TSRC - Application level attack
On Tuesday, 20 Sep 2011 in topic 'Vulnerabilities'
Session Race Conditions and Session Puzzling
A few months ago Shay Chen, Senior Manager at Hacktics Advanced Security Center (HASC), published a paper about Session Puzzling, a new application level attack vector of critical severity and numerous uses, but for some bizarre reason, most of the responses I got were that the attack was too complicated to comprehend all at once.
The project home page (presentation, whitepaper, training kit):
http://code.google.com/p/puzzlemall/
The following movies demonstrate a few simple TSRC attacks:
Exploiting Temporal Session Race Conditions via Connection Pool Consumption:
http://www.youtube.com/watch?v=woWECWwrsSk
Exploiting Temporal Session Race Conditions via RegEx DoS:
http://www.youtube.com/watch?v=3k_eJ1bcCro