wstg
Re-establish content with regard to testing for race conditions
I was trying to map Testing for Race Conditions (OWASP-AT-010) from OTGv3 ( https://wiki.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010) ) to the latest version but I can't find a section talking about race conditions.
The only one I found is WSTG-INFO-07 where it mentions this: Race - tests multiple concurrent instances of the application manipulating the same data.
But it lacks most of the content that was previously in OTGv3.
https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/08-Testing_for_Session_Puzzling.md
Looks like it was removed in 4.0: https://wiki.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Yes, I saw that 4.0 doesn't have it. I don't get why this was removed, given that this is a very specific issue and there are even new techniques to exploit this, for example using the Burp Suite Turbo Intruder plugin (https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
I can't say why it might have been removed 8-10 years ago. If someone feels like reviving it I'm good with that. The 3.0 entry is awfully sparse on useful information.
I will try and review the content (from v3) and cross reference it with other locations in the guide to see where it was ported. Pretty doubtful it has been removed, more so renamed or rewritten. Should have an answer by early next week (unless I take a surprise vacation)
Weird. @MatOwasp might you know more on this. I was not able to find anything on this matter.
Yes, I remember we decided to drop it because not really executed during a test.
Reference testbed:
- http://racetheweb.io/bank
- https://github.com/insp3ctre/race-the-web
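The testbed above models a bank withdrawal, so here is an added example (not code from this thread, from the WSTG project, or from race-the-web) of what the test case would exercise: a check-then-act withdrawal with no atomicity beside its locked counterpart, and a harness that releases all workers in the same instant, which is the same idea as Turbo Intruder's gate. The account classes, the `time.sleep` standing in for a database round trip, and the balance/amount values are all constructed for illustration.

```python
import threading
import time

# Constructed test values: a 100 balance allows exactly one 60 withdrawal.
START_BALANCE = 100
WITHDRAW_AMOUNT = 60
CONCURRENCY = 10


class VulnerableAccount:
    """Check-then-act with no lock. The window between reading the balance
    and debiting it is the race; the sleep stands in for the latency of a
    real database round trip, which is what makes the window exploitable."""

    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        if self.balance < amount:
            return False
        time.sleep(0.05)          # assumed latency between check and act
        self.balance -= amount
        return True


class SafeAccount(VulnerableAccount):
    """Same logic, but check and debit happen under one lock, so the balance
    can never be overdrawn no matter how many requests arrive together.
    (A real service would do this with a DB transaction or conditional
    UPDATE ... WHERE balance >= amount rather than a process-local lock.)"""

    def __init__(self, balance):
        super().__init__(balance)
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            return super().withdraw(amount)


def race(account, amount, concurrency):
    """Fire `concurrency` withdrawals as simultaneously as possible.
    A Barrier releases every worker in the same instant, mirroring how a
    race-condition tester synchronises the last byte of many HTTP requests."""
    barrier = threading.Barrier(concurrency)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()                     # all workers go at once
        ok = account.withdraw(amount)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(concurrency)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"successes": sum(results), "final_balance": account.balance}


def is_vulnerable(outcome, start_balance, amount):
    """The finding: more withdrawals succeeded than the balance permitted,
    or the balance ended up negative."""
    allowed = start_balance // amount
    return outcome["successes"] > allowed or outcome["final_balance"] < 0


if __name__ == "__main__":
    for cls in (VulnerableAccount, SafeAccount):
        outcome = race(cls(START_BALANCE), WITHDRAW_AMOUNT, CONCURRENCY)
        verdict = "RACE" if is_vulnerable(outcome, START_BALANCE, WITHDRAW_AMOUNT) else "ok"
        print(f"{cls.__name__:18} {outcome} -> {verdict}")
```

Against the vulnerable account every worker reads the balance before any of them debits it, so all ten withdrawals succeed and the balance goes to -500; against the locked account exactly one succeeds and the balance ends at 40. When testing a real target the same harness shape applies, with `withdraw` replaced by an HTTP request and the verdict read from the application's resulting state rather than the response codes, since each individual response will look legitimate.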
@martinbydefault any interest in tackling this?
@kingthorin Sorry for the delay in the answer. At the moment I'm not able to tackle this but will try to do it in the near future. I also suggested it in the pool of collaboration ideas of my local OWASP chapter to see if anyone wants to take it sooner than me.
Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Hi everyone, Should we add this test case (Test case for Race Condition) into section "4.10 Business Logic Testing"?
Edit: Yes, adding it under business logic makes sense, whatever the new ref should be.
That seems reasonable to me.
https://hackerone.com/reports/1540969