race-condition

`npx mdskill add H-mmer/pentest-agents/race-condition`

CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.

SKILL.md (`.github/skills/race-condition`)
---
name: race-condition
description: "Race Condition specialist (H1 #29). Use for testing TOCTOU flaws, double-spend, parallel request abuse on balance operations, coupon redemption, and any non-idempotent state changes."
---

## MANDATORY: Research First (not optional)

Before testing race conditions, you MUST call:
- `search_techniques` with "Race-Condition" — proven exploitation techniques
- `search_payloads` with "Race-Condition" — working payloads and bypass variants

Read the returned content and incorporate proven techniques into your plan
before making any HTTP requests. Skipping this step wastes time reinventing
known tricks and causes duplicate submissions. If the writeup MCP is
unreachable, fall back to `rules/payloads.md`.

You are a race condition specialist for authorized testing.

## Methodology
1. **Identify targets**: Find non-idempotent operations (balance deduction, coupon redemption, vote, like, follow, account creation)
2. **Craft parallel requests**: Send N identical requests simultaneously
3. **Timing attack**: Use HTTP/2 single-packet attack or Turbo Intruder for precise timing
4. **Verify exploitation**: Check if the operation executed multiple times

## Tools & Techniques
- **curl parallel**: `for i in {1..20}; do curl -X POST ... & done; wait`
- **Python threading**: Send concurrent requests with `concurrent.futures`
- **Turbo Intruder**: Burp extension for single-packet HTTP/2 attacks
- **HTTP/2 single-packet**: All requests in one TCP packet for minimal timing variance

## Common Race Targets
- Redeem coupon/gift card (double-spend)
- Transfer funds (send more than balance)
- Vote/like (inflate counts)
- Follow/unfollow (state inconsistency)
- Account creation with same email
- File operations (overwrite between check and use)
- Invitation acceptance (accept same invite twice)

## Output: H1 Weakness #29
Report as "Race Condition" — document the timing window, number of parallel requests needed, and result (e.g., "redeemed coupon 3x with 20 parallel requests").


## Brain Integration
Before starting, check your memory for brain briefings. Skip EXHAUSTED vectors. Focus on ACTIVE leads.
After completing, label every finding: CONFIRMED, POTENTIAL, or EXHAUSTED with failure reasons and attempt counts.

## Top-Tier Operator Standard

Race conditions require repeatable state divergence.

- Prioritize non-idempotent workflows: coupons, balances, refunds, withdrawals, inventory, approvals, invite acceptance, password reset, usage quota, and one-time tokens.
- Establish a single-request baseline, then vary concurrency, connection reuse, HTTP/2 multiplexing, idempotency keys, request order, and timing around validation/commit boundaries.
- Confirm with repeated runs and a final ledger state, not just one lucky response.
- Discard races that create no durable gain, produce only duplicate UI messages, or require unrealistic timing that cannot be reproduced with automation.
- Record parallelism level, success rate, final state, before/after values, and cleanup steps.
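As an added example, not part of this skill or of the H-mmer/pentest-agents project, the following Python models a coupon-redemption handler with the check-then-act (TOCTOU) window that the methodology above targets, next to a hardened handler whose check and commit are atomic. It releases N identical requests at the same instant and reports accepted responses against the final ledger, which is the verification step the methodology and the operator standard call for: durable state, not the count of "success" responses. The two service classes, the `window` hook, the coupon code and `COUPON_VALUE` are constructed for the demo and stand in for a real database-backed handler.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

COUPON_VALUE = 10  # constructed: credit applied per redemption


class VulnerableCouponService:
    """Check-then-act with no synchronisation. The `window` hook stands in
    for the gap between the redeemed-check and the commit (in a real
    handler, the round trip between the SELECT and the UPDATE)."""

    def __init__(self, window=None):
        self.redeemed = {}              # code -> True once redeemed
        self.ledger = []                # credits applied to the account
        self._window = window or (lambda: None)

    def redeem(self, code):
        if self.redeemed.get(code):     # check
            return False
        self._window()                  # race window
        self.redeemed[code] = True      # act: mark the coupon used ...
        self.ledger.append(COUPON_VALUE)  # ... and credit the account
        return True

    def balance(self):
        return sum(self.ledger)


class HardenedCouponService:
    """Check and commit run atomically under one lock: the in-process
    equivalent of a conditional UPDATE (... WHERE code=? AND redeemed=0)
    that credits the account only when the statement changed a row."""

    def __init__(self):
        self.redeemed = {}
        self.ledger = []
        self._lock = threading.Lock()

    def redeem(self, code):
        with self._lock:
            if self.redeemed.get(code):
                return False
            self.redeemed[code] = True
            self.ledger.append(COUPON_VALUE)
            return True

    def balance(self):
        return sum(self.ledger)


def run_parallel(service, code, n):
    """Release n identical redeem requests at the same instant and return
    (accepted responses, final balance). Against the single-request
    baseline, one coupon must never yield more than COUPON_VALUE of
    durable balance, whatever the responses claimed."""
    gate = threading.Barrier(n)

    def request(_):
        gate.wait()                     # all workers start together
        return service.redeem(code)

    with ThreadPoolExecutor(max_workers=n) as pool:
        accepted = sum(pool.map(request, range(n)))  # True counts as 1
    return accepted, service.balance()


def demo(n=20):
    """Run both services with n parallel requests for the same coupon."""
    # Inner barrier: every request passes the check before any commits,
    # which is the alignment a single-packet attack tries to achieve.
    vulnerable = VulnerableCouponService(window=threading.Barrier(n).wait)
    hardened = HardenedCouponService()
    return {
        "vulnerable": run_parallel(vulnerable, "SAVE10", n),
        "hardened": run_parallel(hardened, "SAVE10", n),
    }


if __name__ == "__main__":
    for name, (accepted, balance) in demo().items():
        print(f"{name}: {accepted} accepted, final balance {balance}")
```

With 20 parallel requests the vulnerable handler accepts all 20 and credits 200, while the hardened handler accepts exactly one and credits 10. The report fields the skill asks for (parallelism level, success rate, before/after values) map directly onto `n`, `accepted` and `balance()`; a finding that shows duplicate "accepted" responses but an unchanged ledger is the no-durable-gain case the operator standard says to discard.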