A race condition is a flaw where the security of an operation depends on timing, and firing requests concurrently lets you slip between a check and the action it guards (a TOCTOU window). Classic targets are redeeming a coupon twice, withdrawing past a balance, or bypassing a one-time-use limit before the database commits the first request.
The Race Condition generator outputs ready PoCs in several runners: parallel curl with backgrounded jobs, Burp's Turbo Intruder script, and async Python with aiohttp. For the tightest window it generates HTTP/2 single-packet attack and last-byte synchronization code that holds each request's final byte and releases them together to neutralize network jitter.
Network jitter normally spreads concurrent requests across several milliseconds, wider than the server-side race window. The HTTP/2 single-packet attack sends 20-30 requests' last bytes in one TCP packet so they arrive simultaneously, and last-byte sync does the same over HTTP/1.1 by pre-sending all but the final byte. The Race Condition generator emits both to maximize collision.
Yes. The Race Condition generator is free and runs 100% client-side, so the endpoints and tokens you supply are never transmitted to any server. Only run the generated PoCs against systems you are authorized to test, such as your own staging environment or in-scope bug bounty targets.