Pentest Race Conditions (pentest-race-conditions)
Purpose
Exploit applications that fail to handle concurrent requests atomically, so that parallel requests produce double-spend, limit bypass, or privilege escalation. Race conditions have no dedicated category in the standard WSTG, but they are critical in real-world assessments.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for concurrency testing
- Test accounts with balances, quotas, or limited-use resources
- Rollback plan for financial or state-mutating operations
- Rate limit awareness: confirm the acceptable burst volume with the target owner before sending parallel requests, since a race harness looks like abuse to rate limiting and WAF rules
Environment Setup
- Burp Suite Professional with Turbo Intruder extension
- Python 3.x with asyncio/aiohttp for parallel request scripting
- GNU parallel or xargs for shell-based concurrency
- Multiple authenticated sessions (separate cookies/tokens)
Core Workflow
- Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
- Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
- Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
- Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
- Database-Level Races: Exploit missing row-level locks and non-atomic read-then-write sequences; determine whether the application relies on optimistic (conditional UPDATE, version column) or pessimistic (SELECT ... FOR UPDATE) concurrency control. Deliberately triggering deadlocks is a denial-of-service risk, so keep it to pre-agreed test accounts and environments.
- Timing Synchronization: Use the single-packet attack (Turbo Intruder over HTTP/2) to deliver the final frames of a batch of requests (typically 20-30) in one TCP packet, removing network jitter so the server processes them within microseconds of each other; over HTTP/1.1 fall back to last-byte synchronization.
- Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements (request count, synchronization method, observed success rate).
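The single-endpoint race and TOCTOU steps above, as an added runnable example (not the page's own tooling, and not a real target): a small coupon service with a vulnerable check-then-mark handler beside a serialized fix, plus the parallel client that races both. The service, the /redeem/vuln and /redeem/safe paths, the SAVE50 coupon and the 0.3 s simulated database round trip are all constructed for the demo.

```python
"""Single-endpoint race harness: a coupon-redemption service whose vulnerable
handler checks, waits for a simulated DB round trip, then marks the coupon,
beside a handler that does the same under a lock; and the parallel client.

Added example, not the page's own tooling. Paths, coupon code and the delay
are constructed for the demo.
"""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

COUPON = "SAVE50"   # constructed test coupon
WINDOW = 0.3        # seconds between the check and the use (a DB round trip)


class CouponStore:
    """Server-side state, kept per mode so both endpoints start unredeemed."""

    def __init__(self):
        self.used = {"vuln": set(), "safe": set()}
        self.lock = threading.Lock()

    def redeem(self, mode, code):
        if mode == "safe":
            # Check and mark under one lock, the in-process equivalent of
            # SELECT ... FOR UPDATE or an atomic conditional UPDATE: one winner.
            with self.lock:
                return self._check_then_mark(mode, code)
        # Vulnerable: every request that passes the check before the first
        # one marks the coupon also succeeds (time-of-check/time-of-use gap).
        return self._check_then_mark(mode, code)

    def _check_then_mark(self, mode, code):
        if code in self.used[mode]:
            return False
        time.sleep(WINDOW)
        self.used[mode].add(code)
        return True


class Handler(BaseHTTPRequestHandler):
    store = CouponStore()  # replaced by start_server() for a fresh run

    def do_POST(self):
        mode = self.path.rsplit("/", 1)[-1]            # "vuln" or "safe"
        length = int(self.headers.get("Content-Length", 0))
        code = self.rfile.read(length).decode()
        if mode not in self.store.used:
            self.send_response(404)
        elif self.store.redeem(mode, code):
            self.send_response(200)                     # redeemed
        else:
            self.send_response(409)                     # already used
        self.end_headers()

    def log_message(self, *args):                      # silence the access log
        pass


def start_server():
    Handler.store = CouponStore()
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def race(port, path, code, n):
    """Open n connections first, then release every request at the same instant
    (an HTTP/1.1 approximation of last-byte sync); return the number of 200s."""
    barrier = threading.Barrier(n)
    statuses = []

    def worker():
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=30)
        conn.connect()                                 # handshake done before the barrier
        barrier.wait()
        conn.request("POST", path, body=code,
                     headers={"Content-Type": "text/plain"})
        statuses.append(conn.getresponse().status)
        conn.close()

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses.count(200)


def demo(n=8):
    """Return (vulnerable successes, fixed successes) for one coupon raced n ways."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        vuln = race(port, "/redeem/vuln", COUPON, n)
        safe = race(port, "/redeem/safe", COUPON, n)
    finally:
        srv.shutdown()
        srv.server_close()
    return vuln, safe


if __name__ == "__main__":
    v, s = demo()
    print(f"vulnerable endpoint: {v} redemptions; fixed endpoint: {s} redemption")
```

Run directly to watch the vulnerable endpoint accept the same coupon several times while the fixed one accepts it once. The barrier only approximates synchronization on loopback; against a real target over HTTP/2 use the single-packet attack in Turbo Intruder, and expect to need a larger N and several attempts, because the real window is a database round trip rather than a 0.3 s sleep.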
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests |
| Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts |
| Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing |
| Proxy Analysis | Burp Suite Repeater | Request replay and timing observation |
| Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |
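The Database-Level Races step of the workflow and the database monitoring row above, as an added example against a constructed SQLite schema (not the page's own code): the read-then-write debit a tester exploits, next to the two standard remediations, an optimistic conditional UPDATE whose rowcount tells the caller whether it won, and a pessimistic transaction that takes the write lock before reading. The accounts table, the single row with balance 100, the debit amount and the 0.3 s application delay are assumptions for the demo.

```python
"""Database-level race: a read-then-write debit beside the two standard fixes,
an optimistic conditional UPDATE and a pessimistic write-locked transaction.

Added example on a constructed SQLite database; not the page's own tooling.
SQLite's BEGIN IMMEDIATE stands in for SELECT ... FOR UPDATE elsewhere.
"""
import os
import sqlite3
import tempfile
import threading
import time

WINDOW = 0.3  # seconds the application spends between reading and writing


def make_db():
    path = os.path.join(tempfile.mkdtemp(), "bank.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    con.execute("INSERT INTO accounts (id, balance) VALUES (1, 100)")
    con.commit()
    con.close()
    return path


def connect(path):
    # isolation_level=None: autocommit, so each statement is its own transaction
    # unless we issue BEGIN ourselves; timeout makes writers wait for the lock.
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def read_balance(con):
    # fetchall() runs the statement to completion so its read lock is released
    return con.execute("SELECT balance FROM accounts WHERE id = 1").fetchall()[0][0]


def debit_vuln(path, amount):
    """Check in one transaction, debit in another: the classic TOCTOU."""
    con = connect(path)
    try:
        if read_balance(con) < amount:
            return False
        time.sleep(WINDOW)              # every racer reads the same stale balance
        con.execute("UPDATE accounts SET balance = balance - ? WHERE id = 1", (amount,))
        return True
    finally:
        con.close()


def debit_optimistic(path, amount):
    """One atomic statement: the guard is evaluated under the write lock."""
    con = connect(path)
    try:
        cur = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = 1 AND balance >= ?",
            (amount, amount))
        return cur.rowcount == 1        # 0 rows: someone else spent it first
    finally:
        con.close()


def debit_pessimistic(path, amount):
    """Take the write lock before reading, so concurrent debits queue up."""
    con = connect(path)
    try:
        con.execute("BEGIN IMMEDIATE")
        if read_balance(con) < amount:
            con.execute("ROLLBACK")
            return False
        time.sleep(WINDOW)              # same window, but nobody else can read-then-write
        con.execute("UPDATE accounts SET balance = balance - ? WHERE id = 1", (amount,))
        con.execute("COMMIT")
        return True
    finally:
        con.close()


def race(debit, path, amount, n):
    """Fire n debits at once; return how many reported success."""
    barrier = threading.Barrier(n)
    wins = []

    def worker():
        barrier.wait()
        if debit(path, amount):
            wins.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(wins)


def final_balance(path):
    con = connect(path)
    try:
        return read_balance(con)
    finally:
        con.close()


def demo(n=5, amount=60):
    """Return {variant: (successful debits, final balance)} starting from 100."""
    out = {}
    for name, fn in (("vuln", debit_vuln), ("optimistic", debit_optimistic),
                     ("pessimistic", debit_pessimistic)):
        path = make_db()
        out[name] = (race(fn, path, amount, n), final_balance(path))
    return out


if __name__ == "__main__":
    for name, (wins, bal) in demo().items():
        print(f"{name:12s} successful debits={wins} final balance={bal}")
```

The vulnerable variant lets every racer debit 60 from a balance of 100, driving it negative; both fixes allow exactly one debit and leave 40. On PostgreSQL or MySQL the pessimistic variant is SELECT ... FOR UPDATE inside a transaction, and the queued writers are what the monitoring tools in the table show as lock waits while the first transaction holds the row.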
References
- references/tools.md: Tool function signatures and parameters
- references/workflows.md: Attack pattern definitions and test vectors