search
githubEdit

NodeJS - Race Condition File-Write

hashtag
Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:js-racecondition-file-write
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-racecondition-file-write
circle-check

Now that the app is running let's go hacking!

hashtag
Reconnaissance

hashtag
Step1

We can download a file from the server by doing a GET request to the server.

Let's try:

Once we download the file we can see whatever we add to the URL is being written in a file called shared-file.

hashtag
Step 2

As the application suggests, there is a Race condition vulnerability in this app, let's try to find it.

If we look at the code we see that the application gets the query parameter, writes to a file called shared-file.txt, then opens the file and send it back as a response.

hashtag
Step 3

We have a very small window between the writing of the file:

and the response:

Maybe if we have multiple users on this application at the same time we might be able to intercept someone else's query.

hashtag
Exploitation

In order to do that we must send requests with high frequency.

Doing it manually is practically impossible, so we create a script that does that for us:

and in the meantime we will send a couple requests from Burp:

If we look in the logs we will see:

hashtag
Additional sources

https://wiki.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)

PreviousPython - Race Condition File-WriteNextJava - Race Condition File-Write

Last updated

Was this helpful?