Race against time: investigating the factors that influence web race condition exploits

Race conditions (RC) pose a critical security threat to web applications by exploiting the non-deterministic behavior of multithreaded request handling. This can lead to unpredictable outcomes such as data corruption, Time of Check to Time of Use (TOCTOU) vulnerabilities, and deadlocks. While previous research has identified poor design practices that contribute to RC vulnerabilities, no existing studies have explored the factors that influence the severity or impact of race conditions. This paper introduces a comprehensive methodology for testing and quantifying how different variables affect the exploitability of race conditions in vulnerable web servers, providing a framework for future research to investigate this issue more thoroughly. In addition, we present an experimental evaluation of our methodology under various conditions. Specifically, we examine six RC exploitation tools using four different attack techniques across both HTTP/1.1 and HTTP/2 protocols. To provide a complete overview of race conditions across all HTTP versions, we also introduce the first race condition attack tool for HTTP/3, named QUICker. Furthermore, we assess how the choice of database management systems and programming languages used in web application deployment can affect susceptibility to race condition attacks. This study offers key insights into how these factors influence the exploitability of RC vulnerabilities.