Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

You Can’t Always Win Racing the (Key)cloak - 1447

Maor Abutbul - CyberArk. Posted 1 Year Ago
  • Keycloak is an open source IAM solution with user management and SSO. The authors decided to tackle some race conditions within the system relating to user management.
  • After reading the James Kettle post on race conditions, the authors were curious about race conditions in the user registration process. While reading the source code, they noticed that the email verification requirement was added in a later step, after the user was created. So, their idea was to make a login request AFTER the user was created but BEFORE the restriction was added.
  • While digging into this, they noticed that the ORM used in the program wraps its writes in database transactions. This means that the database writes are grouped together and committed as one unit, making the race condition impossible to hit. Regardless, it was interesting seeing their methodology for finding these multi-step types of bugs.
  • They found a classic limit overrun race condition within the rate limiting for API key creation but no multi-step issues.
  • I felt like the post overhyped some of the issues tbh. But, I enjoyed the race condition discussions on it.
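
Why the transaction closes the registration window, as an added example (not code from the original post or from Keycloak): a second SQLite connection plays the concurrent login check between the two registration writes. The schema, the user `alice`, and the `observe_window` and `login_state` helpers are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed query: a user with no pending required action may log in.
QUERY = ("SELECT u.name, r.action FROM users u "
         "LEFT JOIN required_actions r ON r.name = u.name "
         "WHERE u.name = 'alice'")

def observe_window(transactional):
    """Return (state seen between the two writes, state seen afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "users.db")
        # isolation_level=None: autocommit unless we issue BEGIN ourselves.
        writer = sqlite3.connect(path, isolation_level=None)
        reader = sqlite3.connect(path, isolation_level=None)
        writer.execute("CREATE TABLE users (name TEXT PRIMARY KEY)")
        writer.execute("CREATE TABLE required_actions (name TEXT, action TEXT)")

        def login_state():
            # fetchall() exhausts the statement so the reader holds no lock.
            rows = reader.execute(QUERY).fetchall()
            if not rows:
                return "no such user"
            return "blocked: verify email" if rows[0][1] else "login allowed"

        if transactional:
            writer.execute("BEGIN")
        # Step 1: create the user.
        writer.execute("INSERT INTO users VALUES ('alice')")
        mid = login_state()  # the concurrent login lands here
        # Step 2: attach the email verification requirement.
        writer.execute(
            "INSERT INTO required_actions VALUES ('alice', 'VERIFY_EMAIL')")
        if transactional:
            writer.execute("COMMIT")
        after = login_state()
        writer.close()
        reader.close()
        return mid, after

if __name__ == "__main__":
    print("separate commits:", observe_window(False))
    print("one transaction: ", observe_window(True))
```

With separate commits the login check sees a user with no restriction yet; inside one transaction the user does not exist for other connections until both writes commit together.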