author: Rob van Emous
title: Towards Systematic Black-Box Testing for Exploitable Race Conditions in Web Apps
keywords: security
topics: Dependability, security and performance
committee: Marieke Huisman
started: September 2018


As web applications get more complicated and more integrated in our daily lives, securing them against known cyberattacks is of great importance. Performing security tests is the main way to discover the current risks and act accordingly. Therefore, numerous vulnerability lists and testing guidelines are created and maintained by security institutions like SANS, MITRE, Certified Secure, and OWASP. These lists are not meant to be exhaustive, but as the introduction in the Common Weakness Enumeration (CWE) of MITRE and SANS by (Martin, Brown, Paller, Kirby, & Christey, 2011) puts it: they “(..) evaluated each weakness based on prevalence, importance, and likelihood of exploit”. In this research, we will focus on testing for exploitable race conditions in web apps from a black-box perspective. Race conditions are known for a very long time as research by (Abbott, et al., 1976) shows. Still, they are a type of security vulnerability often not included in these lists due to its ungraspable nature as it is both unlikely to be exploited and difficult to test for. Based on the lack of research in this field, we argue that especially in the web-environment, it has resulted in an underestimation of the risks involved. The races continue to show up in web apps and when exploited could have a significant impact as a recent security blog by (Jadon, 2018) shows. This impact ranges from circumventing any limited-usage functionality like coupon redeeming, to enabling other types of security vulnerabilities like privilege escalation or a Denial of Service (DoS). In this research, we try to make black-box testing for race conditions easier by clearly defining where they could occur in web apps, what their impact would be and how they can be made more likely to occur. Based on this and a list of requirements that a new testing technique would have to meet to be useful in practice, a proof of concept tool is developed. The tool is evaluated by using it on a number of actual web apps while testing its completeness and usability. This tool should guide security testers in searching for exploitable race conditions in a systematic way.