Learn how to find and exploit race conditions — TOCTOU flaws, limit-overrun, and double-spend — using parallel and single-packet techniques, with concurrent-request scripts you can adapt.
Look for actions where a check and an action are separated in time (TOCTOU) and where state is shared: redeeming coupons, withdrawing funds, applying votes/likes, using one-time tokens, or consuming inventory.
POST /api/coupon/redeem {"code": "SAVE50"}
POST /api/wallet/withdraw {"amount": 100}
POST /api/vote {"pollId": 7, "option": 2}
POST /api/2fa/verify {"otp": "123456"}
Send many identical requests as close together as possible. For HTTP/2 use the single-packet attack (one TCP packet, many streams) to minimize jitter; for HTTP/1.1 use last-byte synchronization or a tight parallel loop.
Send 30-50 identical requests in parallel.
HTTP/2 single-packet: withhold the final frame, then release all streams at once.
asyncio.gather(*[send() for _ in range(40)])
Target operations meant to run once or N times. If the limit check and the decrement aren't atomic, concurrent requests can each pass the check before any decrements land.
Redeem a single-use coupon 40x concurrently.
Withdraw the full balance from two requests at once (double-spend).
Submit one OTP attempt 50x to beat rate limiting / lockout.
Some races span two endpoints (e.g., confirm + cancel, or apply + apply-again). Interleave requests that move an object through conflicting states simultaneously.
Concurrent: POST /order/confirm + POST /order/cancel
Concurrent: POST /invite/accept (x N) for a single-seat invite
Concurrent: status A->B and A->C on the same record
Race conditions are probabilistic — repeat several times and record success rate. Confirm the anomaly persists (extra balance, duplicate redemption, over-limit votes) and isn't just a UI glitch.
Run the burst 5-10 times; note how many succeed beyond the limit.
Verify final state in the account/ledger, not just the response.
Provide the exact concurrent-request script, the observed vs expected outcome, and the success rate. Recommend atomic operations (DB transactions, row locks, idempotency keys) as the fix.
Attach the asyncio/curl burst script and a before/after ledger snapshot.
Fix: atomic check-and-decrement, unique constraints, idempotency keys.
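The limit-overrun race and its fix, as an added local simulation (not code from the original page): a single-use coupon is redeemed 40 times concurrently, first by a check-then-decrement implementation with a TOCTOU gap, then by an atomic check-and-decrement. The `CouponStore`, `burst` and `measure` names, the 50 ms window that stands in for a database round-trip, and the thread barrier that mimics single-packet timing are all assumptions made for the demo; it runs offline and reports per-round success counts together with the final "ledger" value, so the over-limit result is confirmed in state rather than in responses.

```python
import threading
import time


class CouponStore:
    """Shared server-side state for one single-use coupon (constructed for the demo)."""

    def __init__(self, uses=1):
        self.remaining = uses        # uses left; the "inventory" being raced
        self._lock = threading.Lock()

    def redeem_toctou(self):
        """Vulnerable: the limit check and the decrement are separate steps.

        The sleep stands in for the gap a real service has between reading
        the row and writing it (validation, a second query, an upstream call).
        Every concurrent request that reads during that gap sees remaining > 0.
        """
        if self.remaining > 0:           # time of check
            time.sleep(0.05)             # the race window (assumed width)
            self.remaining -= 1          # time of use
            return True
        return False

    def redeem_atomic(self):
        """Fixed: check-and-decrement as one atomic step.

        In a database this is `UPDATE coupons SET remaining = remaining - 1
        WHERE code = ? AND remaining > 0` with the affected-row count as the
        result; here a lock gives the same all-or-nothing semantics.
        """
        with self._lock:
            if self.remaining > 0:
                self.remaining -= 1
                return True
            return False


def burst(redeem, n=40):
    """Run `redeem` n times concurrently, released together by a barrier.

    The barrier mimics the timing goal of the parallel / single-packet
    techniques: every request reaches the check as close together as possible.
    Returns how many calls reported success.
    """
    barrier = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()
        ok = redeem()
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def measure(variant, rounds=5, n=40, uses=1):
    """Repeat the burst against a fresh coupon each round (races are probabilistic).

    `variant` is "toctou" or "atomic". Returns a list of (successes, final_remaining)
    per round so the stored state can be checked, not just the responses.
    """
    rows = []
    for _ in range(rounds):
        store = CouponStore(uses)
        redeem = store.redeem_toctou if variant == "toctou" else store.redeem_atomic
        successes = burst(redeem, n)
        rows.append((successes, store.remaining))
    return rows


def over_limit_rounds(rows, limit=1):
    """Count rounds in which more redemptions succeeded than the limit allows."""
    return sum(1 for successes, _ in rows if successes > limit)


if __name__ == "__main__":
    for variant in ("toctou", "atomic"):
        rows = measure(variant)
        print(variant, rows, "over-limit rounds:", over_limit_rounds(rows), "/", len(rows))
```

The atomic variant reports exactly one success per round and leaves `remaining` at 0; the TOCTOU variant typically reports many successes and drives `remaining` negative, which is the kind of ledger evidence the report should carry. The same `measure` loop is the shape of the repeat-and-record step: run the burst several times and count how many rounds exceed the limit.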