pentest-race-conditions

Original source / Raw SKILL.md

---
name: pentest-race-conditions
description: Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.
---

# Pentest Race Conditions

## Purpose
Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.

## Prerequisites

### Authorization Requirements
- **Written authorization** with explicit scope for concurrency testing
- **Test accounts** with balances, quotas, or limited-use resources
- **Rollback plan** for financial or state-mutating operations
- **Rate limit awareness** — confirm acceptable burst volume with target owner

### Environment Setup
- Burp Suite Professional with Turbo Intruder extension
- Python 3.x with asyncio/aiohttp for parallel request scripting
- GNU parallel or xargs for shell-based concurrency
- Multiple authenticated sessions (separate cookies/tokens)

## Core Workflow
1. **Target Identification**: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
2. **Single-Endpoint Races**: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
3. **Multi-Endpoint TOCTOU**: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
4. **Session-Level Races**: Parallel password change + session refresh, simultaneous role change + action execution.
5. **Database-Level Races**: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
6. **Timing Synchronization**: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
7. **Impact Documentation**: Document financial/operational impact with precise reproduction steps and timing requirements.

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests |
| Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts |
| Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing |
| Proxy Analysis | Burp Suite Repeater | Request replay and timing observation |
| Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |

## References
- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors


---

## Referenced Files

> The following files are referenced in this skill and included for context.

### references/tools.md

```markdown
# Tools

# Race Condition Tools

## Common response fields

- success: boolean
- stdout, stderr: command output
- response_times: array of per-request timing in milliseconds
- race_detected: boolean indicator of successful race exploitation

## Timing-synchronized request tools

- turbo_intruder_race(target, request_template, concurrent_requests=20, engine="threaded", gate="single_packet", additional_args=""): Burp Turbo Intruder for single-packet attack. gate: "single_packet"|"tcp_sync"|"none". Sends all requests in one TCP packet for microsecond synchronization.
- race_the_web(config_file, target="", method="POST", data="", count=10, verbose=False): Standalone race condition testing tool. config_file defines target, method, headers, body, and concurrency.

## Async HTTP scripting

- aiohttp_race(url, method="POST", data="", headers="", cookies="", concurrent=20, timeout=10): Python aiohttp-based parallel requests. Returns array of response status codes and bodies for comparison.
- httpx_parallel(url, method="POST", data="", headers="", count=20, http2=False): Python httpx async client. http2=True for HTTP/2 multiplexed requests on single connection.
- requests_threaded(url, method="POST", data="", headers="", threads=20, barrier=True): Python requests with threading.Barrier for synchronized start. barrier=True ensures all threads fire simultaneously.

## Shell concurrency

- gnu_parallel_curl(url, method="POST", data="", jobs=20, header=""): GNU parallel with curl for quick race tests. Each job sends one request; all start near-simultaneously.
- xargs_curl(url, count=20, method="POST", data="", max_procs=20): xargs -P for parallel curl invocations. Simpler than GNU parallel for basic tests.

## State verification

- state_checker(url, method="GET", headers="", field="", expected=""): Poll endpoint to verify state changes (balance, count, inventory). Compare before/after race.
- db_query(query, db_type="postgres", connection_string=""): Direct database query to verify row-level state after race. Use for definitive impact confirmation.

```

### references/workflows.md

```markdown
# Workflows

# Race Condition Workflows

## Target identification

- Map state-changing operations: balance transfers, purchases, coupon redemption, votes, likes, follows
- Identify "one per user" constraints: single-use tokens, unique registrations, limited inventory
- Review source code for missing locks: SELECT then UPDATE without FOR UPDATE, check-then-act patterns

## Single-endpoint limit-overrun

- turbo_intruder_race: concurrent_requests 20, gate "single_packet"
- Workflow:
  1. Record initial state (balance, inventory count, coupon status)
  2. Send N identical redemption/purchase requests simultaneously
  3. Compare final state: if more than 1 succeeded, race confirmed
- test_vectors:
  - Coupon redemption: apply same code 20x in parallel
  - Balance transfer: send full balance to recipient 20x
  - Inventory purchase: buy last item 20x simultaneously
  - Vote/like: submit same vote 20x

## Multi-endpoint TOCTOU

- aiohttp_race: concurrent 2 (one check, one use)
- Workflow:
  1. Identify check-then-act pairs (validate coupon → apply coupon)
  2. Send "use" request immediately after "check" returns success
  3. Repeat with increasing parallelism until window is hit
- test_vectors:
  - Check balance → transfer funds (drain beyond balance)
  - Validate coupon → apply coupon (reuse single-use code)
  - Check inventory → place order (oversell)

## Session-level races

- requests_threaded: threads 10, barrier True
- test_vectors:
  - Parallel password change + privileged action (act before session invalidates)
  - Simultaneous role downgrade + admin action
  - Concurrent session refresh + token rotation (obtain two valid tokens)
  - Parallel email change + password reset (reset sent to old email)

## Timing synchronization techniques

- Single-packet attack: pack all HTTP requests into one TCP packet (Turbo Intruder gate="single_packet")
- HTTP/2 multiplexing: send all requests on single connection via httpx_parallel http2=True
- Last-byte sync: send all requests minus final byte, then send all final bytes simultaneously
- Connection warming: pre-establish TCP connections, then fire requests in parallel

## Reporting and validation

- state_checker: verify before/after state for each race target
- Document: number of successful duplicate operations, financial impact, reproduction reliability
- Classify severity: financial double-spend (Critical), limit bypass (High), state confusion (Medium)
- Include timing requirements and success rate percentage in report

```