SKILL: Race Conditions — Testing & Exploitation Playbook

AI LOAD INSTRUCTION: Treat race conditions as authorization/state integrity issues: non-atomic read-then-write lets multiple requests observe stale state. Prioritize one-time or balance-like operations. Combine parallel transport (HTTP/1.1 last-byte sync, HTTP/2 single-packet, Turbo Intruder gates) with application evidence (duplicate success responses, inconsistent balances, duplicate ledger rows). Authorized testing only. Routing note: for business workflows, coupons, inventory, or one-time rewards, start with this skill and cross-load business-logic-vulnerabilities.

0. QUICK START — What to Test First

Target endpoints where check and update are unlikely to be a single atomic database operation:

| Priority | Operation class | Example paths / parameters |
|---|---|---|
| 1 | One-time redeem / coupon / bonus | redeem, apply_coupon, claim_reward, voucher |
| 2 | Balance / quota / stock deduction | transfer, purchase, reserve, inventory |
| 3 | Invite / referral / signup bonus | invite_accept, referral_claim |
| 4 | Password / email / MFA verification | verify_token, confirm_email, reset_password |
| 5 | Idempotent-looking APIs without strong keys | POST that should succeed only once per user |

First moves (conceptual):
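Added example, not part of the original skill: the non-atomic read-then-write from the load instruction beside its atomic form, run against a throwaway local SQLite file. The `coupons` and `ledger` tables, the `WELCOME10` code and all function names are constructed for illustration; a barrier holds both requests between check and write so the duplicate success responses and duplicate ledger rows appear on every run.

```python
import os, sqlite3, tempfile, threading
from concurrent.futures import ThreadPoolExecutor
from contextlib import closing

def setup():
    """Create a throwaway database holding one unredeemed coupon (constructed data)."""
    path = os.path.join(tempfile.mkdtemp(), "race_demo.db")
    with closing(sqlite3.connect(path)) as db:
        db.executescript(
            "CREATE TABLE coupons(code TEXT PRIMARY KEY, redeemed INTEGER NOT NULL);"
            "CREATE TABLE ledger(code TEXT, user TEXT);"
            "INSERT INTO coupons VALUES('WELCOME10', 0);")
    return path

def redeem_check_then_write(db, code, user, gate):
    """Non-atomic: the check (SELECT) and the update are separate statements."""
    row = db.execute("SELECT redeemed FROM coupons WHERE code=?", (code,)).fetchone()
    gate.wait()  # both requests have now read the stale 'unredeemed' state
    if row is None or row[0]:
        return False
    db.execute("UPDATE coupons SET redeemed=1 WHERE code=?", (code,))
    db.execute("INSERT INTO ledger VALUES(?, ?)", (code, user))
    return True

def redeem_atomic(db, code, user, gate):
    """Atomic: the check lives in the UPDATE's WHERE clause; rowcount picks the winner."""
    gate.wait()  # release both requests at the same moment
    cur = db.execute("UPDATE coupons SET redeemed=1 WHERE code=? AND redeemed=0", (code,))
    if cur.rowcount != 1:
        return False  # another request already flipped the flag
    db.execute("INSERT INTO ledger VALUES(?, ?)", (code, user))
    return True

def run_pair(redeem):
    """Run two concurrent redemptions; return (success responses, ledger rows)."""
    path, gate = setup(), threading.Barrier(2)
    def worker(user):
        with closing(sqlite3.connect(path, timeout=10, isolation_level=None)) as db:
            return redeem(db, "WELCOME10", user, gate)  # autocommit connection
    with ThreadPoolExecutor(2) as pool:
        results = list(pool.map(worker, ("req-1", "req-2")))
    with closing(sqlite3.connect(path)) as db:
        rows = db.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]
    return sum(results), rows

if __name__ == "__main__":
    print("check-then-write:", run_pair(redeem_check_then_write))  # (2, 2)
    print("atomic update:   ", run_pair(redeem_atomic))            # (1, 1)
```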