hunt-race-condition

## Crown Jewel Targets Race conditions are high-severity findings because they break financial, access control, and integrity assumptions that defenders rarely stress-test. Highest payouts come from: - **Monetary/credit systems** — double-spending gift cards, coupons, referral bonuses, promotional credits, wallet balances - **Vote/reputation manipulation** — upvoting the same content multiple times, gaming leaderboards or trending algorithms - **Account limits bypass** — exceeding free-tier quotas, bypassing "one per user" restrictions on invites, trial activations, or API key generation - **Privilege escalation** — racing role assignment or permission checks during user creation/upgrade flows - **Deletion bypass** — reading or exfiltrating data during a narrow window between "marked for deletion" and "actually deleted" - **Payment flows** — charging a card once but receiving multiple fulfillments **Best-paying asset types:** Fintech apps, SaaS platforms with credit/subscription models, social platforms with reputation systems, e-commerce checkout flows, OAuth/SSO token endpoints. --- ## Attack Surface Signals ### URL Patterns ``` /vote, /upvote, /like, /favorite /redeem, /apply-coupon, /use-code, /claim /purchase, /checkout, /confirm-order, /pay /transfer, /withdraw, /send-money /invite, /referral, /accept-invite /upgrade, /activate, /trial /delete, /deactivate, /cancel /follow, /subscribe ``` ### Response Headers That Signal Race-Prone Backends ``` X-RateLimit-* ...