pentest-race-conditions

Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "pentest-race-conditions" with this command: npx skills add jd-opensource/joysafeter/jd-opensource-joysafeter-pentest-race-conditions

Pentest Race Conditions

Purpose

Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.

Prerequisites

Authorization Requirements

  • Written authorization with explicit scope for concurrency testing
  • Test accounts with balances, quotas, or limited-use resources
  • Rollback plan for financial or state-mutating operations
  • Rate limit awareness — confirm acceptable burst volume with target owner

Environment Setup

  • Burp Suite Professional with Turbo Intruder extension
  • Python 3.x with asyncio/aiohttp for parallel request scripting
  • GNU parallel or xargs for shell-based concurrency
  • Multiple authenticated sessions (separate cookies/tokens)

Core Workflow

  1. Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
  2. Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
  3. Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
  4. Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
  5. Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
  6. Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
  7. Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.

Tool Categories

CategoryToolsPurpose
Timing AttacksTurbo Intruder, race-the-webMicrosecond-synchronized parallel requests
Async ScriptingPython asyncio/aiohttp, httpxCustom race condition scripts
Shell ConcurrencyGNU parallel, xargs, curlQuick parallel request testing
Proxy AnalysisBurp Suite RepeaterRequest replay and timing observation
Database Monitoringpg_stat_activity, SHOW PROCESSLISTObserve lock contention and deadlocks

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

pentest-osint-recon

No summary provided by upstream source.

Repository SourceNeeds Review
39-jd-opensource
General

pentest-mobile-app

No summary provided by upstream source.

Repository SourceNeeds Review
38-jd-opensource
General

pentest-exploit-validation

No summary provided by upstream source.

Repository SourceNeeds Review
35-jd-opensource
General

pentest-ctf-binary

No summary provided by upstream source.

Repository SourceNeeds Review
31-jd-opensource