CHCon 2023

A Race to Auth - How I stumbled onto a race condition
11-25, 09:30–10:00 (Pacific/Auckland), Ngaio Marsh Theatre

What happens when your web application uses the default sign in manager function that is subject to a race condition? Shall we attempt to brute force it? Why not? What's the worst that could happen? An 8.1 CVSS! This talk will cover a race condition I found in .NET’s default sign in manager. I will discuss how I found it, how I exploited it, and potential mitigations to prevent it from being abused.

Jack Moran is a Security Consultant working for ZX Security in Wellington. His work involves breaking web applications, APIs, cracking them hashes, and pondering why we do things the way we do them. Beyond that, Jack is an avid gamer, home lab enthusiast, and Raspberry Pi hoarder!