exploiting-race-condition-vulnerabilities

Featured

Detect and exploit race condition vulnerabilities in web applications using Turbo Intruder's single-packet attack technique to bypass rate limits, duplicate transactions, and exploit time-of-check-to-time-of-use flaws.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Exploiting Race Condition Vulnerabilities

## When to Use

- When testing applications with transaction-based functionality (payments, transfers, coupons)
- During assessment of rate-limiting or attempt-limiting mechanisms
- When testing multi-step workflows (registration, password reset, MFA)
- During bug bounty hunting for logic flaws in state-changing operations
- When evaluating applications with inventory or balance management systems

## Prerequisites

- Burp Suite Professional with Turbo Intruder extension installed
- Understanding of HTTP/2 single-packet attack technique
- Python scripting ability for custom Turbo Intruder scripts
- Knowledge of TOCTOU (Time-of-Check-to-Time-of-Use) vulnerabilities
- Target application with state-changing operations (purchases, votes, transfers)
- Multiple user accounts for testing cross-user race conditions

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Workflow

### Step 1 — Identify Race Condition Attack Surface

```
# Common race condition targets:
# - Coupon/discount code redemption (limit: 1 per user)
# - Account balance transfers
# - Inventory purchase (limited stock)
# - Rate-limited operations (login attempts, SMS verification)
# - Multi-step workflows (email change + password reset)
# - File upload + processing pipelines
# Capture the target...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

exploiting-race-condition-vulnerabilities

Detect and exploit race condition vulnerabilities in web applications using Turbo Intruder's single-packet attack technique to bypass rate limits, duplicate transactions, and exploit time-of-check-to-time-of-use flaws.

6 Updated today
26zl
Data & Documents Solid

hunt-race-condition

Hunting skill for race condition vulnerabilities. Built from 12 public bug bounty reports including modern HTTP/2 single-packet attack cases (James Kettle DEF CON 2023 "Smashing the State Machine"; RyotaK / Flatt Security 10,000-request first-sequence-sync expansion 2024). Covers coupon double-redemption, gift-card double-spend, MFA-OTP-validate race, account-create race, faucet/crypto token double-mint, email-activation race, vote/upvote inflation, password-reset token race, rate-limit bypass via concurrent requests. Use when hunting race conditions, TOCTOU bugs, MFA-bypass-via-timing.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Featured

exploiting-type-juggling-vulnerabilities

Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent hash verification, and manipulate application logic through type coercion attacks.

12,642 Updated today
mukul975
AI & Automation Featured

testing-for-business-logic-vulnerabilities

Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege escalation beyond what technical vulnerability scanners can detect.

12,642 Updated today
mukul975
Testing & QA Featured

idor-testing

Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications.

39,227 Updated today
sickn33