The single-packet attack: making remote race-conditions 'local'
Summary
Researchers have detailed a new technique called the 'single-packet attack' that allows remote race conditions in web applications to be exploited locally. This method works by encapsulating multiple HTTP/2 requests within a single TCP packet, which mitigates network latency and jitter as a factor in triggering the race condition.
IFF Assessment
This research describes a new attack technique that makes it easier to exploit race conditions, which are a vulnerability type that can lead to security flaws.
Defender Context
This technique highlights how attackers can find novel ways to exploit timing-based vulnerabilities like race conditions. Defenders should be aware of this attack vector and review their HTTP/2 implementations for potential race condition flaws, especially in complex or stateful web applications.