ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Last update: Aug 04, 2022

Related tags

Overview

ChronoRace

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that well timed race conditions can allow for uncovering all kinds of interesting edge cases. An example use case is seen here, where I was able to get arbitrary email confirmation by hitting both the confirmation and email change endpoints a couple hundred milliseconds apart.

Usage

ChronoRace takes in raw requests and repeats them with a specified time delay. Create files with the raw requests you want to run as done in the http_requests/example/ folder. Then create a configuration which references the requests.

Sample configuration

{
  "proxy": "http://127.0.0.1:8080",
  "verify_ssl": false,
  "requests": [
    {
      "file": "http_requests/example/get.txt",
      "delay": 0,
      "replacements": []
    },
    {
      "file": "http_requests/example/post.txt",
      "delay": 500,
      "replacements": [
        ["[REPLACE]", "bar"]
      ]
    }
  ]
}

Config Parameter	Type	Description	Required	Default
requests	array	Array of requests to make.	Yes
requests[x].file	string	Path to file containing the raw http request.	Yes
requests[x].delay	integer	Delay in milliseconds since start.	No	`0`
requests[x].replacements	array	Replacements to perform in the request. `[["replace1", "with1"], ["replace2", "with2"]]`.	No	`[]`
requests[x].secure	boolean	Make request using the `https` protocol.	No	`true`
proxy	string	Proxy URL. It's recommended to send through Burp to track the requests.	No	`null`
verify_ssl	boolean	Skip certificate validation.	No	`true`
threads	integer	Maximum number of simultaneous requests. Less threads than requests will delay them.	No	`100`
print_response	boolean	Print the entire response in the console.	No	`false`

Running

pip install -r requirements.txt
python chronorace.py race -c config.json

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Related tags

Overview

ChronoRace

Usage

Owner

Tanner

x-tools is a collection of tools developed in Python

Consolemenu on python with pynput

Structured, dependable legos for starknet development.

CuraMultiplyByGrid - Cura Плагин для размножения детали сеткой на весь стол автоматически без поворота

Python script to preprocess images of all Pokémon to finetune ruDALL-E

NExT-Ford-aula4 - NExT Ford aula4

The Open edX platform, the software that powers edX!

A plugin for poetry that allows you to execute scripts defined in your pyproject.toml, just like you can in npm or pipenv

Utility/Raiding selfbot made by Shell and Roover.

A python trivium implemention

It converts ING BANK account historic into a csv file you can import in HomeBank application.

Tutorials for on-ramping to StarkNet

Neogex is a human readable parser standard, being implemented in Python

Cross-platform config and manager for click console utilities.

WordPress-style shortcodes for Python

A curses based mpd client with basic functionality and album art.

Msgpack serialization/deserialization library for Python, written in Rust using PyO3 and rust-msgpack. Reboot of orjson. msgpack.org[Python]

IPython: Productive Interactive Computing

Compress .dds file in ggpk to boost fps. This is a python rewrite of PoeTexureResizer.

A Web app to Cross-Seed torrents in Deluge/qBittorrent/Transmission