On Race Vulnerabilities in Web Applications

  • Roberto Paleari
  • Davide Marrone
  • Danilo Bruschi
  • Mattia Monga
Conference paper

DOI: 10.1007/978-3-540-70542-0_7

Volume 5137 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Paleari R., Marrone D., Bruschi D., Monga M. (2008) On Race Vulnerabilities in Web Applications. In: Zamboni D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg

Abstract

A web programmer often conceives of an application as a sequential entity, thus neglecting the parallel nature of the underlying execution environment. In this environment, multiple instances of the same sequential code can be executed concurrently. From such unexpected parallel execution of code intended to run sequentially, unforeseen interactions can arise that alter the original semantics of the application as the programmer intended it. Such interactions are usually known as race conditions.

In this paper, we discuss the impact of race condition vulnerabilities on web-based applications. In particular, we focus on those race conditions that could arise because of the interaction between a web application and an underlying relational database. We introduce a dynamic detection method that, during our experiments, led to the identification of several race condition vulnerabilities even in mature open-source projects.
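As an added illustration (not code from the paper), the following Python/sqlite3 snippet shows the check-then-act race between a web handler and its relational database that the abstract describes, beside a hardened variant that folds the check into one conditional UPDATE. The coupon table, the function names and the `interleave` hook used to model the scheduler are constructed assumptions.

```python
import sqlite3

# Constructed sample schema: a single-use coupon. The web handler must
# ensure that each coupon is redeemed at most once.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupon (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    conn.execute("INSERT INTO coupon VALUES ('SAVE10', 0)")
    conn.commit()
    return conn

def redeem_racy(conn, code, interleave):
    """Check-then-act: SELECT first, UPDATE afterwards. The gap between the
    two statements is where a concurrent instance of this handler can run."""
    row = conn.execute("SELECT used FROM coupon WHERE code = ?", (code,)).fetchone()
    if row is None or row[0] == 1:
        return False            # already redeemed, as far as this instance knows
    interleave()                # a second request is scheduled here
    conn.execute("UPDATE coupon SET used = 1 WHERE code = ?", (code,))
    conn.commit()
    return True

def redeem_atomic(conn, code, interleave):
    """Hardened: the check and the state change are one conditional UPDATE,
    so the database decides atomically which request wins."""
    interleave()                # worst case: the other request runs first
    cur = conn.execute(
        "UPDATE coupon SET used = 1 WHERE code = ? AND used = 0", (code,))
    conn.commit()
    return cur.rowcount == 1    # exactly one caller ever sees rowcount == 1

def simulate(redeem):
    """Deterministic interleaving model: request A starts, request B runs to
    completion inside A's window, then A finishes. Returns (A ok, B ok)."""
    conn = make_db()
    outcome = {}
    def request_b():
        outcome["B"] = redeem(conn, "SAVE10", lambda: None)
    outcome["A"] = redeem(conn, "SAVE10", request_b)
    return outcome["A"], outcome["B"]

if __name__ == "__main__":
    print("check-then-act:", simulate(redeem_racy))    # (True, True): double redemption
    print("atomic update: ", simulate(redeem_atomic))  # (False, True): one winner
```

The interleaving is forced rather than left to thread scheduling so the double redemption reproduces every run; the same outcome is what a dynamic detector has to surface when real requests overlap.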


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Roberto Paleari (1)
  • Davide Marrone (1)
  • Danilo Bruschi (1)
  • Mattia Monga (1)

  1. Dipartimento di Informatica e Comunicazione, Università degli Studi di Milano, Milano, Italy