Session Race Conditions and Session Puzzling – Now Simplified
The Hacker News
A few months ago Shay Chen, Senior Manager at Hacktics Advanced Security Center (HASC), published a paper about Session Puzzling, a new application-level attack vector of critical severity and numerous uses, but for some bizarre reason, most of the responses I got were that the attack was too complicated to comprehend all at once.

Temporal Session Race Conditions (TSRC) is yet another new application-level vulnerability (presented on September 15, 2011, at a local OWASP chapter meeting) that extends the capabilities of session puzzling, enables the exploitation of race conditions without latency, and provides a new purpose for application denial-of-service attacks.

The attack generally extends the lifespan of temporary session variables (session calculations and assignments with a lifespan of milliseconds) by increasing the latency of the lines of code that follow them, through the use of specific layer-targeted denial-of-service attacks.
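The pattern described above, as an added example that is not from the original article or the puzzlemall project: a handler that parks an unverified value in the shared session before checking it, beside a hardened form that keeps the value request-local until verification succeeds. All names (`recover_vulnerable`, `recover_hardened`, `protected_page`, `check_answer`) and the sample values are hypothetical, and a threading event stands in for the slow lines of code so the window can be observed deterministically.

```python
import threading

def check_answer(username, answer):
    # Constructed verifier standing in for the real (slow) lookup.
    return answer == "correct-answer"

def recover_vulnerable(session, username, answer, slow_step=lambda: None):
    session["user"] = username          # temporary, unverified value in shared state
    slow_step()                         # the lines whose latency widens the window
    if not check_answer(username, answer):
        session.pop("user", None)       # cleanup arrives only after the window
        return False
    return True

def recover_hardened(session, username, answer, slow_step=lambda: None):
    candidate = username                # request-local, invisible to other requests
    slow_step()
    if not check_answer(candidate, answer):
        return False
    session["user"] = candidate         # committed only once verified
    return True

def protected_page(session):
    # A second entry point that trusts whatever identity the session holds.
    return session.get("user")

def observe_window(handler):
    """Run handler with a failing answer and read the session mid-request."""
    session, outcome = {}, {}
    entered, release = threading.Event(), threading.Event()

    def slow_step():
        entered.set()                   # handler is now between assign and verify
        release.wait(timeout=5)

    def worker():
        outcome["ok"] = handler(session, "victim", "wrong", slow_step)

    t = threading.Thread(target=worker)
    t.start()
    entered.wait(timeout=5)
    seen_during = protected_page(session)   # concurrent request, same session
    release.set()
    t.join()
    return seen_during, protected_page(session), outcome["ok"]

if __name__ == "__main__":
    print("vulnerable:", observe_window(recover_vulnerable))
    print("hardened:  ", observe_window(recover_hardened))
```

The vulnerable handler rejects the request and cleans up correctly, yet the session still exposed the unverified identity while the request was in flight; the hardened handler never exposes it, however long the slow step takes.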

This time Shay Chen has created several demonstration movies in order to properly explain the exposures (the new TSRC exposure and Session Puzzling) and, in addition, published a presentation, a test-assisting tool and a new version of the training kit.

The demonstration movies and presentation can be found on the puzzlemall project homepage, and there's a post on his blog that explains the whole subject:


The following movies demonstrate a few simple TSRC attacks:


The following short movies demonstrate a few simple session puzzling sequences:

