Race Conditions

Check List

Cheat Sheet

Methodology (Black Box)

Race Condition / Concurrency Testing

1. Create a free account on the target
2. Navigate to the section offering “Claim Free <resource>” or “Purchase <item>”
3. Trigger the action and observe the redirect or request to https:///api//start?item=<resource_name>
4. Capture the final transaction request: POST /api/v1/<api-endpoint>
5. Duplicate this request 5–15 times
6. Modify a minor field (such as a parameter value) in each duplicate
7. Send all modified requests simultaneously (parallel execution)
8. Check if multiple successful transactions occur for the same action
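From the defender's side, the pattern in the steps above (one session firing many copies of a once-only request within a few milliseconds, several of which succeed) is visible in ordinary access logs. The following is an added example, not part of the original checklist: it parses constructed log lines in an assumed format (timestamp, session id, method, path, status), finds bursts of identical requests per session inside a sliding time window, and reports how many of the burst's requests succeeded. The log format, the session field and the thresholds are assumptions; adapt the regex to your own logs.

```python
"""Detect bursts of near-simultaneous identical requests per session.

Added example (not part of the original checklist). The log format, the
session identifier and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: session s1 fires eight identical purchase requests
# within ~40 ms and five of them succeed; session s2 behaves normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00.012Z session=s1 POST /api/v1/purchase status=200
2024-05-01T10:00:00.015Z session=s1 POST /api/v1/purchase status=200
2024-05-01T10:00:00.018Z session=s1 POST /api/v1/purchase status=409
2024-05-01T10:00:00.021Z session=s1 POST /api/v1/purchase status=200
2024-05-01T10:00:00.025Z session=s1 POST /api/v1/purchase status=200
2024-05-01T10:00:00.030Z session=s1 POST /api/v1/purchase status=409
2024-05-01T10:00:00.041Z session=s1 POST /api/v1/purchase status=200
2024-05-01T10:00:00.052Z session=s1 POST /api/v1/purchase status=409
2024-05-01T10:00:03.100Z session=s2 POST /api/v1/purchase status=200
2024-05-01T10:00:09.400Z session=s2 GET /api/v1/orders status=200
2024-05-01T10:00:15.700Z session=s2 POST /api/v1/purchase status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    # integer milliseconds since the epoch, avoiding float truncation surprises
    ts_ms = int(ts.replace(microsecond=0).timestamp()) * 1000 + ts.microsecond // 1000
    return {
        "ts_ms": ts_ms,
        "key": (m["session"], m["method"], m["path"]),
        "status": int(m["status"]),
    }


def find_bursts(log_text, window_ms=100, min_requests=5):
    """Return one finding per (session, method, path) that saw at least
    `min_requests` requests inside some `window_ms` sliding window.

    Each finding reports the burst size, its time span and how many of
    its requests were 2xx: more than one success on a once-only action
    is the condition worth alerting on."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["key"]].append(ev)

    findings = []
    for key, evs in events.items():
        evs.sort(key=lambda e: e["ts_ms"])
        best = None
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window_ms
            while evs[end]["ts_ms"] - evs[start]["ts_ms"] > window_ms:
                start += 1
            size = end - start + 1
            if size >= min_requests and (best is None or size > best[1] - best[0] + 1):
                best = (start, end)
        if best:
            burst = evs[best[0]:best[1] + 1]
            findings.append({
                "session": key[0], "method": key[1], "path": key[2],
                "requests": len(burst),
                "span_ms": burst[-1]["ts_ms"] - burst[0]["ts_ms"],
                "successes": sum(1 for e in burst if 200 <= e["status"] < 300),
            })
    return findings


if __name__ == "__main__":
    for finding in find_bursts(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports a single burst for session s1 (8 requests in 40 ms, 5 successes) and nothing for s2. Tune `window_ms` and `min_requests` to the endpoint: for a "purchase" or "redeem" route even two successes inside one window is worth an alert, whereas for idempotent GETs the same burst is noise.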


Quota‑Limit Bypass via Concurrent Folder‑Creation Requests

1. Navigate to the Knowledge section on <platform> and select a specific <knowledge_space> (e.g., project or team space)
2. Create folders until you reach the configured limit <max_folder_count> (e.g., 10 folders)
3. Attempt to create one additional folder and confirm the server returns a “limit reached” error
4. Delete one folder so the total count becomes <max_folder_count - 1>
5. Immediately after deletion, send N parallel folder-creation requests (e.g., 2–20) to POST <folder_creation_endpoint> with payloads containing <folder_name> (use distinct names for each request)
6. Verify whether the total number of folders for <knowledge_space> exceeds <max_folder_count>


Non‑Idempotent Request Replay

1. Log in to Account: Sign in to the platform using valid credentials
2. Purchase a Gift Card: Buy a gift card on the platform
3. Redeem Gift Card: Navigate to https://sandbox.reverb.com//redeem and initiate the gift card redemption process
4. Intercept Redemption Request: Capture the POST request to /fi/redeem containing utf8, authenticity_token, token, and commit parameters using Burp Suite Pro
5. Send Request to Turbo Intruder: Transfer the intercepted request to Turbo Intruder
6. Set External HTTP Header: Configure the external HTTP header x-request: %s in Turbo Intruder
7. Execute the Attack: Run the attack in Turbo Intruder and observe multiple 200 OK responses
8. Verify Increased Balance: Check the account balance to confirm that the gift card value has been redeemed multiple times


Race Condition (Concurrent Redemption / Double-spend)

1. Log in to Account: Sign in to the platform using valid credentials
2. Purchase a Gift Card: Buy a gift card on the platform
3. Redeem Gift Card: Navigate to https://sandbox.reverb.com//redeem and initiate the gift card redemption process
4. Intercept Redemption Request: Capture the POST request to /fi/redeem containing utf8, authenticity_token, token, and commit parameters using Burp Suite Pro
5. Send Request to Turbo Intruder: Transfer the intercepted request to Turbo Intruder and apply the provided Python script with 30 concurrent connections
6. Set External HTTP Header: Configure the external HTTP header x-request: %s in Turbo Intruder
7. Execute the Attack: Run the attack in Turbo Intruder and observe multiple 200 OK responses
8. Verify Increased Balance: Check the account balance to confirm that the gift card value has been redeemed multiple times
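Both redemption procedures above (the replay of a non-idempotent request and the 30-connection double-spend) exploit the same server-side defect: the handler reads the card's state, decides, and only then writes, so every request that reads before the first write is credited. The following is an added example, not the platform's code or the original checklist's script: it reproduces the double-spend deterministically against an in-memory store and contrasts it with a handler that checks and marks the card in one atomic step, the equivalent of `UPDATE gift_cards SET redeemed=1 WHERE token=? AND redeemed=0` followed by a test of the affected-row count. The store, the card token, the account and the barrier that widens the race window are constructed for the example.

```python
"""Gift-card redemption: check-then-act versus a single conditional update.

Added example (not part of the original checklist). The in-memory store,
card token and account are constructed; Store.lock stands in for the
atomicity a database gives one UPDATE statement, and the Barrier makes the
race window deterministic instead of probabilistic.
"""
import threading


class Store:
    """Minimal stand-in for the database: cards, balances, and a lock that
    models per-statement atomicity."""

    def __init__(self, card_value):
        self.cards = {"CARD-TOKEN": {"value": card_value, "redeemed": False}}
        self.balance = {"alice": 0}
        self.lock = threading.Lock()


def redeem_vulnerable(store, token, account, window):
    """1. read the card  2. (race window)  3. mark redeemed and credit.
    Every request that reads before the first write sees 'not redeemed'."""
    card = store.cards[token]
    if card["redeemed"]:
        return False
    window.wait()  # all concurrent requests are past the check at this point
    with store.lock:
        card["redeemed"] = True
        store.balance[account] += card["value"]
    return True


def redeem_atomic(store, token, account, window):
    """The check and the state change happen under one lock, the way a
    conditional UPDATE ... WHERE redeemed=0 does in a database. Only the
    request that wins the update credits the balance; a replay of the same
    token, simultaneous or later, gets False."""
    window.wait()  # same simultaneous arrival as above
    with store.lock:
        card = store.cards[token]
        if card["redeemed"]:
            return False
        card["redeemed"] = True
        store.balance[account] += card["value"]
    return True


def race(handler, concurrency=30, card_value=25):
    """Fire `concurrency` redemptions of the same card at once and report
    (successful redemptions, resulting balance)."""
    store = Store(card_value)
    window = threading.Barrier(concurrency)
    results = []
    res_lock = threading.Lock()

    def worker():
        ok = handler(store, "CARD-TOKEN", "alice", window)
        with res_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(concurrency)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), store.balance["alice"]


if __name__ == "__main__":
    print("vulnerable:", race(redeem_vulnerable))  # (30, 750)
    print("atomic:    ", race(redeem_atomic))      # (1, 25)
```

The same conditional-update shape is what makes the endpoint idempotent against replay: the card token (or an idempotency key carried by the request) is the thing the WHERE clause tests, so the second identical request finds no row to update and must return the original outcome rather than redeem again. Wrapping the whole redemption in a transaction at SERIALIZABLE isolation, or taking SELECT ... FOR UPDATE on the card row before deciding, are the database-level equivalents of `store.lock` here.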


Authentication Token Issuance Race

1. Prepare a list of login payloads (include incorrect passwords and the correct password)
2. Choose a concurrency level (start with 20–50 parallel requests)
3. Capture a valid login POST request and send it to Burp/Turbo Intruder or a parallel-request tool
4. Configure the tool to send your prepared payloads simultaneously
5. Launch the parallel attack
6. Inspect responses and identify any response that returns a JWT
7. Decode the JWT and extract the authCode (or equivalent MFA state)
8. Construct a login/verify request using the captured JWT and a random 6-digit OTP
9. Send the verify request and check for successful authentication (session or 200 OK)
10. Repeat attempts as needed (race is probabilistic) and log successful JWTs/responses
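Steps 7 and 8 above depend on the MFA state travelling inside the client-held JWT and on the verify endpoint tolerating guessed OTPs. The following is an added example, not the target's code or part of the original checklist: a second-factor verifier that keeps the pending-login state server-side (the client only ever holds an opaque pending id), compares the OTP in constant time, consumes the record on success so it cannot be replayed, and enforces the attempt limit under a lock so a burst of parallel guesses cannot all see "attempts below the limit". The pending-login store, the OTP value, the attempt limit and the opaque id are constructed; a real deployment keeps the store in a database or cache with the same compare-and-increment semantics.

```python
"""Second-factor verification with server-side pending state and an
atomically enforced attempt limit.

Added example (not part of the original checklist). The store, the OTP,
the attempt limit and the opaque pending id are constructed.
"""
import hmac
import secrets
import threading

MAX_ATTEMPTS = 5  # assumed limit on OTP guesses per pending login


class PendingLogins:
    """Server-side state for logins that passed the password check but not
    yet the second factor. The client receives only the opaque id, never
    the OTP or any other MFA state."""

    def __init__(self):
        self._pending = {}
        self._lock = threading.Lock()

    def start(self, user, otp):
        pid = secrets.token_urlsafe(16)
        with self._lock:
            self._pending[pid] = {"user": user, "otp": otp, "attempts": 0}
        return pid

    def verify(self, pid, submitted_otp):
        """Returns 'ok', 'wrong', 'locked' or 'unknown'. The attempt counter
        is read, checked and incremented under one lock, so concurrent
        guesses cannot all observe attempts < MAX_ATTEMPTS."""
        with self._lock:
            rec = self._pending.get(pid)
            if rec is None:
                return "unknown"
            if rec["attempts"] >= MAX_ATTEMPTS:
                return "locked"
            rec["attempts"] += 1
            if hmac.compare_digest(rec["otp"], submitted_otp):
                del self._pending[pid]  # single use: a replay cannot succeed twice
                return "ok"
            return "wrong"


def burst_of_guesses(concurrency=30):
    """Fire `concurrency` simultaneous wrong guesses, then submit the correct
    OTP. Returns (guesses evaluated, guesses rejected as locked, result of
    the correct OTP afterwards)."""
    store = PendingLogins()
    pid = store.start("alice", "493027")  # constructed OTP
    barrier = threading.Barrier(concurrency)
    outcomes = []
    out_lock = threading.Lock()

    def worker(i):
        barrier.wait()
        result = store.verify(pid, f"{i:06d}")  # 000000, 000001, ... all wrong
        with out_lock:
            outcomes.append(result)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(concurrency)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return outcomes.count("wrong"), outcomes.count("locked"), store.verify(pid, "493027")


def replay_after_success():
    """A correct OTP succeeds once; replaying it against the consumed id fails."""
    store = PendingLogins()
    pid = store.start("alice", "493027")
    return store.verify(pid, "493027"), store.verify(pid, "493027")


if __name__ == "__main__":
    print(burst_of_guesses())        # (5, 25, 'locked')
    print(replay_after_success())    # ('ok', 'unknown')
```

With 30 parallel guesses exactly MAX_ATTEMPTS are evaluated, the rest are rejected as locked, and the pending login is burned even for the genuine OTP; with fewer guesses than the limit the genuine OTP still succeeds. The login endpoint that issues the pending id must itself be the only place the password is checked, and it should issue the id only after that check completes, so that no token reaches the client before the decision is final.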


Email‑verification race

1. Create a new account (email remains unverified)
2. Find and capture the email verification POST request (the one sent when clicking the verification link)
3. Find and capture the change-email request (the POST that updates the account email)
4. Prepare two requests: (A) change-email → set target email (e.g. victim@domain.com), (B) verify-email → same valid verification token
5. Use a parallel-request tool (Turbo Intruder / Burp / parallel curl) to send A and B simultaneously (high concurrency / single-packet timing)
6. Inspect responses for success; check the account’s email status
7. Confirm by performing an action that requires a verified email (invite, access feature, etc.)
8. Repeat to verify reproducibility and log any successful attempts
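The race in steps 4 and 5 succeeds when the verify request is processed after the change-email request but the verification token is only bound to the account, so the "verified" flag lands on whatever address the account holds at that moment. The following is an added example, not the original checklist's or any platform's code: it models the two request orderings without threads and shows that binding the verification to the specific address the token was issued for closes the window regardless of which request wins. The account model, the addresses and the token store are constructed for the example.

```python
"""Email verification bound to the address the token was issued for.

Added example (not part of the original checklist). The account model,
addresses and token store are constructed.
"""
import secrets


class Account:
    def __init__(self, email):
        self.email = email
        self.email_verified = False  # weak design: one flag on the account
        self.verified_email = None   # hardened design: which address was verified
        self.pending = {}            # token -> address it was issued for


def issue_token(account):
    """Issue a verification token and remember the address it is for."""
    tok = secrets.token_urlsafe(16)
    account.pending[tok] = account.email
    return tok


def change_email(account, new_email):
    """Change-email handler: the new address starts out unverified."""
    account.email = new_email
    account.email_verified = False


def verify_weak(account, tok):
    """Verifies 'the account', whatever address it holds right now."""
    if account.pending.pop(tok, None) is None:
        return False
    account.email_verified = True
    return True


def verify_bound(account, tok):
    """Verifies the address the token was issued for, nothing else."""
    issued_for = account.pending.pop(tok, None)
    if issued_for is None:
        return False
    account.verified_email = issued_for
    return True


def is_verified_weak(account):
    return account.email_verified


def is_verified_bound(account):
    # only true while the current address is the one that was verified
    return account.verified_email == account.email


def run(design, order):
    """Create an account, issue a token, then apply the requests in `order`
    ('change' = change-email to victim@domain.com, 'verify' = verify-email with
    the original token). Returns (current email, is it considered verified)."""
    verify, check = {
        "weak": (verify_weak, is_verified_weak),
        "bound": (verify_bound, is_verified_bound),
    }[design]
    acct = Account("user@example.com")
    tok = issue_token(acct)
    for step in order:
        if step == "change":
            change_email(acct, "victim@domain.com")
        elif step == "verify":
            verify(acct, tok)
    return acct.email, check(acct)


if __name__ == "__main__":
    print("weak,  change then verify:", run("weak", ("change", "verify")))   # victim verified
    print("bound, change then verify:", run("bound", ("change", "verify")))  # not verified
    print("bound, normal verify:     ", run("bound", ("verify",)))           # user verified
```

The weak design is only wrong in the change-then-verify ordering, which is exactly the ordering the parallel requests are trying to produce. With the address recorded in the verification itself, neither ordering yields a verified victim address, and the normal single-address flow still works. Invalidating outstanding tokens inside the change-email handler is a worthwhile second layer, but it is the binding that removes the race.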


White Box