TSRC - Application level attack
Session Race Conditions and Session Puzzling

A few months ago Shay Chen, Senior Manager at Hacktics Advanced Security Center (HASC), published a paper about Session Puzzling, a new application-level attack vector of critical severity and numerous uses, but for some bizarre reason, most of the responses I got were that the attack was too complicated to comprehend all at once.

The project home page (presentation, whitepaper, training kit):
http://code.google.com/p/puzzlemall/

The following movies demonstrate a few simple TSRC attacks:

Exploiting Temporal Session Race Conditions via Connection Pool Consumption:
http://www.youtube.com/watch?v=woWECWwrsSk

Exploiting Temporal Session Race Conditions via RegEx DoS:
http://www.youtube.com/watch?v=3k_eJ1bcCro