Lesson Plan Title: How to Exploit Thread Safety Problems

 

Concept / Topic To Teach:

Web applications can handle many HTTP requests simultaneously. Developers often use variables that are not thread safe.  Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads. It is often possible to exploit a concurrency bug by loading the same page as another user at the exact same time.
Because all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently.

 

General Goal(s):

The user should be able to exploit the concurrency error in the web application and view login information for another user that is attempting the same function at the same time.

 

This will require the use of two browser windows.

 

Figure 1 Lesson 2

 

Solution:

 

Open a new browser window by pressing CTRL-N. Position the window so that you see both input fields. Enter user name “dave” in the left window and user name “jeff” in the right window.

Click very fast on the submit button in the right window and then in the left window.

 

Figure 2 2 Browser Windows

 

The result should be that you receive the same data in both windows, even when using a different user name!

Figure 3 Lesson 2 Completed

 

The root-cause of this exploit is that the Java code uses a static variable for the user name. When submitting twice, the same thread and hence the same static variable containing the username of the first request will be used.

This is obvious when examining the Java code:

 

private static String currentUser;