ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Last update: Aug 04, 2022

Related tags

Overview

ChronoRace

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that well timed race conditions can allow for uncovering all kinds of interesting edge cases. An example use case is seen here, where I was able to get arbitrary email confirmation by hitting both the confirmation and email change endpoints a couple hundred milliseconds apart.

Usage

ChronoRace takes in raw requests and repeats them with a specified time delay. Create files with the raw requests you want to run as done in the http_requests/example/ folder. Then create a configuration which references the requests.

Sample configuration

{
  "proxy": "http://127.0.0.1:8080",
  "verify_ssl": false,
  "requests": [
    {
      "file": "http_requests/example/get.txt",
      "delay": 0,
      "replacements": []
    },
    {
      "file": "http_requests/example/post.txt",
      "delay": 500,
      "replacements": [
        ["[REPLACE]", "bar"]
      ]
    }
  ]
}

Config Parameter	Type	Description	Required	Default
requests	array	Array of requests to make.	Yes
requests[x].file	string	Path to file containing the raw http request.	Yes
requests[x].delay	integer	Delay in milliseconds since start.	No	`0`
requests[x].replacements	array	Replacements to perform in the request. `[["replace1", "with1"], ["replace2", "with2"]]`.	No	`[]`
requests[x].secure	boolean	Make request using the `https` protocol.	No	`true`
proxy	string	Proxy URL. It's recommended to send through Burp to track the requests.	No	`null`
verify_ssl	boolean	Skip certificate validation.	No	`true`
threads	integer	Maximum number of simultaneous requests. Less threads than requests will delay them.	No	`100`
print_response	boolean	Print the entire response in the console.	No	`false`

Running

pip install -r requirements.txt
python chronorace.py race -c config.json

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Related tags

Overview

ChronoRace

Usage

Owner

Tanner

Izy - Python functions and classes that make python even easier than it is

Lightweight and Modern kernel for VK Bots

Hydralit package is a wrapping and template project to combine multiple independant Streamlit applications into a multi-page application.

A program to generate random numbers b/w 0 to 10 using time

An Advent calendar of small programming puzzles for a variety of skill sets and skill levels.

Werkzeug has a debug console that requires a pin. It's possible to bypass this with an LFI vulnerability or use it as a local privilege escalation vector.

Python library for creating and parsing HSReplay XML files

The Official Jaseci Code Repository

addons to the turtle package that help you drew stuff more quickly

Быстрый локальный старт

Test for using pyIIIFpres for rara magnetica project

An assistant to guess your pip dependencies from your code, without using a requirements file.

HatAsm - a HatSploit native powerful assembler and disassembler that provides support for all common architectures

List of all D&D 5e monsters: WotC + popular third-party sourcebooks

A simple countdown timer in eazy code to show timer with python

A python program for rick rolling people.

TinyBar - Tiny MacOS menu bar utility to track price dynamics for assets on TinyMan.org

Library for mocking AsyncIOMotorClient built on top of mongomock.

firefox session recovery

Thumbor-bootcamp - learning and contribution experience with ❤️ and 🤗 from the thumbor team