Raccoon: Automated Verification of Guarded Race Conditions in Web Applications

Koch, Simon and Sauer, Tim and Johns, Martin and Pellegrino, Giancarlo
(2020) Raccoon: Automated Verification of Guarded Race Conditions in Web Applications.
In: The 35th ACM/SIGAPP Symposium On Applied Computing, March 30-April 3, 2020, Brno, Czech Republic.
Conference: SAC ACM Symposium on Applied Computing

raccoon_acmsac2020.pdf - Published Version

Download (804kB) | Preview


Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large amount of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes, such as XSS or SQL Injection, dbms based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web application. Raccoon identifies potential race conditions through interleaving execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof of concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge about implementation or database layout, while only reporting vulnerabilities, in which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify detected possible vulnerabilities.


Actions (login required)

View Item View Item