Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/javanxd/raceocat
Make exploiting race conditions in web applications highly efficient and easy to use.
bugbounty race-conditions race-detection racer research-and-development
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/javanxd/raceocat
- Owner: JavanXD
- Created: 2020-12-12T22:00:31.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2024-05-10T17:58:44.000Z (8 months ago)
- Last Synced: 2024-05-10T18:56:00.393Z (8 months ago)
- Topics: bugbounty, race-conditions, race-detection, racer, research-and-development
- Language: JavaScript
- Homepage:
- Size: 5.66 MB
- Stars: 19
- Watchers: 5
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
# Race-o-cat
> Make exploiting race conditions in web applications highly efficient and easy to use.
## Overview
- [Architecture Overview](#architecture-overview)
- [List of Projects](#list-of-projects)
- [Demo](#demo)
- [To-Dos](#to-dos)
- [License](#license)
- [Contributing](#contributing)
- [Author Information](#author-information)
## Architecture Overview
![Race Conditions](./docs/architecture/Race-Architecture.png)
## List of Projects
### - [Browser Extension for Firefox](./browser-extension/#readme)
Firefox browser extension for live request monitoring and intercepting the desired request, which will be forwarded to the Race Dispatcher.
### - [Race Routine Infrastructure](./race-routine-infrastructure/#readme)
Race Dispatcher and Race Script to execute parallel requests against any given endpoint.
### - [OWASP Zed Attack Proxy (ZAP) Extender](./zap-extender/#readme)
ZAP Extensions to test for Race Conditions.
### - [Vulnerable web application](./vuln-webapp/#readme)
A web application with typical vulnerable use cases such as withdrawing money or excessive poll votes.
## Demo
A demo of the tool and an introduction to race condition vulnerabilities can be watched in this video, which was recorded at Hack in the Box Conference (HITBSecConf) 2022 Singapore:
[![Exploiting Race Condition Vulnerabilities In Web Applications – Javan Rasokat](http://img.youtube.com/vi/rSizIebpBo8/0.jpg)](https://www.youtube.com/watch?v=rSizIebpBo8&list=PLmv8T5-GONwRu8F1SgdBjP6XydFJipKoa)
In addition, a PDF of the research can be found [here](https://opus-htw-aalen.bsz-bw.de/frontdoor/index/index/docId/1327) (in German).
## To Dos
The following action items are considered to be implemented in a future version (happy for any contributions!):
* Improve timing (by using NTP, a WebSocket push, or anything else) of the race server to decrease the time gap between dispatching to multiple race servers OR allow a scheduled timing option
* Allow downloading of the HTTP responses to analyse the success of the attack
* Allow multiple, different parameters/content of the HTTP request to allow improved exploitation of load balancers with sticky sessions and other attack scenarios that require custom parameters
## License
Code of Raceocat is licensed under the Apache License 2.0.
## Contributing
Feel free to open issues / pull requests if you want to contribute to this project.
## Author Information
You can reach me on Twitter [@javanrasokat](https://twitter.com/javanrasokat).