Poster: The Risk of Insufficient Isolation of Database Transactions in Web Applications

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 (2023)

Abstract
Web applications that use databases for persistence frequently expose security flaws caused by race conditions. The commonly accepted remedy is to wrap related database operations in transactions. Unfortunately, sole reliance on transactions to isolate competing sets of database interactions is often misplaced. While the precise isolation properties of transactions depend on the configuration of the database management system (DBMS), the default configuration of common DBMSes exposes transactions to anomalies that render their protection worthless. We give a comprehensive overview of the behavior of common DBMSes with respect to transactions and show that their default settings are insufficient to provide comprehensive protection. Furthermore, we conduct a preliminary study of how commonly transactions and isolation configuration adjustments are deployed across 4.222 open source PHP applications that use SQL, finding 2.789 transactions and only 418 isolation adjustment indicators. Our findings indicate that race conditions are an underappreciated vulnerability class and that isolation adjustments are too rare for transactions to reliably provide sufficient protection.
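As an added example (not the paper's tooling), the kind of indicator scan the preliminary study describes, run over constructed PHP snippets: it counts transaction starts against isolation adjustments and flags files that open transactions while leaving the DBMS defaults in place. The indicator patterns and the `audit`/`totals` helpers are assumptions, not the paper's.

```python
import re

# Constructed sample PHP sources (hypothetical, not from the paper's corpus).
SAMPLES = {
    "checkout.php": """<?php
$db->beginTransaction();
$row = $db->query("SELECT stock FROM items WHERE id = 7")->fetch();
if ($row['stock'] > 0) {  // check-then-act under default isolation
    $db->exec("UPDATE items SET stock = stock - 1 WHERE id = 7");
}
$db->commit();
""",
    "withdraw.php": """<?php
$db->exec("SET TRANSACTION ISOLATION LEVEL SERIALIZABLE");
$db->beginTransaction();
$row = $db->query("SELECT balance FROM accounts WHERE id = 3 FOR UPDATE")->fetch();
$db->exec("UPDATE accounts SET balance = balance - 50 WHERE id = 3");
$db->commit();
""",
    "report.php": """<?php
$rows = $db->query("SELECT * FROM orders")->fetchAll();
""",
}

# Assumed indicator patterns: a transaction is opened (PDO call or raw SQL) ...
TRANSACTION_START = re.compile(
    r"beginTransaction\s*\(|\bSTART\s+TRANSACTION\b|\bBEGIN\b", re.I)
# ... and the isolation level is raised or explicit row locking is used.
ISOLATION_ADJUST = re.compile(
    r"SET\s+(?:SESSION\s+)?TRANSACTION\s+ISOLATION\s+LEVEL"
    r"|\bFOR\s+UPDATE\b|\bLOCK\s+IN\s+SHARE\s+MODE\b", re.I)


def audit(sources):
    """Per file: count both indicator kinds and flag files that open
    transactions but never adjust isolation, i.e. rely on DBMS defaults."""
    report = {}
    for name, src in sources.items():
        tx = len(TRANSACTION_START.findall(src))
        iso = len(ISOLATION_ADJUST.findall(src))
        report[name] = {"transactions": tx, "isolation_adjustments": iso,
                        "at_risk": tx > 0 and iso == 0}
    return report


def totals(report):
    """Corpus-level tally of transactions vs. adjustments, plus at-risk files."""
    return (sum(r["transactions"] for r in report.values()),
            sum(r["isolation_adjustments"] for r in report.values()),
            [n for n, r in report.items() if r["at_risk"]])
```

Running `totals(audit(SAMPLES))` on the constructed samples yields two transactions, two adjustments and one at-risk file, the check-then-act pattern in `checkout.php`.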
Keywords
DBMS,Race Condition,Transaction,Web Application,Isolation Level