Race Condition Attack – exemplary use in web application

A race condition attack consists of sending a request in the window between an application performing an action and verifying the conditions for that action. For example, when files are uploaded to a server, the time between saving the file to disk and verifying its type or extension allows a request to be made to the stored resource before it is removed. Such a process, described in a pseudo language, would look like this:

As you can see in the example above, the file is saved first and only then is its extension verified. The time the script needs to verify the extension and, if it does not match, to delete the file leaves a window in which the file can still be requested while it exists.

How to carry out this type of attack

The attack consists of uploading the file to the server and requesting the uploaded resource at the same time. For demonstration purposes we created a simple PHP script that allows a file upload.

Let’s assume that the above code is saved on the local machine as “upload.php”. The code may seem safe, but only at first glance: although it verifies the file extension, and even its type, it does so in the wrong order, after the file is already in the public directory.

In order to attack the application above, hundreds of upload requests have to be sent simultaneously.

File upload request:

Picture 1: file upload request

The PHP code was deliberately embedded in a fragment of a PNG image in order to bypass MIME type filters.

Request calling an action in our shell (Linux version):

What next?

Now it is enough to run a suitable script, or iterate with Intruder in Burp/ZAP, which will make hundreds of upload attempts for us and call an action in our shell that copies it to a safe place for further exploitation.

If the script checking the extension does not manage to delete the malicious file before our program invokes the copy action, we get access to a stable copy of the shell at the address:

How to protect yourself

It is important to run all necessary security checks on the contents of a file before it is moved to a public directory; a file that fails a check must never have been reachable in the first place.

Safe version of the code (XSS not covered 😉 ):
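The article’s own safe upload.php is not reproduced on this page, so the following is an added example written for this edit, not the author’s code. It performs every check while the file still sits in PHP’s private temporary location and only then moves it into the public directory; the form field name “file”, the ./uploads directory and the images-only allowlist are assumptions.

```php
<?php
// Added example, not the article's own "safe version": all checks run on the
// upload while it is still in PHP's private tmp location, and the file reaches
// the public directory only after every check passes. Assumed: form field
// "file", target directory ./uploads, images only.
declare(strict_types=1);
const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
// Extension allowlist mapped to the content type the bytes must really have.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
// Returns the stored path, or throws without ever writing into UPLOAD_DIR.
function storeImageUpload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('rejected upload');
    }
    // The client-supplied name only selects the target extension; it never
    // becomes part of the path.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from the bytes; $f['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext] || @getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('content is not a ' . ALLOWED[$ext]);
    }
    // Random server-chosen name: the URL cannot be guessed before the move.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Only now does the file become reachable; nothing has to be deleted later.
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);
    return $target;
}

// Complementary measure: serve UPLOAD_DIR with script execution disabled
// (e.g. "php_flag engine off" under Apache), so a stored polyglot never runs.
try {
    echo 'stored as ' . basename(storeImageUpload($_FILES['file'] ?? [])), PHP_EOL;
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage(), PHP_EOL;
}
```

The ordering is the whole point: with the vulnerable script the file is first written to the public directory and then checked, while here a rejected file is discarded by PHP with its temporary upload and there is no window in which it can be requested.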