pentest-race-conditions
Pentest Race Conditions
Purpose
Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for concurrency testing
- Test accounts with balances, quotas, or limited-use resources
- Rollback plan for financial or state-mutating operations
- Rate limit awareness — confirm acceptable burst volume with target owner
Environment Setup
- Burp Suite Professional with Turbo Intruder extension
- Python 3.x with asyncio/aiohttp for parallel request scripting
- GNU parallel or xargs for shell-based concurrency
- Multiple authenticated sessions (separate cookies/tokens)
Core Workflow
- Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
- Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
- Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
- Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
- Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
- Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
- Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests |
| Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts |
| Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing |
| Proxy Analysis | Burp Suite Repeater | Request replay and timing observation |
| Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |
References
references/tools.md- Tool function signatures and parametersreferences/workflows.md- Attack pattern definitions and test vectors
More from jd-opensource/joysafeter
pentest-osint-recon
Open Source Intelligence gathering and attack surface management for external reconnaissance.
84pentest-mobile-app
OWASP Mobile Top 10 security testing for Android and iOS — local storage, certificate pinning bypass, IPC abuse, and binary protections.
56pentest-api-deep
Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.
55pentest-exploit-validation
Proof-driven exploitation with 4-level evidence system, bypass exhaustion protocol, mandatory evidence checklists, and strict EXPLOITED/POTENTIAL/FALSE_POSITIVE classification.
53pentest-secrets-exposure
Discover hardcoded credentials, leaked API keys, exposed configuration files, sensitive data in artifacts, and information disclosure via error handling.
50pentest-ai-llm-security
AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.
49