---
name: pentest-race-conditions
description: Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.
---

# Pentest Race Conditions

## Purpose

Exploit applications that fail to handle concurrent requests atomically, enabling double-spend, limit bypass, and privilege escalation through parallel requests. This class is absent from the standard WSTG categories but critical in real-world assessments.

## Prerequisites

### Authorization Requirements

- **Written authorization** with explicit scope for concurrency testing
- **Test accounts** with balances, quotas, or limited-use resources
- **Rollback plan** for financial or state-mutating operations
- **Rate limit awareness** — confirm the acceptable burst volume with the target owner

### Environment Setup

- Burp Suite Professional with the Turbo Intruder extension
- Python 3.x with asyncio/aiohttp for parallel request scripting
- GNU parallel or xargs for shell-based concurrency
- Multiple authenticated sessions (separate cookies/tokens)

## Core Workflow

1. **Target Identification**: Identify race-prone operations: balance transfers, coupon redemption, inventory purchases, vote/like systems, token generation, file operations.
2. **Single-Endpoint Races**: Send N identical requests simultaneously to bypass "one per user" limits or duplicate transactions (limit overrun).
3. **Multi-Endpoint TOCTOU**: Exploit the time gap between check and use: validate a coupon then apply it, check a balance then debit it.
4. **Session-Level Races**: Parallel password change + session refresh, simultaneous role change + action execution.
5. **Database-Level Races**: Exploit missing row-level locks, test optimistic vs. pessimistic concurrency, trigger deadlocks.
6. **Timing Synchronization**: Use the single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
7. **Impact Documentation**: Document financial/operational impact with precise reproduction steps and timing requirements.
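The limit-overrun and check-then-use steps above come down to one pattern: a check and a state change that are not atomic. The Python below is an added illustration written for this page (it is not part of the skill or its `references/` files) and simulates a single-use coupon redeemed by ten workers released at the same instant. The vulnerable path reads the counter, pauses in the check/use gap, then writes; the hardened path holds check and update in one critical section, which is the in-process equivalent of a single conditional `UPDATE`. `CouponLedger`, `run_parallel` and `demo` are names invented for the example.

```python
import threading


class CouponLedger:
    """In-memory stand-in for a coupon table (code -> redemptions so far).
    Hypothetical class written for this example, not from any real service."""

    def __init__(self, max_uses=1):
        self.max_uses = max_uses
        self.uses = {}
        self._lock = threading.Lock()   # used only by the hardened path

    def redeem_racy(self, code, settle=None):
        """Vulnerable check-then-act. 'settle' stands in for the round trip
        between the SELECT (time of check) and the UPDATE (time of use)."""
        used = self.uses.get(code, 0)            # time of check
        if used >= self.max_uses:
            return False
        if settle is not None:
            settle()                             # every worker is past the check here
        self.uses[code] = used + 1               # time of use: writes a stale value
        return True

    def redeem_atomic(self, code):
        """Hardened version: check and update form one critical section.
        The database analogue is one conditional statement such as
        UPDATE coupons SET uses = uses + 1 WHERE code = ? AND uses < ?
        with rowcount == 0 treated as 'already redeemed'."""
        with self._lock:
            used = self.uses.get(code, 0)
            if used >= self.max_uses:
                return False
            self.uses[code] = used + 1
            return True


def run_parallel(redeem, code, n):
    """Fire n calls of redeem(code) released together by a barrier (the
    in-process analogue of landing all requests at once) and return how
    many of them reported success."""
    start = threading.Barrier(n)
    results = []

    def worker():
        start.wait()
        results.append(redeem(code))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(n=10, code="SAVE10"):
    """Returns (successes against the racy path, successes against the
    hardened path, number of uses the racy ledger recorded)."""
    racy = CouponLedger(max_uses=1)
    window = threading.Barrier(n)   # parks every worker inside the TOCTOU window
    overrun = run_parallel(lambda c: racy.redeem_racy(c, window.wait), code, n)

    hardened = CouponLedger(max_uses=1)
    limited = run_parallel(hardened.redeem_atomic, code, n)
    return overrun, limited, racy.uses[code]


if __name__ == "__main__":
    overrun, limited, recorded = demo()
    print(f"racy: {overrun} successes, ledger recorded {recorded} use(s)")
    print(f"atomic: {limited} success(es)")
```

Two points worth noting from the result: all ten racy calls succeed while the ledger ends up showing a single use, because each worker writes back its stale `used + 1`, so the data alone does not reveal the overrun; and the barrier makes the window deterministic here, whereas against a live service the window is whatever the request synchronization (step 6) can achieve.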
## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests |
| Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts |
| Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing |
| Proxy Analysis | Burp Suite Repeater | Request replay and timing observation |
| Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors
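The monitoring row of the table covers the database side; on the application side the footprint of a single-endpoint race is a tight burst of identical state-mutating requests from one session. As an added example written for this page (not part of the skill or its `references/` files), the Python below parses constructed access-log lines and flags any session that sent at least `threshold` requests to the same endpoint within `window_ms`. The log format, `SAMPLE_LOG`, `parse_line` and `find_bursts` are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real system): ISO timestamp with
# milliseconds, session id, method, path, status code.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000Z sess=a1 POST /api/coupon/redeem 200
2024-05-01T10:00:00.003Z sess=a1 POST /api/coupon/redeem 200
2024-05-01T10:00:00.004Z sess=a1 POST /api/coupon/redeem 200
2024-05-01T10:00:00.006Z sess=a1 POST /api/coupon/redeem 200
2024-05-01T10:00:00.007Z sess=a1 POST /api/coupon/redeem 200
2024-05-01T10:00:00.500Z sess=b2 GET /api/account 200
2024-05-01T10:00:00.510Z sess=b2 GET /api/account 200
2024-05-01T10:00:00.520Z sess=b2 GET /api/account 200
2024-05-01T10:00:00.530Z sess=b2 GET /api/account 200
2024-05-01T10:00:00.540Z sess=b2 GET /api/account 200
2024-05-01T10:00:01.000Z sess=c3 POST /api/transfer 200
2024-05-01T10:00:02.000Z sess=c3 POST /api/transfer 200
2024-05-01T10:00:03.000Z sess=c3 POST /api/transfer 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict with millisecond timestamp, session, method, path and
    status, or None for a line that does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "ms": (ts - EPOCH) // timedelta(milliseconds=1),   # exact integer ms
        "sess": m["sess"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bursts(log_text, threshold=5, window_ms=50, only_mutating=True):
    """Group requests by (session, method, path) and report every group with
    at least `threshold` requests inside some `window_ms` span, as tuples of
    (session, method, path, count, span_ms). Reads (GET etc.) are skipped by
    default because a race needs a state change to matter."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (only_mutating and rec["method"] not in MUTATING):
            continue
        buckets[(rec["sess"], rec["method"], rec["path"])].append(rec["ms"])

    findings = []
    for key, times in buckets.items():
        times.sort()
        best = None
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window_ms:
                lo += 1
            count = hi - lo + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[hi] - times[lo])
        if best is not None:
            findings.append((*key, best[0], best[1]))
    return findings


if __name__ == "__main__":
    for sess, method, path, count, span in find_bursts(SAMPLE_LOG):
        print(f"{sess}: {count} x {method} {path} within {span} ms")
```

On the sample, only session `a1` is reported (five `POST /api/coupon/redeem` within 7 ms); the `GET` burst from `b2` is ignored unless `only_mutating=False`, and the `c3` transfers are a second apart and never fall inside the window. The threshold and window are the knobs to tune against a real service's baseline, and a hit is a reason to look at the endpoint's check-then-act logic, not proof of an exploit.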