race-the-web: Tests for race conditions in web applications
Race The Web
Tests for race conditions in web applications by sending a user-specified number of requests to a target URL (or URLs) simultaneously, then comparing the responses from the server for uniqueness. Includes a number of configuration options.
The Vulnerability
A race condition is a flaw that produces an unexpected result when the timing of one action affects the outcome of another. A typical example is a multithreaded application in which several threads operate on the same data at once. Race conditions, by their very nature, are difficult to test for.
Race conditions are a well-known issue in software development, especially when you deal with fast, multi-threaded languages.
However, as network speeds get faster and faster, web applications are becoming increasingly vulnerable to race conditions, often because of legacy code that was never designed to handle hundreds or thousands of simultaneous requests for the same function or resource.
The problem can often only be discovered when a fast, multi-threaded language is used to generate these requests over a fast network connection; at that point it becomes a network and logic race between the client application and the server application.
That is where Race The Web comes in. This program aims to discover race conditions in web applications by sending a large number of requests to a specific endpoint at the same time. Doing so may trigger unintended behavior on the server, such as the duplication of user information, coupon codes, bitcoins, etc.
Warning: Denial of service may be an unintended side-effect of using this application, so please be careful when using it, and always perform this kind of testing with the explicit permission of the server owner and web application owner.
Download
Usage
Configuration File
Example configuration file included (config.toml):
Copyright (c) 2017 Aaron Hnatiw
Source: https://github.com/TheHackerDev/