by TeMPOraL 747 days ago
Great writeup. There's just one thing I don't get: the auth part. It seems the author managed to access protected endpoints without any auth, by just repeating the same request over and over until the endpoint randomly accepted it. The part that confuses me is, how could that possibly happen? What possible architecture could this system have to enable this specific failure mode?

I struggle to think of anything, short of auth handling being a separate service injected between a load balancer and the API servers, and someone somehow forgot to include that in autoscaling config; but surely this is not how you do things, is it?


> how could that possibly happen?

Global singleton shared across requests, instead of request-scoped.

1. [Client 1/You] Auth/write to variable (failed).

2. [Client 2/ISP] Auth/write to variable (success).

3. Verify what the result was (success).

A race condition combined with a global singleton can easily explain such behavior.
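The three-step interleaving above, as an added example that is not part of the thread (the Spring analogue would be a singleton-scoped bean that stores per-request auth state in a field). The request handler is split into its "write the auth result" step and its "read it back and decide" step so the two requests can be interleaved in a fixed order; the client names, tokens and responses are made up. The same handler is then run with one shared `AuthState` object (the singleton) and with a fresh object per request, and finally under real threads.

```python
"""Added example (not from the thread): auth state held in a global singleton
versus per-request state. Two constructed "clients" send requests at the same
time: "you" with a bogus token and "isp" with a valid one."""
import threading
import time
from dataclasses import dataclass
from typing import Optional

VALID_TOKENS = {"tok-isp-42"}          # constructed: the only token that should pass


@dataclass
class AuthState:
    authenticated: bool = False
    principal: Optional[str] = None


def authenticate(token: str) -> bool:
    return token in VALID_TOKENS


def handler_steps(state: AuthState, token: str):
    """Request handler, split at the point where another request can interleave.
    Step 1 writes the auth result into `state`; step 2 reads it back to decide
    whether to serve. If `state` is shared, step 2 may see another request's write."""
    ok = authenticate(token)
    state.authenticated = ok
    state.principal = token if ok else None
    yield "wrote"
    if state.authenticated:
        yield ("200 OK", state.principal)
    else:
        yield ("401 Unauthorized", None)


def replay(requests, schedule, state_for):
    """Drive the handlers as coroutines in a fixed interleaving.
    `state_for(name)` supplies the AuthState each request operates on."""
    gens = {name: handler_steps(state_for(name), tok) for name, tok in requests.items()}
    results = {}
    for name in schedule:
        out = next(gens[name])
        if out != "wrote":
            results[name] = out
    return results


REQUESTS = {"you": "tok-bogus", "isp": "tok-isp-42"}
# 1. you write (failed)  2. isp write (success)  3. you verify  4. isp verify
SCHEDULE = ["you", "isp", "you", "isp"]


def run_global_singleton():
    shared = AuthState()                                    # one object for every request
    return replay(REQUESTS, SCHEDULE, lambda _name: shared)


def run_request_scoped():
    return replay(REQUESTS, SCHEDULE, lambda _name: AuthState())  # fresh object per request


def count_leaks_under_threads(trials: int = 500, shared: bool = True) -> int:
    """Same handler on real threads: how often does "you" get a 200?
    With shared=False each request gets its own state and the count is always 0."""
    leaks = 0
    for _ in range(trials):
        state = AuthState()
        barrier = threading.Barrier(2)
        outcome = {}

        def request(name, token):
            steps = handler_steps(state if shared else AuthState(), token)
            barrier.wait()               # both requests start together
            next(steps)                  # step 1: write
            time.sleep(0)                # widen the window for the other write
            outcome[name] = next(steps)  # step 2: verify

        threads = [threading.Thread(target=request, args=item) for item in REQUESTS.items()]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        if outcome["you"][0] == "200 OK":
            leaks += 1
    return leaks


if __name__ == "__main__":
    print("global singleton :", run_global_singleton())
    print("request scoped   :", run_request_scoped())
    print("threaded leaks, global singleton:", count_leaks_under_threads(shared=True), "/ 500")
    print("threaded leaks, request scoped  :", count_leaks_under_threads(shared=False), "/ 500")
```

In the scheduled replay the bogus client is served with the other client's principal, exactly the "repeat until it randomly works" symptom: the outcome depends only on whether a valid request wrote to the shared object between this request's write and its read. The threaded count varies from run to run for the shared case and is always zero for the per-request case, which is the property an audit would look for: auth results must live in request-scoped storage (a local, a request attribute, or thread-/context-local state), never in a field of a singleton.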

The article mentions Spring, although I couldn't see anything in the output that would tip me off (like massive java.lang.xxxException traces) ... plus I've seen other mentions of singletons in this discussion --

Are you describing some kind of server-side global object that statefully says a session/API key is "authenticated" and will then allow the request during that time frame? That seems like a bug you could drive container ships through. Yes, I know SaaS s/w sucks out there, but this would seem to at least be something an audit could easily flag.

Test server from early development put into production?