ORDER OF OPERATIONS
CONTEXT
APIs can appear to be a static set of getters and setters, but once they are built into other
applications, the combinations and permutations of calls can drive unexpected behavior on the
enterprise back end.
VULNERABILITIES IDENTIFICATION & TRACKING
Old-school security folks may call this one "Madame TOCTOU", for time-of-check, time-of-use
vulnerabilities, or race conditions.
Race conditions are notoriously difficult to identify. Manual synthetic testing under load is
one of the better options here.
COUNTERMEASURE(S)
Granular control on the server side for full-session state management is the main countermeasure.
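The race described under vulnerability identification, and the server-side countermeasure named above, as an added example that is not part of the original slide: a Python model of a "withdraw" API handler whose balance check and debit are separate steps, a concurrency test that forces the bad interleaving (the synthetic-load approach the text recommends), and a hardened handler that performs check and use as one atomic step under server-side state control. The names (Account, withdraw_racy, withdraw_safe) and the balances are constructed for this example.

```python
"""Added example (not from the original slide): a TOCTOU race in an API
'withdraw' handler, a deterministic concurrency test that exposes it, and
the hardened handler that serialises check-and-use on the server.
All names and amounts are constructed for illustration."""
import threading
import time
from typing import Callable, Dict, List


class Account:
    """Minimal server-side account record (constructed for the example)."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int, between: Callable[[], None]) -> bool:
    """Vulnerable handler: the balance check and the debit are separate steps."""
    if acct.balance < amount:          # time of check
        return False
    between()                          # latency between check and use (another call, I/O)
    with acct.lock:                    # the debit itself is atomic, like a single UPDATE ...
        acct.balance -= amount         # ... but the check it relied on may already be stale
    return True


def withdraw_safe(acct: Account, amount: int, between: Callable[[], None]) -> bool:
    """Hardened handler: check and debit are one atomic step under a server-side lock."""
    with acct.lock:
        if acct.balance < amount:
            return False
        between()
        acct.balance -= amount
        return True


def run_concurrent(withdraw, balance: int, amount: int, n_clients: int,
                   between: Callable[[], None]) -> Dict[str, int]:
    """Fire n_clients identical withdrawals at one account at the same time."""
    acct = Account(balance)
    results: List[bool] = []

    def client() -> None:
        results.append(withdraw(acct, amount, between))

    threads = [threading.Thread(target=client) for _ in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"balance": acct.balance, "successes": sum(results)}


def demo_racy() -> Dict[str, int]:
    """Force the worst interleaving: both clients pass the check, then both debit."""
    barrier = threading.Barrier(2)     # neither client debits until both have passed the check
    return run_concurrent(withdraw_racy, 100, 80, 2, barrier.wait)


def demo_safe() -> Dict[str, int]:
    """Same request pattern against the locked handler: only one debit can succeed.
    (A barrier inside the locked section would deadlock, which is the point:
    the lock forbids that interleaving, so plain latency is used instead.)"""
    return run_concurrent(withdraw_safe, 100, 80, 2, lambda: time.sleep(0.01))


def overdraft_count(withdraw, trials: int = 50) -> int:
    """Synthetic load test: 5 simultaneous withdrawals of which only one should win;
    returns how many trials ended with the invariant (balance >= 0) violated."""
    overdrafts = 0
    for _ in range(trials):
        r = run_concurrent(withdraw, 100, 80, 5, lambda: time.sleep(0.001))
        if r["balance"] < 0:
            overdrafts += 1
    return overdrafts


if __name__ == "__main__":
    print("forced interleaving, racy:", demo_racy())
    print("forced interleaving, safe:", demo_safe())
    print("overdrafts under load, racy:", overdraft_count(withdraw_racy))
    print("overdrafts under load, safe:", overdraft_count(withdraw_safe))
```

The racy handler shows why an atomic write alone is not enough: the debit is serialised, but the decision that authorised it was taken on stale state. On a real back end the lock corresponds to a database transaction or a conditional update (debit only where the stored balance still covers the amount), and the load test corresponds to replaying the same request concurrently against a staging instance and checking the invariants afterwards, which is the synthetic testing under load the slide recommends.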
ASSURANCE
TOCTOU vulnerabilities are among the hardest kinds to detect because they only appear under
dynamic testing at load.
10 | The Curious Case of Order of Operations