ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Last update: Aug 04, 2022

Related tags

Overview

ChronoRace

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that well timed race conditions can allow for uncovering all kinds of interesting edge cases. An example use case is seen here, where I was able to get arbitrary email confirmation by hitting both the confirmation and email change endpoints a couple hundred milliseconds apart.

Usage

ChronoRace takes in raw requests and repeats them with a specified time delay. Create files with the raw requests you want to run as done in the http_requests/example/ folder. Then create a configuration which references the requests.

Sample configuration

{
  "proxy": "http://127.0.0.1:8080",
  "verify_ssl": false,
  "requests": [
    {
      "file": "http_requests/example/get.txt",
      "delay": 0,
      "replacements": []
    },
    {
      "file": "http_requests/example/post.txt",
      "delay": 500,
      "replacements": [
        ["[REPLACE]", "bar"]
      ]
    }
  ]
}

Config Parameter	Type	Description	Required	Default
requests	array	Array of requests to make.	Yes
requests[x].file	string	Path to file containing the raw http request.	Yes
requests[x].delay	integer	Delay in milliseconds since start.	No	`0`
requests[x].replacements	array	Replacements to perform in the request. `[["replace1", "with1"], ["replace2", "with2"]]`.	No	`[]`
requests[x].secure	boolean	Make request using the `https` protocol.	No	`true`
proxy	string	Proxy URL. It's recommended to send through Burp to track the requests.	No	`null`
verify_ssl	boolean	Skip certificate validation.	No	`true`
threads	integer	Maximum number of simultaneous requests. Less threads than requests will delay them.	No	`100`
print_response	boolean	Print the entire response in the console.	No	`false`

Running

pip install -r requirements.txt
python chronorace.py race -c config.json

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Related tags

Overview

ChronoRace

Usage

Owner

Tanner

[Cython] Vs [Python] Which one is Faster ?

A Blender addon to align the origin to the top, center or bottom of a mesh object

Project of the MSEC_LDD . group

A python package to adjust the bias of probabilistic forecasts/hindcasts using "Mean and Variance Adjustment" method.

Capture screen and download off Roku based devices

Better Giveaways is a bot that will change the experience of using a giveaway bot forever.

Gobigger Explore For Python

Control your gtps with gtps-tools!

This module extends twarc to allow you to print out tweets as text for easy testing on the command line

Anonfiles files leaker via keyword.

Urban Big Data Centre Housing Sensor Project

Tethered downgrade 64-bit iDevices vulnerable to checkm8

Powering up Apache JMeter with Streamlit and opening the door for machine learning.

A tool converting rpk (记乎) to apkg (Anki Package)

Pyjiting is a experimental Python-JIT compiler, which is the product of my undergraduate thesis

Demo of using DataLoader to prevent out of memory

To effectively detect the faulty wafers

Automation of VASP DFT workflows with ASE - application scripts

Binjago - Set of tools aiding in analysis of stripped Golang binaries with Binary Ninja

Print 'text color' and 'text format' on Term with Python