pentest-race-conditions
This Claude Code skill provides a structured methodology for identifying and exploiting race conditions and TOCTOU vulnerabilities in web applications through concurrent request manipulation. Use it during authorized penetration tests when assessing applications handling financial transactions, resource quotas, inventory management, or state-sensitive operations where concurrent access controls may be insufficient.
git clone --depth 1 https://github.com/jd-opensource/JoySafeter /tmp/pentest-race-conditions && cp -r /tmp/pentest-race-conditions/skills/pentest-race-conditions ~/.claude/skills/pentest-race-conditions

SKILL.md
# Pentest Race Conditions

## Purpose

Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.

## Prerequisites

### Authorization Requirements

- **Written authorization** with explicit scope for concurrency testing
- **Test accounts** with balances, quotas, or limited-use resources
- **Rollback plan** for financial or state-mutating operations
- **Rate limit awareness** — confirm acceptable burst volume with target owner

### Environment Setup

- Burp Suite Professional with Turbo Intruder extension
- Python 3.x with asyncio/aiohttp for parallel request scripting
- GNU parallel or xargs for shell-based concurrency
- Multiple authenticated sessions (separate cookies/tokens)

## Core Workflow

1. **Target Identification**: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
2. **Single-Endpoint Races**: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
3. **Multi-Endpoint TOCTOU**: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
4. **Session-Level Races**: Parallel password change + session refresh, simultaneous role change + action execution.
5. **Database-Level Races**: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
6. **Timing Synchronization**: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
7. **Impact Documentation**: Document financial/operational impact with precise reproduction steps and timing requirements.
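
For the remediation part of a finding from steps 2, 3 or 5, the check-then-use gap and its fix can be shown side by side. This is an added example, not part of the skill's own files: the `coupons`/`redemptions` schema, the coupon code and all function names are constructed for illustration, and the two-request interleaving is replayed deterministically on one SQLite connection rather than with real concurrent traffic.

```python
import sqlite3

def make_db():
    """Constructed sample data: one single-use coupon, not yet redeemed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    db.execute("CREATE TABLE redemptions (code TEXT, account TEXT)")
    db.execute("INSERT INTO coupons VALUES ('WELCOME10', 0)")
    return db

# Flawed pattern: the check and the use are two separate statements.
def check(db, code):
    row = db.execute("SELECT used FROM coupons WHERE code = ?", (code,)).fetchone()
    return row is not None and row[0] == 0

def use(db, code, account):
    db.execute("UPDATE coupons SET used = 1 WHERE code = ?", (code,))
    db.execute("INSERT INTO redemptions VALUES (?, ?)", (code, account))

def redeem_atomic(db, code, account):
    """Hardened: check and use collapse into one conditional UPDATE."""
    with db:  # single transaction: commit on success, roll back on error
        cur = db.execute(
            "UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (code,))
        if cur.rowcount != 1:  # another request already claimed the coupon
            return False
        db.execute("INSERT INTO redemptions VALUES (?, ?)", (code, account))
        return True

def count(db):
    return db.execute("SELECT COUNT(*) FROM redemptions").fetchone()[0]

def replay_flawed():
    """Both requests pass the check before either one reaches the use step."""
    db = make_db()
    passed = [a for a in ("alice", "bob") if check(db, "WELCOME10")]
    for a in passed:
        use(db, "WELCOME10", a)
    return count(db)

def replay_atomic():
    """No gap exists to interleave: only the first UPDATE matches a row."""
    db = make_db()
    results = [redeem_atomic(db, "WELCOME10", a) for a in ("alice", "bob")]
    return results, count(db)

if __name__ == "__main__":
    print("check-then-use redemptions:", replay_flawed())
    print("atomic redemptions:", replay_atomic())
```
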
## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Timing Attacks | Turbo Intruder, race-the-web | Microsecond-synchronized parallel requests |
| Async Scripting | Python asyncio/aiohttp, httpx | Custom race condition scripts |
| Shell Concurrency | GNU parallel, xargs, curl | Quick parallel request testing |
| Proxy Analysis | Burp Suite Repeater | Request replay and timing observation |
| Database Monitoring | pg_stat_activity, SHOW PROCESSLIST | Observe lock contention and deadlocks |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors
You MUST use this before any creative work - creating features, building components, adding functionality, or modifying behavior. Explores user intent, requirements and design before implementation.
Use when you have a written implementation plan to execute in a separate session with review checkpoints
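OpenClaw security inspection tool that validates configuration security, privilege isolation, network policy, log auditing, and runtime integrity against the security practice guide.
OpenClaw attack-pattern detection tool that identifies high-risk behaviors such as data exfiltration, reverse shells, file leakage, prompt injection, and supply-chain poisoning, with MITRE ATT&CK mapping support.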
Comprehensive PDF manipulation toolkit for extracting text and tables, creating new PDFs, merging/splitting documents, and handling forms. When Claude needs to fill in a PDF form or programmatically process, generate, or analyze PDF documents at scale.
AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.
Deep OWASP API Security Top 10 testing for REST, GraphQL, gRPC, and WebSocket APIs — BFLA, mass assignment, rate limiting, and unsafe consumption.