Race conditions, transactions and free parking

Day 3 21:05 Zero en Security
Dec. 29, 2025 21:05-21:45
ORMs and/or developers don't understand databases, transactions, or concurrency.

After the Air France-KLM data leak I kept repeating this was not a real hack, and confessed I always wanted to hack a system based on triggering race conditions because of the lack of proper transactions. This was way easier than expected. In this talk I will show how just adding $ seq 0 9 | xargs -I@ -P10 .. can break some systems, and how to write safe database transactions that prevent abuse.

In this talk I will explain what race conditions are, give many examples of how and why code will fail, show how to properly create a database transaction, and show the result of abusing this in real life (e.g. free parking).
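
The check-then-act race and the transactional fix the abstract refers to, shown as an added example that is not taken from the talk. The wallet/parking schema, PRICE and every function name are constructed for illustration, and SQLite stands in for whatever database a real system would use.

```python
import os, sqlite3, tempfile
from concurrent.futures import ThreadPoolExecutor
from contextlib import closing

PRICE = 10  # constructed price of one parking session

def connect(path):
    # isolation_level=None: no implicit transactions; BEGIN/COMMIT are issued explicitly
    return sqlite3.connect(path, isolation_level=None, timeout=10)

def make_db():
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    with closing(connect(path)) as db:
        db.execute("CREATE TABLE wallet(id INTEGER PRIMARY KEY, balance INTEGER)")
        db.execute("CREATE TABLE parking(id INTEGER PRIMARY KEY, wallet_id INTEGER)")
        db.execute("INSERT INTO wallet VALUES (1, ?)", (PRICE,))  # funds for exactly one session
    return path

def result(path):  # -> (remaining balance, sessions granted)
    with closing(connect(path)) as db:
        return db.execute("SELECT balance, (SELECT COUNT(*) FROM parking) FROM wallet").fetchall()[0]

def unsafe_two_requests(path):
    # Check-then-act with no transaction; interleaving forced so both read before either writes
    conns = [connect(path), connect(path)]
    seen = [c.execute("SELECT balance FROM wallet WHERE id=1").fetchall()[0][0] for c in conns]
    for c, bal in zip(conns, seen):
        if bal >= PRICE:  # decision made on a stale read
            c.execute("UPDATE wallet SET balance=? WHERE id=1", (bal - PRICE,))
            c.execute("INSERT INTO parking(wallet_id) VALUES (1)")
        c.close()
    return result(path)

def charge_safe(path):
    with closing(connect(path)) as c:
        c.execute("BEGIN IMMEDIATE")  # take the write lock before touching the row
        cur = c.execute("UPDATE wallet SET balance = balance - ? "
                        "WHERE id=1 AND balance >= ?", (PRICE, PRICE))
        if cur.rowcount != 1:  # check and debit happened in one atomic statement
            c.execute("ROLLBACK")
            return False
        c.execute("INSERT INTO parking(wallet_id) VALUES (1)")
        c.execute("COMMIT")
        return True

def safe_ten_parallel(path):  # ten concurrent requests, mirroring -P10
    with ThreadPoolExecutor(10) as pool:
        granted = list(pool.map(charge_safe, [path] * 10))
    return sum(granted), result(path)
```

`unsafe_two_requests(make_db())` returns `(0, 2)`: two sessions granted for one payment. `safe_ten_parallel(make_db())` returns `(1, (0, 1))`: ten parallel requests, exactly one granted.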
