cispa_all_3028.pdf (785.81 kB)

Raccoon: Automated Verification of Guarded Race Conditions in Web Applications

Download (785.81 kB)
conference contribution
posted on 2023-11-29, 18:12 authored by Simon Koch, Tim Sauer, Martin Johns, Giancarlo PellegrinoGiancarlo Pellegrino
Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large amount of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes, such as XSS or SQL Injection, dbms based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web application. Raccoon identifies potential race conditions through interleaving execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof of concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge about implementation or database layout, while only reporting vulnerabilities, in which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify detected possible vulnerabilities.


Preferred Citation

Simon Koch, Tim Sauer, Martin Johns and Giancarlo Pellegrino. Raccoon: Automated Verification of Guarded Race Conditions in Web Applications. In: Selected Areas in Cryptography (SAC). 2020.

Primary Research Area

  • Empirical and Behavioral Security

Secondary Research Area

  • Threat Detection and Defenses

Name of Conference

Selected Areas in Cryptography (SAC)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_3028, title = "Raccoon: Automated Verification of Guarded Race Conditions in Web Applications", author = "Koch, Simon and Sauer, Tim and Johns, Martin and Pellegrino, Giancarlo", booktitle="{Selected Areas in Cryptography (SAC)}", year="2020", }

Usage metrics


    No categories selected


    Ref. manager