Difference between revisions of "Testing for Race Conditions (OWASP-AT-010)"

From OWASP
Jump to: navigation, search
(New page: {{Template:OWASP Testing Guide v3}} == Brief Summary == A race condition is a flaw that produces an unexpected result when timing of actions impact other actions. An example may be seen o...)
 
(Description of the Issue)
Line 8: Line 8:
 
In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled
 
In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled
 
by the framework, server or programming language.
 
by the framework, server or programming language.
The following example describes a potential concurrency problem in a transactional web application.
+
The following simplified example illustrates a potential concurrency problem in a transactional web application and relates to a joint savings account in which both users (threads) are logged into the same account and attempting a transfer.<br>
 
+
<br>
* EXAMPLE
+
Account A has 100 credits.<br>
 +
Account B has 100 credits.<br>
 +
<br>
 +
Both User 1 and User 2 want to transfer 10 credit from Account A to Account B. If the transaction was correct the outcome should be:<br>
 +
<br>
 +
Account A has 80 credits.<br>
 +
Account B has 120 credits.<br>
 +
<br>
 +
However, due to concurrency issues, the following result could be obtained:<br>
 +
<br>
 +
User 1 checks the value of Account A (=100 credits)<br>
 +
User 2 checks the value of Account A (=100 credits)<br>
 +
User 2 takes 10 credits from Account A (=90 credits) and put it in Account B (=110 credits)<br>
 +
User 1 takes 10 credits from Account A (Still believed to contain 100 credits) (=90 credits) and puts it into Account B (=120 credits).<br>
 +
<br>
 +
Result:
 +
Account A has 90 credits.<br>
 +
Account B has 120 credits.<br>
 +
<br>
  
 
==Black Box testing and example==
 
==Black Box testing and example==

Revision as of 14:29, 23 August 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Contents


Brief Summary

A race condition is a flaw that produces an unexpected result when timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data. Race conditions, by their very nature, are difficult to test for.

Description of the Issue

Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server or programming language. The following simplified example illustrates a potential concurrency problem in a transactional web application and relates to a joint savings account in which both users (threads) are logged into the same account and attempting a transfer.

Account A has 100 credits.
Account B has 100 credits.

Both User 1 and User 2 want to transfer 10 credit from Account A to Account B. If the transaction was correct the outcome should be:

Account A has 80 credits.
Account B has 120 credits.

However, due to concurrency issues, the following result could be obtained:

User 1 checks the value of Account A (=100 credits)
User 2 checks the value of Account A (=100 credits)
User 2 takes 10 credits from Account A (=90 credits) and put it in Account B (=110 credits)
User 1 takes 10 credits from Account A (Still believed to contain 100 credits) (=90 credits) and puts it into Account B (=120 credits).

Result: Account A has 90 credits.
Account B has 120 credits.

Black Box testing and example

Gray Box testing and example

References

iSec Partners - Concurrency attacks in Web Applications http://isecpartners.com/files/iSEC%20Partners%20-%20Concurrency%20Attacks%20in%20Web%20Applications.pdf
B. Sullivan and B. Hoffman - Premature Ajax-ulation and You https://www.blackhat.com/presentations/bh-usa-07/Sullivan_and_Hoffman/Whitepaper/bh-usa-07-sullivan_and_hoffman-WP.pdf