ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Last update: Aug 04, 2022

Related tags

Overview

ChronoRace

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that well timed race conditions can allow for uncovering all kinds of interesting edge cases. An example use case is seen here, where I was able to get arbitrary email confirmation by hitting both the confirmation and email change endpoints a couple hundred milliseconds apart.

Usage

ChronoRace takes in raw requests and repeats them with a specified time delay. Create files with the raw requests you want to run as done in the http_requests/example/ folder. Then create a configuration which references the requests.

Sample configuration

{
  "proxy": "http://127.0.0.1:8080",
  "verify_ssl": false,
  "requests": [
    {
      "file": "http_requests/example/get.txt",
      "delay": 0,
      "replacements": []
    },
    {
      "file": "http_requests/example/post.txt",
      "delay": 500,
      "replacements": [
        ["[REPLACE]", "bar"]
      ]
    }
  ]
}

Config Parameter	Type	Description	Required	Default
requests	array	Array of requests to make.	Yes
requests[x].file	string	Path to file containing the raw http request.	Yes
requests[x].delay	integer	Delay in milliseconds since start.	No	`0`
requests[x].replacements	array	Replacements to perform in the request. `[["replace1", "with1"], ["replace2", "with2"]]`.	No	`[]`
requests[x].secure	boolean	Make request using the `https` protocol.	No	`true`
proxy	string	Proxy URL. It's recommended to send through Burp to track the requests.	No	`null`
verify_ssl	boolean	Skip certificate validation.	No	`true`
threads	integer	Maximum number of simultaneous requests. Less threads than requests will delay them.	No	`100`
print_response	boolean	Print the entire response in the console.	No	`false`

Running

pip install -r requirements.txt
python chronorace.py race -c config.json

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Related tags

Overview

ChronoRace

Usage

Owner

Tanner

Python Excuse Generator

This Python script can enumerate all URLs present in robots.txt files, and test whether they can be accessed or not.

Watcher for systemdrun user scopes

Free version of Okuru selfbot, okuru.xyz

The learning agent learns firstly approaching to the football and then kicking the football to the target position

Python solution of advent-of-code 2021

Online-update est un programme python permettant de mettre a jour des dossier et de fichier depuis une adresse web.

Module 2's katas from Launch X's python introduction course.

Packaging tools for shanty services.

Vehicle Identification Speed Detection (VISD) extracts vehicle information like License Plate number, Manufacturer and colour from a video and provides this data in the form of a CSV file

Spyware baseado em Python para Windows que registra como atividades da janela em primeiro plano, entradas do teclado.

This is the course repository for the Spring 2022 iteration of MACS 30123 "Large-Scale Computing for the Social Sciences" at the University of Chicago.

peace-performance (Rust) binding for python. To calculate star ratings and performance points for all osu! gamemodes

Snack Rice - A Rice University servery finder, customized for your needs!

IEEE ITU bunyesinde komitelere verilen Python3 egitiminin dokumanlastirilmis versiyonlari bu repository altinda tutulmaktadir.

Service for working with open data of the State Duma of the Russian Federation

Open-source library for analyzing the results produced by ABINIT

Graphsignal Logger

A small scale relica of bank management system using the MySQL queries in the python language.

Datargsing is a data management and manipulation Python library