ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

Related tags

Miscellaneouschronorace
Overview

ChronoRace

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that well timed race conditions can allow for uncovering all kinds of interesting edge cases. An example use case is seen here, where I was able to get arbitrary email confirmation by hitting both the confirmation and email change endpoints a couple hundred milliseconds apart.

Usage

ChronoRace takes in raw requests and repeats them with a specified time delay. Create files with the raw requests you want to run as done in the http_requests/example/ folder. Then create a configuration which references the requests.

Sample configuration

{
  "proxy": "http://127.0.0.1:8080",
  "verify_ssl": false,
  "requests": [
    {
      "file": "http_requests/example/get.txt",
      "delay": 0,
      "replacements": []
    },
    {
      "file": "http_requests/example/post.txt",
      "delay": 500,
      "replacements": [
        ["[REPLACE]", "bar"]
      ]
    }
  ]
}
Config Parameter Type Description Required Default
requests array Array of requests to make. Yes
requests[x].file string Path to file containing the raw http request. Yes
requests[x].delay integer Delay in milliseconds since start. No 0
requests[x].replacements array Replacements to perform in the request. [["replace1", "with1"], ["replace2", "with2"]]. No []
requests[x].secure boolean Make request using the https protocol. No true
proxy string Proxy URL. It's recommended to send through Burp to track the requests. No null
verify_ssl boolean Skip certificate validation. No true
threads integer Maximum number of simultaneous requests. Less threads than requests will delay them. No 100
print_response boolean Print the entire response in the console. No false

Running

pip install -r requirements.txt
python chronorace.py race -c config.json
Owner
Tanner
Tanner
GitHub Repository
Semester long, web application project for CSCI 4370/6370 (Database Management)

Database_Project Prototype ideas for website: Computer Science library (Sells books, products, etc.) Code editor Graph visualizer / creator (can save

Jordan Harman 4 Feb 17, 2022
A Python Perforce package that doesn't bring in any other packages to work.

P4CMD 🌴 A Python Perforce package that doesn't bring in any other packages to work. Relies on p4cli installed on the system. p4cmd The p4cmd module h

Niels Vaes 13 Dec 19, 2022
ICEtool - ICEtool plugin for QGIS

ICEtool ICEtool is an all in one QGIS plugin to easily compute ground temperatur

Arthur Evrard 13 Dec 16, 2022
Blender 2.80+ Timelapse Capture Tool Addon

SimpleTimelapser Blender 2.80+ Timelapse Capture Tool Addon Developed for Blender 3.0.0, tested working on 2.80.0 It's no ZBrush undo history but it's

4 Jan 19, 2022
ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Checkmarx 36 Nov 02, 2022
Simple web application, which has a single endpoint, dedicated to annotation parsing and convertion.

Simple web application, which has a single endpoint, dedicated to annotation parsing and conversion.

Pavel Paranin 1 Nov 01, 2021
Multtable is a collection of multiplication table generators in various languages.

Multtable Multtable is a collection of multiplication table generators in various languages. This project was created as a joke based on one of my bro

pollen__ 7 Mar 05, 2022
Roblox Limited Sniper For Python

Info this is version 2.1 version 3 will support more options (install python: https://www.python.org) the program will buy any limited item with a pri

1 Dec 09, 2021
A basic layout of atm working of my local database

Software for working Banking service 😄 This project was developed for Banking service. mysql server is required To have mysql server on your system u

satya 1 Oct 21, 2021
Lookup for interesting stuff in SMB shares

SMBSR - what is that? Well, SMBSR is a python script which given a CIDR/IP/IP_file/HOSTNAME(s) enumerates all the SMB services listening (445) among t

Vincenzo 112 Dec 15, 2022
Implementation of the Angular Spectrum method in Python to simulate Diffraction Patterns

Diffraction Simulations - Angular Spectrum Method Implementation of the Angular Spectrum method in Python to simulate Diffraction Patterns with arbitr

Rafael de la Fuente 276 Dec 30, 2022
A simple solution for water overflow problem in Python

Water Overflow problem There is a stack of water glasses in a form of triangle as illustrated. Each glass has a 250ml capacity. When a liquid is poure

Kris 2 Oct 22, 2021
Runtime profiler for Streamlit, powered by pyinstrument

streamlit-profiler 🏄🏼 Runtime profiler for Streamlit, powered by pyinstrument. streamlit-profiler is a Streamlit component that helps you find out w

Johannes Rieke 23 Nov 30, 2022
rebalance is a simple Python 3.9+ library for rebalancing investment portfolios

rebalance rebalance is a simple Python 3.9+ library for rebalancing investment portfolios. It supports cash flow rebalancing with contributions and wi

Darik Harter 5 Feb 26, 2022
This Python library searches through a static directory and appends artist, title, track number, album title, duration, and genre to a .json object

This Python library searches through a static directory (needs to match your environment) and appends artist, title, track number, album title, duration, and genre to a .json object. This .json objec

Edan Ybarra 1 Jun 20, 2022
Anki Cards for the HSK vocabulary Chinese-German

Anki-HanyuShuipingKaoshi Anki Cards for the HSK vocabulary Chinese-German Das Deck baut auf folgenden Quellen auf: China Endecken Wortschatz von wohok

1 Jan 07, 2022
Empresas do Brasil (CNPJs)

Biblioteca em Python que coleta informações cadastrais de empresas do Brasil (CNPJ) obtidas de fontes oficiais (Receita Federal) e exporta para um formato legível por humanos (CSV ou JSON).

BR-API: Democratizando dados do Brasil. 8 Aug 17, 2022
Listen Surah, prepare for next and Endless life...

Al-Quran In this repository, I have linked up all Surah with Arabic-Bangla Audio From Youtube. So, you just need to choose and listen. and the ( surah

SpiderX 1 Sep 30, 2022
Python script for changing the SSH banner content with other content

Banner-changer-py Python script for changing the SSH banner content with other content. The Script will take the content of a specified file range and

2 Nov 23, 2021
Here, I have discuss the three methods of list reversion. The three methods are built-in method, slicing method and position changing method.

Three-different-method-for-list-reversion Here, I have discuss the three methods of list reversion. The three methods are built-in method, slicing met

Sachin Vinayak Dabhade 4 Sep 24, 2021