MCPcopy Index your code
hub / github.com/TheHackerDev/race-the-web

github.com/TheHackerDev/race-the-web @2.0.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release 2.0.1 ↗ · + Follow
22 symbols 52 edges 5 files 22 documented · 100% updated 4y ago2.0.1 · 2017-10-03★ 6334 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Go Report Card Build Status

Race The Web (RTW)

Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options.

UPDATE: Now CI Compatible!

Version 2.0.0 now makes it easier than ever to integrate RTW into your continuous integration pipeline (à la Jenkins, Travis, or Drone), through the use of an easy to use HTTP API. More information can be found in the Usage section below.

Watch The Talk

Racing the Web - Hackfest 2016

Racing the Web - Hackfest 2016

Usage

With configuration file

$ race-the-web config.toml

API

$ race-the-web

Configuration File

Example configuration file included (config.toml):

# Sample Configurations

# Send 100 requests to each target
count = 100
# Enable verbose logging
verbose = true
# Use an http proxy for all connections
proxy = "http://127.0.0.1:8080"

# Specify the first request
[[requests]]
    # Use the GET request method
    method = "GET"
    # Set the URL target. Any valid URL is accepted, including ports, https, and parameters.
    url = "https://example.com/pay?val=1000"
    # Set the request body.
    # body = "body=text"
    # Set the cookie values to send with the request to this target. Must be an array.
    cookies = ["PHPSESSIONID=12345","JSESSIONID=67890"]
    # Set custom headers to send with the request to this target. Must be an array.
    headers = ["X-Originating-IP: 127.0.0.1", "X-Remote-IP: 127.0.0.1"]
    # Follow redirects
    redirects = true

# Specify the second request
[[requests]]
    # Use the POST request method
    method = "POST"
    # Set the URL target. Any valid URL is accepted, including ports, https, and parameters.
    url = "https://example.com/pay"
    # Set the request body.
    body = "val=1000"
    # Set the cookie values to send with the request to this target. Must be an array.
    cookies = ["PHPSESSIONID=ABCDE","JSESSIONID=FGHIJ"]
    # Set custom headers to send with the request to this target. Must be an array.
    headers = ["X-Originating-IP: 127.0.0.1", "X-Remote-IP: 127.0.0.1"]
    # Do not follow redirects
    redirects = false

TOML Spec: https://github.com/toml-lang/toml

API

Since version 2.0.0, RTW now has a full-featured API, which allows you to easily integrate it into your continuous integration (CI) tool of choice. This means that you can quickly and easily test your web application for race conditions automatically whenever you commit your code.

The API works through a simple set of HTTP calls. You provide input in the form of JSON and receive a response in JSON. The 3 API endpoints are as follows:

  • POST http://127.0.0.1:8000/set/config: Provide configuration data (in JSON format) for the race condition test you want to run (examples below).
  • GET http://127.0.0.1:8000/get/config: Fetch the current configuration data. Data is returned in a JSON response.
  • POST http://127.0.0.1:8000/start: Begin the race condition test using the configuration that you have already provided. All findings are returned back in JSON output.

Example JSON configuration (sent to /set/config using a POST request)

{
    "count": 100,
    "verbose": false,
    "requests": [
        {
            "method": "POST",
            "url": "http://racetheweb.io/bank/withdraw",
            "cookies": [
                "sessionId=dutwJx8kyyfXkt9tZbboT150TjZoFuEZGRy8Mtfpfe7g7UTPybCZX6lgdRkeOjQA"
            ],
            "body": "amount=1",
            "redirects": true
        }
    ]
}

Example workflow using curl

Note that this example uses the accompanying website for testing race condition vulnerabilities in web applications, found at RaceTheWeb.io

  1. Send the configuration data
$ curl -d '{"count":100,"verbose":false,"requests":[{"method":"POST","url":"http://racetheweb.io/bank/withdraw","cookies":["sessionId=Ay2jnxL2TvMnBD2ZF-5bXTXFEldIIBCpcS4FLB-5xjEbDaVnLbf0pPME8DIuNa7-"],"body":"amount=1","redirects":true}]}' -H "Content-Type: application/json" -X POST http://127.0.0.1:8000/set/config

{"message":"configuration saved"}
  1. Retrieve the configuration data for validation
$ curl -X GET http://127.0.0.1:8000/get/config

{"count":100,"verbose":false,"proxy":"","requests":[{"method":"POST","url":"http://racetheweb.io/bank/withdraw","body":"amount=1","cookies":["sessionId=Ay2jnxL2TvMnBD2ZF-5bXTXFEldIIBCpcS4FLB-5xjEbDaVnLbf0pPME8DIuNa7-"],"headers":null,"redirects":true}]}
  1. Start the race condition test
$ curl -X POST http://127.0.0.1:8000/start

Response (expanded for visibility):

```JSON [ { "Response": { "Body": "\n<!DOCTYPE html>\n\n \n \n \n \n \n Bank Test\n\n \n \n\n \n \n \n\n \n \n \n \n \n \n \n \n \n

\n\n

\n

\n

\n

Welcome to SpeedBank, International

\n

\n

\n \n

\n

\n

You have successfully withdrawn $1

\n

\n

\n \n \n

\n

Balance: 9999

\n

\n

\n

\n

\n

\n Amount (in dollars)\n

\n

$

\n \n

.00

\n

\n

\n \n

\n

\n

\n

\n

\n \n

\n

\n

Instructions

\n
    \n
  1. Click “Initialize” to initialize a bank account with $10,000.
  2. \n
  3. Withdraw money from your account, observe that your account balance is updated, and that you have received the amount requested.
  4. \n
  5. Repeat the request with race-the-web. Your config file should look like the following:
  6. \n
    \n# Make one request\ncount = 100\nverbose = true\n[[requests]]\n    method = \"POST\"\n    url = \"http://racetheweb.io/bank/withdraw\"\n    # Withdraw 1 dollar\n    body = \"amount=1\"\n    # Insert your sessionId cookie below.\n    cookies = [“sessionId=<insert here>\"]\n    redirects = false\n
    \n
  7. Visit the bank page again in your browser to view your updated balance. Note that the total should be $100 less ($1 * 100 requests) than when you originally withdrew money. However, due to a race condition flaw in the application, your balance will be much more, yet you will have received the money from the bank in every withdrawal.
  8. \n
\n

\n

\n

\n \n \n \n\n

\n Aaron Hnatiw 2017\n

\n \n \n \n \n \n \n \n\n", "StatusCode": 200, "Length": -1, "Protocol": "HTTP/1.1", "Headers": { "Content-Type": [ "text/html; charset=utf-8" ], "Date": [ "Fri, 18 Aug 2017 15:36:29 GMT" ] }, "Location": "" }, "Targets": [ { "method": "POST", "url": "http://racetheweb.io/bank/withdraw", "body": "amount=1", "cookies": [ "sessionId=Ay2jnxL2TvMnBD2ZF-5bXTXFEldIIBCpcS4FLB-5xjEbDaVnLbf0pPME8DIuNa7-" ], "headers": null, "redirects": true } ], "Count": 1 }, { "Response": { "Body": "\n<!DOCTYPE html>\n\n \n \n \n \n \n Bank Test\n\n \n \n\n \n \n \n\n \n \n \n \n \n \n \n \n \n

\n\n

\n

\n

\n

Welcome to SpeedBank, International

\n

\n

\n \n

\n

\n

You have successfully withdrawn $1

\n

\n

\n \n \n

\n

Balance: 9998

\n

\n

\n

\n

Core symbols most depended-on inside this repo

Error
called by 10
racer.go
SetDefaults
called by 2
helpers.go
StartRace
called by 2
racer.go
outputResponses
called by 2
cmd.go
ReadResponseBody
called by 1
helpers.go
StartAPI
called by 1
apiServ.go
sendRequests
called by 1
racer.go
compareResponses
called by 1
racer.go

Shape

Function 15
Struct 6
Method 1

Languages

Go100%

Modules by API surface

racer.go12 symbols
apiServ.go4 symbols
cmd.go3 symbols
helpers.go2 symbols
main.go1 symbols

For agents

$ claude mcp add race-the-web \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page