Smashing the state machine: the true potential of web race conditions
https://portswigger.net/research/smashing-the-state-machine [portswigger.net]
2023-08-10 16:24
HTTP request processing isn’t atomic - any endpoint might be sending an application through invisible sub-states. This means that with race conditions, everything is multi-step. The single-packet attack solves network jitter, making it as though every attack is on a local system. This exposes vulnerabilities that were previously near-impossible to detect or exploit.
source: L