The True Potential of Web Race Conditions


James Kettle of PortSwigger reveals sophisticated web race condition exploits, demonstrating how attackers can manipulate state machines and create backdoors through precise timing attacks.

Web race conditions have traditionally been limited to simple limit-overrun exploits, masking their true destructive potential. Recent discoveries reveal that these vulnerabilities can be far more sophisticated, allowing attackers to manipulate state machines, forge trusted data and create persistent backdoors in web applications.

The evolution of web architectures and distributed systems has created complex state transitions that are vulnerable to precise timing attacks. Traditional detection methods have failed to identify these issues due to network jitter and inadequate tooling, leaving critical vulnerabilities undiscovered in popular frameworks and high-profile websites.

With the emergence of new attack techniques that can deliver 30 synchronized requests within a sub-1-ms window, it's crucial for security professionals to understand and defend against these advanced race condition exploits.

This session, led by James Kettle, director of research at PortSwigger, will cover:

  • Novel race condition attack patterns beyond traditional limit-overrun scenarios
  • Advanced techniques for manipulating state machines and exploiting token misrouting
  • Methodology for efficient vulnerability detection and exploitation using the single packet attack
  • Practical approaches for eliminating network jitter and achieving reliable exploitation across different HTTP versions

Here is the course outline:

The True Potential of Web Race Conditions