For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with.
Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. These exploits will be demonstrated across multiple high-profile websites, and a certain popular authentication framework....
By: James Kettle
Full Abstract and Presentation Materials: www.blackhat.com/us-23/briefi...