jd-opensource/pentest-race-conditions
skills/pentest-race-conditions/SKILL.md
Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.
$ install --global
skillsauthnpx skillsauth add jd-opensource/joysafeter pentest-race-conditionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 2:18 AM4.0s3 files scanned
SKILL.md
- name:
- pentest-race-conditions
- description:
- Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.
Pentest Race Conditions
Purpose
Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for concurrency testing
- Test accounts with balances, quotas, or limited-use resources
- Rollback plan for financial or state-mutating operations
- Rate limit awareness — confirm acceptable burst volume with target owner
Environment Setup
- Burp Suite Professional with Turbo Intruder extension
- Python 3.x with asyncio/aiohttp for parallel request scripting
- GNU parallel or xargs for shell-based concurrency
- Multiple authenticated sessions (separate cookies/tokens)
Core Workflow
- Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
- Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
- Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
- Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
- Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
- Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
- Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.
Tool Categories
| Category | Tools | Purpose | |----------|-------|---------| | Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests | | Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts | | Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing | | Proxy Analysis | Burp Suite Repeater | Request replay and timing observation | | Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |
References
references/tools.md- Tool function signatures and parametersreferences/workflows.md- Attack pattern definitions and test vectors
Related Skills
jd-opensource/xlsx
development
VerifiedTrustedCommunity
Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. When Claude needs to work with spreadsheets (.xlsx, .xlsm, .csv, .tsv, etc) for: (1) Creating new spreadsheets with formulas and formatting, (2) Reading or analyzing data, (3) Modify existing spreadsheets while preserving formulas, (4) Data analysis and visualization in spreadsheets, or (5) Recalculating formulas
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/writing-plans
development
VerifiedTrustedCommunity
Use when you have a spec or requirements for a multi-step task, before touching code
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/skill-security-auditor
testing
VerifiedTrustedCommunity
OpenClaw Skills 全方位安全审计工具,检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险
238SKILL.mdUpdated Apr 6, 2026
jd-opensource/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.
238SKILL.mdUpdated Apr 6, 2026