race-condition


SKILL: Race Conditions — Testing & Exploitation Playbook

AI LOAD INSTRUCTION: Treat race conditions as authorization/state integrity issues: non-atomic read-then-write lets multiple requests observe stale state. Prioritize one-time or balance-like operations. Combine parallel transport (HTTP/1.1 last-byte sync, HTTP/2 single-packet, Turbo Intruder gates) with application evidence (duplicate success responses, inconsistent balances, duplicate ledger rows). Authorized testing only. Routing note: for business workflows, coupons, inventory, or one-time rewards, start with this skill and cross-load business-logic-vulnerabilities.


0. QUICK START — What to Test First

Target endpoints where check and update are unlikely to be a single atomic database operation:

| Priority | Operation class | Example paths / parameters |
|---|---|---|
| 1 | One-time redeem / coupon / bonus | redeem, apply_coupon, claim_reward, voucher |
| 2 | Balance / quota / stock deduction | transfer, purchase, reserve, inventory |
| 3 | Invite / referral / signup bonus | invite_accept, referral_claim |
| 4 | Password / email / MFA verification | verify_token, confirm_email, reset_password |
| 5 | Idempotent-looking APIs without strong keys | POST that should succeed only once per user |
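
The non-atomic check-then-update pattern next to its atomic form, as an added example that is not part of the original skill. The table names, the coupon code `WELCOME10`, and the users are constructed; the generator `yield` models the point where a second request is scheduled between one request's read and its write.

```python
import sqlite3

def make_db():
    # Constructed sample data: one single-use coupon, empty credit ledger.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE coupons(code TEXT PRIMARY KEY, redeemed INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE ledger(id INTEGER PRIMARY KEY, user TEXT, code TEXT);
        INSERT INTO coupons(code) VALUES ('WELCOME10');
    """)
    return db

def redeem_check_then_act(db, user, code):
    # Vulnerable pattern: the read and the write are separate statements.
    row = db.execute("SELECT redeemed FROM coupons WHERE code = ?", (code,)).fetchone()
    yield  # the window: another request runs before this one writes
    if row is None or row[0]:
        return False
    db.execute("UPDATE coupons SET redeemed = 1 WHERE code = ?", (code,))
    db.execute("INSERT INTO ledger(user, code) VALUES (?, ?)", (user, code))
    return True

def redeem_atomic(db, user, code):
    yield  # same scheduling point, but no state has been read yet
    # Hardened pattern: the check is part of the write, so only one caller can match.
    cur = db.execute(
        "UPDATE coupons SET redeemed = 1 WHERE code = ? AND redeemed = 0", (code,))
    if cur.rowcount != 1:
        return False
    db.execute("INSERT INTO ledger(user, code) VALUES (?, ?)", (user, code))
    return True

def run_interleaved(handler, users=("alice", "bob"), code="WELCOME10"):
    db = make_db()
    requests = [handler(db, u, code) for u in users]
    for r in requests:
        next(r)  # advance every request to its yield before any of them writes
    results = []
    for r in requests:
        try:
            next(r)
        except StopIteration as done:
            results.append(done.value)
    # Application evidence: coupon codes credited more than once in the ledger.
    dupes = db.execute(
        "SELECT code, COUNT(*) FROM ledger GROUP BY code HAVING COUNT(*) > 1").fetchall()
    return results, dupes

if __name__ == "__main__":
    print(run_interleaved(redeem_check_then_act))  # ([True, True], [('WELCOME10', 2)])
    print(run_interleaved(redeem_atomic))          # ([True, False], [])
```

The `GROUP BY ... HAVING COUNT(*) > 1` query is the same duplicate-ledger-row check a reviewer can run against a test environment to confirm whether a one-time operation was applied more than once.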

First moves (conceptual):

Installs: 496
GitHub Stars: 628
First Seen: Apr 9, 2026