Parsing Errors and Race Conditions - sgml/signature GitHub Wiki
Non-preemptive (cooperative) multitasking means the scheduler never interrupts a running task: a call runs until it returns or voluntarily yields, so two calls of the same priority cannot execute at the same time. Systems built this way commonly expose concurrency through futures: a call returns a proxy immediately, and any access to that proxy blocks the caller until the value has actually been produced (the Smalltalk futures and Pharo links below describe this pattern).
Shared nothing multitasking means that processes are isolated from one another, share no mutable state, and a failure in one process cannot affect another process in an unstructured way.
- https://github.com/TheHackerDev/race-the-web
- https://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditions
- http://onsmalltalk.com/smalltalk-concurrency-playing-with-futures
- http://pillarhub.pharocloud.com/hub/Uko/concurrentProgrammingInPharo
- https://www.eiffel.org/doc/solutions/Concurrent%20programming%20with%20SCOOP
- https://www.w3.org/XML/Processing/
- http://www.devx.com/xml/Article/38037/0/page/2
- http://tests.xproc.org
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
Methodology
Browser-Specific Parsing Race Conditions
Scenarios
- URL Parsing: Browsers, proxies and servers parse URLs differently, especially around special characters such as "\", "@", "#" and percent-encoding, and around unusual forms. Strictly this is a parser differential rather than a timing race: an attacker crafts one URL that the browser or front-end resolves to one host or path while the back-end resolves it to another.
- Request Timing: Browsers differ in how many connections they open and how they pipeline or multiplex concurrent requests, which changes how tightly an attacker can pack requests into a race window on the server. Where a handler checks a condition and then acts on it across an I/O wait, packing requests into that window lets the attacker exceed a limit, for example redeeming a one-time coupon or spending a balance more than once, or racing the issuance and invalidation of session tokens.
- Content-Type Handling: Browsers differ in the Content-Type they attach to form and fetch() bodies, and servers differ in how strictly they honour it. When the server expects one format (for example JSON or XML) and receives another, falling back to sniffing or to a second parser yields a differential between what the client meant and what the server processed.
- Caching Mechanisms: Inconsistent caching across browsers and intermediaries can serve stale data, so a check made against a cached value and an action taken against live state can disagree.
- Form Handling: Variations in how browsers submit forms, especially asynchronous (AJAX/fetch) submissions fired from scripts, can deliver requests out of order; a server that assumes submission order, for instance in a multi-step flow, processes them in a state it did not expect.
Issue Trackers
Chromium
- URL: Chromium Issue Tracker
- Issues:
- Issue 40265714: Sending invalid JSON from a native messaging host to an extension crashes the extension process. This issue involves a race condition when parsing the message as JSON.
- Issue 379656387: Race conditions in building for the first time when setting app container ACLs. This issue occurs due to non-atomic operations in setting ACLs.
WebKit Trac Project
- URL: WebKit Trac
- Issues:
- Issue 248631: Race condition in Atomics.wait and Atomics.waitAsync. This issue involves a race between reading from the array and obtaining the lock on the list of waiters.
Mozilla Bugzilla Instance
- URL: Mozilla Bugzilla
- Issues:
- Issue 1548962: FOUC when loading stylesheets. This issue is related to delayed stylesheet application causing FOUC.
- Issue 1603064: Delayed CSS application causing FOUC in Firefox.
IE Edge GitHub Project
- URL: IE Edge GitHub
- Issues:
- Issue 527: FOUC with fixed positioning. This issue involves flickering and FOUC with fixed-position elements in IE and Edge.
- Issue 620: Button focus issues causing FOUC. This issue involves buttons flickering when focused in IE and Edge.
Parsers
URL Parser
URL ::= Scheme ":" [ "//" Authority ] [ "/" Path ] [ "?" Query ] [ "#" Fragment ]
Scheme ::= ALPHA *( ALPHA | DIGIT | "+" | "-" | "." )   ; e.g. "http", "https", "ftp", "file"
Authority ::= [ Userinfo "@" ] Host [ ":" Port ]
Userinfo ::= User [ ":" Password ]
Host ::= hostname | IPv4address | "[" IPv6address "]"
Port ::= *DIGIT
Path ::= path-segment [ "/" path-segment ]...
Query ::= query-part [ "&" query-part ]...          ; the "?" belongs to URL above and is not repeated here
Fragment ::= fragment                               ; likewise the "#"
path-segment ::= *pchar
query-part ::= key "=" value                        ; an application convention; RFC 3986 itself treats the query as opaque
key ::= *qchar
value ::= *qchar
qchar ::= ( pchar | "/" | "?" ) - ( "&" | "=" )
pchar ::= unreserved | pct-encoded | sub-delims | ":" | "@"
pct-encoded ::= "%" HEXDIG HEXDIG
unreserved ::= ALPHA | DIGIT | "-" | "." | "_" | "~"
sub-delims ::= "!" | "$" | "&" | "'" | "(" | ")" | "*" | "+" | "," | ";" | "="
fragment ::= *( pchar | "/" | "?" )
Three points in this grammar matter for the parser differentials discussed above: the authority runs to the first "/", "?" or "#" and nothing else ends it; an IPv6 literal must be bracketed so that its colons are not read as the port delimiter; and "\" appears nowhere in it, so a strict RFC 3986 parser rejects a backslash while the WHATWG parser used by browsers treats "\" as "/" in http and https URLs.