Hello and welcome to the Secure Coding course. My name is Miss Anywhere,
and we will be looking at the lab for the Honorable Mention section.
Now, for this particular lab, you're going to bring up WebGoat, and you need to go ahead and go to the Concurrency menu
and click Thread Safety Problems.
Now, in order to perform this lab, it says: the user should be able to exploit the concurrency error in this web application and view login information for another user that is attempting the same function at the same time. This will require the use of two browsers.
The valid user names are Jeff and Dave.
Now, in order to perform this lab, all you need to do is actually just create another tab open at the same menu location.
Now, in one of the boxes, you're going to type Jeff,
and in your other tab, you're going to type Dave in the box.
Now, remember from our previous discussion that this is about thread safety, and so two threads are going to try to access the same information at the same time, and we're going to see the problem that occurs because of that.
So let's go ahead and try to click Submit at the exact same time.
Okay, and so what you can see is that I'm now seeing Dave's information
on both displays, right? And so
the way to make this lab work, if you're having trouble, is
you've got to be able to click both Submits while the browser is still spinning, and then you'll be able to actually solve the lab.
So from a secure coding perspective, if you actually click this Show Java button,
you can see the code that was written on the back end. And
if you just scroll through some of the code, look for a variable called currentUser, and you'll see here that we've got a method called createContext. We're passing in a WebSession.
We create a database connection.
We parse our parameter userName, and we make that our currentUser.
And then, of course, we assign it to user one,
and we basically do this query where we pass in that currentUser value.
Now the problem, as we spoke of in
our explanation of race conditions, is that we don't have any way of protecting the threads from each other. And so any thread can come in here and run this query,
and they're not mutually exclusive. And so we would really need to have this code segregated so that each thread can perform the particular query in a thread-safe method,
in order for each thread to perform the query
mutually exclusively from each other.
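The pattern the lesson walks through, as an added example that is not the course's or WebGoat's own code: a lookup object keeps the request's user name in a field shared by every thread (the bug), beside two thread-safe versions, one that keeps the name in a per-call local and one that makes the whole lookup mutually exclusive with a lock. The in-memory user table, the class and method names, and the `threading.Barrier` sync point (used only so the example forces the two threads to interleave deterministically instead of relying on clicking Submit at the same time) are all constructed for this example.

```python
import threading

# Constructed in-memory "database": user name -> login information (sample data).
USERS = {
    "jeff": {"first_name": "Jeff", "login_count": 7},
    "dave": {"first_name": "Dave", "login_count": 3},
}


class VulnerableLookup:
    """Models the lesson's bug: the parsed user name lives in a field shared by all threads."""

    def __init__(self, sync_point):
        self.current_user = None   # shared instance state: this is the race
        self._sync = sync_point    # forces both threads to interleave between write and read

    def lookup(self, user_name):
        self.current_user = user_name           # step 1: store the request parameter
        self._sync.wait(timeout=5)              # both threads get here before either queries
        return dict(USERS[self.current_user])   # step 2: query with whatever the field holds now


class LocalVariableLookup:
    """Fix 1: no shared state; each call owns its own copy of the user name."""

    def __init__(self, sync_point):
        self._sync = sync_point

    def lookup(self, user_name):
        current_user = user_name                # per-call local, invisible to other threads
        self._sync.wait(timeout=5)              # same interleaving, no longer a problem
        return dict(USERS[current_user])


class LockedLookup:
    """Fix 2: the field stays shared, but store-and-query runs mutually exclusively."""

    def __init__(self, sync_point=None):
        self.current_user = None
        self._lock = threading.Lock()
        # The barrier is deliberately not used here: a thread holding the lock
        # waiting for a thread blocked on that same lock would deadlock.

    def lookup(self, user_name):
        with self._lock:                        # only one thread is inside at a time
            self.current_user = user_name
            return dict(USERS[self.current_user])


def run_concurrently(lookup_obj, names):
    """Run one lookup per name on its own thread and collect name -> result."""
    results = {}

    def worker(name):
        results[name] = lookup_obj.lookup(name)

    threads = [threading.Thread(target=worker, args=(n,)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo(lookup_cls):
    """Two concurrent requests, Jeff and Dave, against a fresh lookup object."""
    barrier = threading.Barrier(2)
    return run_concurrently(lookup_cls(barrier), ["jeff", "dave"])


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableLookup))      # both requests see the same user
    print("local var: ", demo(LocalVariableLookup))   # each request sees its own user
    print("locked:    ", demo(LockedLookup))          # each request sees its own user
```

With the shared field, whichever thread writes last wins and both requests return that user's record, which is exactly what the two-tab exercise shows in the browser. Either fix is sufficient; keeping request data in locals is the simpler of the two and avoids the lock's serialization cost.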