Smashing the state machine: the true potential of web race conditions


For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, I'll introduce new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with. With these I'll exploit both multiple high-profile websites and Devise, a popular authentication framework for Rails.

Aug. 22, 2023, 4:03 p.m. - by quas


Aug. 22, 2023, 4:03 p.m. - by quas

Aug. 22, 2023, 4:02 p.m. - by quas