Talks

Smashing the State Machine: The True Potential of Web Race Conditions

Researcher: James Kettle

Conferences

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with.

Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. These exploits will be demonstrated across multiple high-profile websites, and a certain popular authentication framework.

These techniques unveil so much fresh attack-surface, it can be hard to know where to focus your testing. To help, I'll share a polished methodology for efficiently pursuing leads, automating complex attacks, and quickly ruling out dead ends. You'll learn to recognize high-risk patterns and eke out subtle tell-tale clues to scent blood long before sacrificing anything to the RNG gods.

To defeat jitter and make these attacks reproducible, I've taken lore amassed over years of research into HTTP Desync Attacks and applied it to develop precision tooling. You'll learn how to adapt your attacks to different HTTP versions and target architectures, abusing protocol-level design decisions and obscure implementation quirks in popular servers. This includes a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub-1ms execution window. Alongside the open source tool, we'll also release a full complement of free online labs to the Web Security Academy, so you can try out your new skillset immediately.