Concurrency Attacks On Web Applications presented at BlueHat 2008

by Scott Stender (iSEC Partners), Alex Vidergar (iSEC Partners)

Tags: Security

Summary: Modern Web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable Web site in a matter of minutes. However, these attributes often encourage programming practices that make managing state difficult for a typical programmer.
Web application developers must carefully manage access to all resources that can be shared by threads. Global variables, session variables, backend systems, and application-specific data stores are common examples of such resources.
Concurrency flaws result when access to shared resources is not managed properly, which is easy to do when the development environment purposefully encapsulates and abstracts the very resources that need to be managed! Attackers take notice when manipulating those resources carries a security impact.
Each prevalent class of security flaw shares a common attribute: mistakes happen when doing the right thing is difficult. It is the opinion of the presenters that concurrency flaws, especially in the context of Web applications, share this attribute. The presenters will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws that will be helpful to developers and testers alike.
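As an added illustration (not material from the talk), the check-then-act mistake on shared state that the summary describes, simulated in-process: a one-time promotion code redeemed by several concurrent requests, first without synchronisation and then inside a critical section. The `PromoStore` class, the code `SAVE10` and the barrier used to widen the race window are all constructed for this example.

```python
import threading
import time

class PromoStore:
    """Shared state: think session dict, global cache or backend row."""
    def __init__(self, code):
        self.unused = {code}   # codes not yet redeemed
        self.granted = []      # one entry per credit actually handed out
        self.lock = threading.Lock()

    def redeem_racy(self, code, hook=lambda: None):
        # Vulnerable: check and act are separate, unsynchronised steps, so every
        # request that passes the check before the first discard is credited.
        if code in self.unused:          # check
            hook()                       # window in which other requests run
            self.unused.discard(code)    # act
            self.granted.append(code)
            return True
        return False

    def redeem_locked(self, code, hook=lambda: None):
        # Fixed: check and act form one critical section; the second request
        # finds the code already consumed.
        with self.lock:
            if code in self.unused:
                hook()
                self.unused.discard(code)
                self.granted.append(code)
                return True
            return False

def fire_concurrent(method, hook, n_requests):
    """Send n_requests identical redemptions at once; return how many succeeded."""
    ok = []
    threads = [threading.Thread(target=lambda: ok.append(method("SAVE10", hook)))
               for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(ok)

def demo(n_requests=8):
    """(successes racy, successes locked, credits racy, credits locked)."""
    racy = PromoStore("SAVE10")
    gate = threading.Barrier(n_requests)  # every request clears the check before any acts
    racy_hits = fire_concurrent(racy.redeem_racy, gate.wait, n_requests)
    fixed = PromoStore("SAVE10")
    fixed_hits = fire_concurrent(fixed.redeem_locked, lambda: time.sleep(0.001), n_requests)
    return racy_hits, fixed_hits, len(racy.granted), len(fixed.granted)
```

With eight concurrent requests `demo()` returns `(8, 1, 8, 1)`: the unsynchronised store hands out one credit per request, the locked store exactly one. In a real deployment the lock would be a database transaction or conditional update rather than an in-process mutex, since the shared resource lives outside any single worker.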