pentest-race-conditions

Original：🇺🇸 English

Translated

Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.

3installs

Sourcejd-opensource/joysafeter

Added on2026-03-10

NPX Install

npx skill4agent add jd-opensource/joysafeter pentest-race-conditions

SKILL.md Content

View Translation Comparison →

Pentest Race Conditions

Purpose

Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.

Prerequisites

Authorization Requirements

Written authorization with explicit scope for concurrency testing
Test accounts with balances, quotas, or limited-use resources
Rollback plan for financial or state-mutating operations
Rate limit awareness — confirm acceptable burst volume with target owner

Environment Setup

Burp Suite Professional with Turbo Intruder extension
Python 3.x with asyncio/aiohttp for parallel request scripting
GNU parallel or xargs for shell-based concurrency
Multiple authenticated sessions (separate cookies/tokens)

Core Workflow

Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.

Tool Categories

Category	Tools	Purpose
Timing Attacks	Turbo Intruder, race-the-web	Microsecond-synchronized parallel requests
Async Scripting	Python asyncio/aiohttp, httpx	Custom race condition scripts
Shell Concurrency	GNU parallel, xargs, curl	Quick parallel request testing
Proxy Analysis	Burp Suite Repeater	Request replay and timing observation
Database Monitoring	pg_stat_activity, SHOW PROCESSLIST	Observe lock contention and deadlocks

References

```
references/tools.md
```
- Tool function signatures and parameters
```
references/workflows.md
```
- Attack pattern definitions and test vectors