ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Last update: Aug 04, 2022

Related tags

Overview

ChronoRace

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that well timed race conditions can allow for uncovering all kinds of interesting edge cases. An example use case is seen here, where I was able to get arbitrary email confirmation by hitting both the confirmation and email change endpoints a couple hundred milliseconds apart.

Usage

ChronoRace takes in raw requests and repeats them with a specified time delay. Create files with the raw requests you want to run as done in the http_requests/example/ folder. Then create a configuration which references the requests.

Sample configuration

{
  "proxy": "http://127.0.0.1:8080",
  "verify_ssl": false,
  "requests": [
    {
      "file": "http_requests/example/get.txt",
      "delay": 0,
      "replacements": []
    },
    {
      "file": "http_requests/example/post.txt",
      "delay": 500,
      "replacements": [
        ["[REPLACE]", "bar"]
      ]
    }
  ]
}

Config Parameter	Type	Description	Required	Default
requests	array	Array of requests to make.	Yes
requests[x].file	string	Path to file containing the raw http request.	Yes
requests[x].delay	integer	Delay in milliseconds since start.	No	`0`
requests[x].replacements	array	Replacements to perform in the request. `[["replace1", "with1"], ["replace2", "with2"]]`.	No	`[]`
requests[x].secure	boolean	Make request using the `https` protocol.	No	`true`
proxy	string	Proxy URL. It's recommended to send through Burp to track the requests.	No	`null`
verify_ssl	boolean	Skip certificate validation.	No	`true`
threads	integer	Maximum number of simultaneous requests. Less threads than requests will delay them.	No	`100`
print_response	boolean	Print the entire response in the console.	No	`false`

Running

pip install -r requirements.txt
python chronorace.py race -c config.json

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Related tags

Overview

ChronoRace

Usage

Owner

Tanner

The most hackable keyboard in all the land

Process GPX files (adding sensor metrics, uploading to InfluxDB, etc.) exported from imxingzhe.com

Python script to preprocess images of all Pokémon to finetune ruDALL-E

GA SEI Unit 4 project backend for Bloom.

A set of scripts for a two-step procedure to measure the value of access to destinations across several modes of travel within a geographic area.

Projeto-menu - This project is designed to learn more about control mechanisms in Python programming

Your one and only Discord Bot that helps you concentrate!

Tips that improve your life in one way or another

Android Blobs Organizer

Gaia: a chrome extension that curates environmental news of a company

An open source server for Super Mario Bros. 35

This is a fork of the BakeTool with some improvements that I did to have better workflow.

Simple dotfile pre-processor with a per-file configuration

BestBuy Script Designed to purchase any item when it becomes available.

Aerospace utilities: flight conditions package, standard atmosphere model, and more.

My qtile config with a fresh-looking bar and pywal support

ioztat is a storage load analysis tool for OpenZFS

A Python script to delete movies with a certain tag after a certain amount of days.

The earliest beta version of pytgcalls on Linux x86_64 and ARM64! Use in production at your own risk!

Use Fofa、shodan、zoomeye、360quake to collect information(e.g:domain,IP,CMS,OS)同时调用Fofa、shodan、zoomeye、360quake四个网络空间测绘API完成红队信息收集