Topic Hub
Race Condition Attacks
Race conditions exploit timing windows in concurrent processing — two requests arrive simultaneously, both pass a check that should only allow one, and both succeed. Modern single-packet techniques eliminate network jitter, making sub-millisecond races reliable and reproducible.
TOCTOU
Single-Packet
Limit Overrun
Session Collision
Double Spend
Burp Suite
▌ Race Condition Classes
Limit Overrun
Apply a coupon / redeem a gift card more than once. Both requests pass the "already used?" check before either marks it used.
TOCTOU
Time-Of-Check to Time-Of-Use. File permissions or balance checked at T1, action taken at T2 — modify state between them.
Session Collision
Two login requests sent simultaneously → a session token is assigned to the wrong user. Exploited by James Kettle to read other users' data.
Double Spend
Simultaneously transfer funds or place orders in a way that reduces balance more than should be possible. Classic in fintech targets.
Partial Construction
Object/row accessed mid-creation before all fields are populated. Uninitialized state leaks or allows bypass of security fields.
Time-of-use OTP
OTP or token validated and consumed in a non-atomic operation. Send identical OTP twice simultaneously — both may succeed.
The Single-Packet Technique
Traditional race condition attacks are limited by network jitter — small timing differences between when each request arrives at the server. James Kettle's single-packet attack solves this: send all concurrent requests inside a single TCP packet (HTTP/2 multiplexing or a carefully crafted HTTP/1.1 last-byte holdback). The server processes all requests simultaneously with <1ms variance.
# Burp Suite — Repeater group → Send in parallel
1. Create 20 identical requests in Repeater group
2. Right-click → "Send group (parallel)"
3. Burp holds all but last byte, then sends final bytes simultaneously
4. All requests arrive at server within same millisecond
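The limit-overrun and TOCTOU classes above come down to one defect: the "already used?" check and the "mark used" write are separate steps. The following added example (not from the original page) models coupon redemption against a constructed in-memory SQLite table and forces the worst-case interleaving a parallel send produces (both checks, then both writes), then shows the atomic conditional-UPDATE fix; the table, coupon code and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: one single-use coupon, not yet redeemed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    conn.execute("INSERT INTO coupons VALUES ('SAVE20', 0)")
    conn.commit()
    return conn

# Vulnerable pattern: check (SELECT) and use (UPDATE) are two statements,
# so a second request can pass the check before the first one writes.
def check_unused(conn, code):
    row = conn.execute("SELECT used FROM coupons WHERE code = ?", (code,)).fetchone()
    return row is not None and row[0] == 0

def mark_used(conn, code):
    conn.execute("UPDATE coupons SET used = 1 WHERE code = ?", (code,))
    conn.commit()

def simulate_race_vulnerable():
    """Deterministic model of the race window: requests A and B both run the
    check before either runs the write. Returns how many redemptions succeed."""
    conn = make_db()
    a_ok = check_unused(conn, "SAVE20")   # request A: coupon looks unused
    b_ok = check_unused(conn, "SAVE20")   # request B: coupon still looks unused
    granted = 0
    for ok in (a_ok, b_ok):
        if ok:
            mark_used(conn, "SAVE20")     # both writes go through
            granted += 1
    return granted

# Hardened pattern: check and consume in one conditional UPDATE. The database
# serialises the row update, so only one request can flip used 0 -> 1, and
# rowcount tells each caller whether it was the winner.
def redeem_atomic(conn, code):
    cur = conn.execute(
        "UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (code,))
    conn.commit()
    return cur.rowcount == 1

def simulate_race_atomic():
    conn = make_db()
    return [redeem_atomic(conn, "SAVE20"), redeem_atomic(conn, "SAVE20")]

if __name__ == "__main__":
    print("vulnerable grants:", simulate_race_vulnerable())  # 2
    print("atomic grants:", simulate_race_atomic())          # [True, False]
```

The same rowcount-based pattern applies to OTP consumption, gift-card balances and approval counters: the write that consumes the resource must carry the precondition, rather than trusting an earlier read.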
▌ Notable Race Condition CVEs
CVE-2024-58248
nopCommerce — Race condition in coupon redemption → unlimited discount abuse
Exploited via single-packet technique using Burp Suite Repeater groups
GitLab Race
GitLab merge request — race in CI/CD pipeline triggering → bypass pipeline rules
Concurrent approvals allowing merge without required approvals
Crypto Exchange
Multiple exchange platforms — double withdrawal via concurrent requests → financial loss
Classic limit overrun: balance check and withdrawal not atomic
CVE-2019-5418
Rails File Content Disclosure — race in ActionView rendering
TOCTOU in template resolution allowed reading arbitrary files
Quick Detection Checklist
✓ Any endpoint that checks then uses a one-time resource
✓ Promo codes / referral limits / rate limits
✓ File upload validation and write steps
✓ Password reset token creation and sending
✓ Account balance modification operations
✓ Session creation and user assignment