Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions are a well-known issue in software development, and they often result in program crashes and poor usability. Most race conditions are difficult to test for, as they may occur in only one in one thousand uses, and under very specific conditions. As a result, these bugs rarely manifest themselves with any regularity. But what happens when a race condition exists in an application that accepts thousands of concurrent connections? Suddenly the likelihood of unintended behaviour increases exponentially, and the consequences can be devastating.
In a web application, user sessions are often treated the same as desktop user sessions: a user is expected to perform a single task at a time, while the server processes the information and performs the intended functionality for that user. But what would happen if a user tried to perform the same task hundreds or thousands of times simultaneously? If the proper checks and defensive measures are not in place, databases get confused, "one-time-use" becomes a relative term, and "limited" becomes "unlimited".
The focus of this talk is the security implications of this exact scenario, detailing specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
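The "one-time-use" failure described in the second paragraph, as an added example that is not from the talk or its tool: a check-then-act redemption handler beside one that checks and marks in a single atomic step. `CouponStore`, the coupon code `WELCOME10` and the barrier are constructed for illustration; the barrier forces the interleaving that real load would produce only occasionally, so the result is repeatable.

```python
import threading

class CouponStore:
    """Constructed in-memory stand-in for a one-time-use coupon table."""

    def __init__(self, code, value):
        self.used = {code: False}
        self.value = value
        self.balance = 0
        self._lock = threading.Lock()

    def _credit(self):
        with self._lock:  # the write itself is safe; the flaw is in the ordering
            self.balance += self.value

    def redeem_vulnerable(self, code, gate):
        if self.used[code]:          # 1. check
            return False
        gate.wait()                  # constructed delay between check and write
        self.used[code] = True       # 2. act, too late: every request passed step 1
        self._credit()
        return True

    def redeem_atomic(self, code, gate):
        with self._lock:             # check and mark as one indivisible step
            won = not self.used[code]
            self.used[code] = True
        gate.wait()                  # same delay, now outside the critical section
        if won:
            self._credit()
        return won

def run(n, method):
    """Fire n simultaneous redemptions; return (accepted, total credited)."""
    store = CouponStore("WELCOME10", 10)
    gate = threading.Barrier(n)      # holds every request until all n have arrived
    results = []
    def worker():
        results.append(getattr(store, method)("WELCOME10", gate))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), store.balance

if __name__ == "__main__":
    print("vulnerable:", run(50, "redeem_vulnerable"))
    print("atomic:    ", run(50, "redeem_atomic"))
```

In a database-backed application the atomic step corresponds to a single conditional update whose affected-row count decides which request wins, rather than a separate read followed by a write.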