Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large amount of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes, such as XSS or SQL Injection, dbms based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web application. Raccoon identifies potential race conditions through interleaving execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof of concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge about implementation or database layout, while only reporting vulnerabilities, in which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify detected possible vulnerabilities.
History
Preferred Citation
Simon Koch, Tim Sauer, Martin Johns and Giancarlo Pellegrino. Raccoon: Automated Verification of Guarded Race Conditions in Web Applications. In: Selected Areas in Cryptography (SAC). 2020.
Primary Research Area
Empirical and Behavioral Security
Secondary Research Area
Threat Detection and Defenses
Name of Conference
Selected Areas in Cryptography (SAC)
Legacy Posted Date
2020-01-18
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3028,
title = "Raccoon: Automated Verification of Guarded Race Conditions in Web Applications",
author = "Koch, Simon and Sauer, Tim and Johns, Martin and Pellegrino, Giancarlo",
booktitle="{Selected Areas in Cryptography (SAC)}",
year="2020",
}