Pentest Race Conditions

Purpose

Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, and privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.

Prerequisites

Authorization Requirements

  • Written authorization with explicit scope for concurrency testing
  • Test accounts with balances, quotas, or limited-use resources
  • Rollback plan for financial or state-mutating operations
  • Rate limit awareness — confirm acceptable burst volume with target owner

Environment Setup

  • Burp Suite Professional with Turbo Intruder extension
  • Python 3.x with asyncio/aiohttp for parallel request scripting
  • GNU parallel or xargs for shell-based concurrency
  • Multiple authenticated sessions (separate cookies/tokens)

Core Workflow

  1. Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
  2. Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
  3. Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
  4. Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
  5. Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
  6. Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
  7. Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.
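The check-then-act bug behind steps 3 and 5, as an added Python model that is not part of the skill's own files (the `Account` class, `run_parallel` and `demo` are hypothetical names): the racy withdrawal reads the balance, then writes a value computed from that stale read, while the hardened version holds the check and the debit under one lock, the equivalent of a conditional `UPDATE ... WHERE balance >= ?` with a rowcount check. The `Barrier` is a constructed stand-in for the synchronization the single-packet technique achieves, forcing every request's check to finish before any request writes.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class Account:
    """Toy in-memory account standing in for one row of a balance table."""
    balance: int
    lock: threading.Lock = field(default_factory=threading.Lock)

    def withdraw_racy(self, amount, gap=None):
        # Check-then-act with nothing making the pair atomic (the TOCTOU bug).
        if self.balance < amount:            # check
            return False
        new_balance = self.balance - amount  # computed from the checked value
        if gap is not None:
            gap.wait()                       # window between check and use
        self.balance = new_balance           # use: overwrites concurrent debits
        return True

    def withdraw_atomic(self, amount):
        # Check and debit under one lock. The SQL equivalent is a conditional
        # UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
        # with rowcount == 0 treated as "insufficient funds".
        with self.lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def run_parallel(fn, n, *args):
    """Fire n identical operations at once and return how many succeeded."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(fn(*args)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(n=5, amount=30, start=100):
    """Returns ((racy successes, racy balance), (atomic successes, atomic balance))."""
    racy = Account(balance=start)
    # Barrier: every request completes its check before any request writes,
    # the worst-case interleaving that synchronized parallel requests produce.
    gap = threading.Barrier(n, timeout=5)
    racy_ok = run_parallel(racy.withdraw_racy, n, amount, gap)
    safe = Account(balance=start)
    safe_ok = run_parallel(safe.withdraw_atomic, n, amount)
    return (racy_ok, racy.balance), (safe_ok, safe.balance)
```

`demo()` returns `((5, 70), (3, 10))`: five withdrawals of 30 all report success while the racy balance only drops by 30 (limit-overrun), whereas the atomic version stops after three.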

Tool Categories

| Category | Tools | Purpose |
| --- | --- | --- |
| Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests |
| Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts |
| Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing |
| Proxy Analysis | Burp Suite Repeater | Request replay and timing observation |
| Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

Weekly Installs: 26
GitHub Stars: 175
First Seen: Feb 18, 2026