Make critical logic flows thread safe
Summary
Critical and high-value business logic flows must be thread safe and resistant to time-of-check and time-of-use (TOCTOU) race conditions.
Description
A race condition occurs when a code sequence requires exclusive access to a resource but another code sequence can modify the same resource before the first one has released it. This can have security implications if it occurs during high-value business logic flows, such as authentication, authorization and session management. Therefore, threads and concurrent processes must be managed carefully in order to prevent race conditions from arising.
References
- CAPEC-25. Forced deadlock
- CAPEC-26. Leveraging race conditions
- CAPEC-27. Leveraging race conditions via symbolic links
- CAPEC-29. Leveraging time-of-check and time-of-use (TOCTOU) race conditions
- CAPEC-30. Hijacking a privileged thread of execution
- CAPEC-124. Shared resource manipulation
- CAPEC-233. Privilege escalation
- CWE-362. Concurrent execution using shared resource with improper synchronization ("race condition")
- CWE-367. Time-of-check time-of-use (TOCTOU) race condition
- AGILE-9. Continuous attention to technical excellence and good design
- CERTC-CON38-C. Preserve thread safety and liveness when using condition variables
- CERTJ-TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
- MITRE-M1013. Application developer guidance
- MITRE-M1025. Privileged process integrity
- WASC-W_40. Insufficient process validation
- OWASPSCP-14. General coding practices
- CWE25-362. Concurrent execution using shared resource with improper synchronization (Race condition)
- ASVS-11_1_1. Business logic security
- SIG-L_2_1. Compliance
- SANS25-21. Concurrent execution using shared resource with improper synchronization (Race condition)
- CASA-1_11_3. Communications Architecture
- NIST-ID_AM-03. Representations of the organization’s authorized network communication and internal and external network data flows are maintained
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.