a future version (happy for any contributions!):
- Improve the timing of the race server (by using NTP, a WebSocket push, or anything else) to decrease the time gap between dispatching to multiple race servers, OR allow a scheduled timing option
- Allow downloading of the HTTP responses to analyse the success of the attack
- Allow multiple, different parameters/content in the HTTP request to improve exploitation of load balancers with sticky sessions and other attack scenarios that require custom parameters
License
Code of Raceocat is licensed under the Apache License 2.0.
Contributing
Feel free to open issues / pull requests if you want to contribute to this project.
Author Information
You can reach me on Twitter @javanrasokat.