A web programmer often conceives its application as a sequential entity, thus neglecting the parallel nature of the underlying execution environment. In this environment, multiple instances of the same sequential code can be concurrently executed. From such unexpected parallel execution of intended sequential code, some unforeseen interactions could arise that may alter the original semantic of the application as it was intended by the programmer. Such interactions are usually known as race conditions. In this paper, we discuss the impact of race condition vulnerabilities on web-based applications. In particular, we focus on those race conditions that could arise because of the interaction between a web application and an underlying relational database. We introduce a dynamic detection method that, during our experiments, led to the identification of several race condition vulnerabilities even in mature open-source projects.

On race vulnerabilities in web applications / R. Paleari, D. Marrone, D.M. Bruschi, M. Monga - In: Detection of Intrusions and Malware, and Vulnerability Assessment : 5th International Conference, DIMVA 2008, Paris, France, July 10-11, 2008 : Proceedings / [a cura di] D. Zamboni. - Berlin : Springer, 2008 Jul. - ISBN 9783540705413. - pp. 126-142 (( Intervento presentato al 5. convegno DIMVA - Conference on Detection of Intrusions and Malware & Vulnerability Assessment tenutosi a Parigi nel 2008 [10.1007/978-3-540-70542-0_7].

On race vulnerabilities in web applications

R. Paleari;D.M. Bruschi;M. Monga
2008

Abstract

A web programmer often conceives its application as a sequential entity, thus neglecting the parallel nature of the underlying execution environment. In this environment, multiple instances of the same sequential code can be concurrently executed. From such unexpected parallel execution of intended sequential code, some unforeseen interactions could arise that may alter the original semantic of the application as it was intended by the programmer. Such interactions are usually known as race conditions. In this paper, we discuss the impact of race condition vulnerabilities on web-based applications. In particular, we focus on those race conditions that could arise because of the interaction between a web application and an underlying relational database. We introduce a dynamic detection method that, during our experiments, led to the identification of several race condition vulnerabilities even in mature open-source projects.
Settore INF/01 - Informatica
lug-2008
Book Part (author)
File in questo prodotto:
Non ci sono file associati a questo prodotto.
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/55385
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 21
  • ???jsp.display-item.citation.isi??? 16
social impact