一键在 Manus 中运行任何 Skill

开始使用

pentest-race-conditions

星标284

分支55

更新时间2026年2月11日 09:17

Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

jd-opensource

jd-opensource/JoySafeter

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Pentest Race Conditions

Purpose

Exploit applications that fail to handle concurrent requests atomically — enabling double-spend, limit bypass, privilege escalation through parallel requests. Absent from standard WSTG categories but critical in real-world assessments.

Prerequisites

Authorization Requirements

Written authorization with explicit scope for concurrency testing
Test accounts with balances, quotas, or limited-use resources
Rollback plan for financial or state-mutating operations
Rate limit awareness — confirm acceptable burst volume with target owner

Environment Setup

Burp Suite Professional with Turbo Intruder extension
Python 3.x with asyncio/aiohttp for parallel request scripting
GNU parallel or xargs for shell-based concurrency
Multiple authenticated sessions (separate cookies/tokens)

Core Workflow

Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.

Tool Categories

Category	Tools	Purpose
Timing Attacks	Turbo Intruder, race-the-web	Microsecond-synchronized parallel requests
Async Scripting	Python asyncio/aiohttp, httpx	Custom race condition scripts
Shell Concurrency	GNU parallel, xargs, curl	Quick parallel request testing
Proxy Analysis	Burp Suite Repeater	Request replay and timing observation
Database Monitoring	pg_stat_activity, SHOW PROCESSLIST	Observe lock contention and deadlocks

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors

同仓库更多 Skills

同仓库

skill-creator

jd-opensource/JoySafeter

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.

2026-03-26284

openclaw-security-checker

jd-opensource/JoySafeter

OpenClaw 安全检测工具，基于安全实践指南验证配置安全、权限隔离、网络策略、日志审计和运行时完整性

2026-03-13284

openclaw-threat-detect

jd-opensource/JoySafeter

OpenClaw 攻击模式检测工具，识别数据外传、反弹Shell、文件泄露、Prompt注入、供应链投毒等高危行为，支持 MITRE ATT&CK 映射

2026-03-13284

skill-security-auditor

jd-opensource/JoySafeter

OpenClaw Skills 全方位安全审计工具，检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险

2026-03-13284

planning-with-files

jd-opensource/JoySafeter

Implements Manus-style file-based planning for complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when starting complex multi-step tasks, research projects, or any task requiring >5 tool calls. Now with automatic session recovery after /clear.

2026-02-13284

pentest-ai-llm-security

jd-opensource/JoySafeter

AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.

2026-02-11284

name	pentest-race-conditions
description	Concurrency exploitation — race conditions, TOCTOU vulnerabilities, and parallel request abuse in web applications.

Pentest Race Conditions

Purpose

Prerequisites

Authorization Requirements

Written authorization with explicit scope for concurrency testing
Test accounts with balances, quotas, or limited-use resources
Rollback plan for financial or state-mutating operations
Rate limit awareness — confirm acceptable burst volume with target owner

Environment Setup

Burp Suite Professional with Turbo Intruder extension
Python 3.x with asyncio/aiohttp for parallel request scripting
GNU parallel or xargs for shell-based concurrency
Multiple authenticated sessions (separate cookies/tokens)

Core Workflow

Target Identification: Identify race-prone operations — balance transfers, coupon redemption, inventory purchase, vote/like systems, token generation, file operations.
Single-Endpoint Races: Send N identical requests simultaneously to bypass "one per user" limits, duplicate transactions (limit-overrun).
Multi-Endpoint TOCTOU: Exploit time gap between check and use — validate coupon then apply coupon, check balance then debit.
Session-Level Races: Parallel password change + session refresh, simultaneous role change + action execution.
Database-Level Races: Exploit missing row-level locks, test optimistic vs pessimistic concurrency, trigger deadlocks.
Timing Synchronization: Use single-packet attack technique (Turbo Intruder) to synchronize requests within microseconds.
Impact Documentation: Document financial/operational impact with precise reproduction steps and timing requirements.

Tool Categories

Category	Tools	Purpose
Timing Attacks	Turbo Intruder, race-the-web	Microsecond-synchronized parallel requests
Async Scripting	Python asyncio/aiohttp, httpx	Custom race condition scripts
Shell Concurrency	GNU parallel, xargs, curl	Quick parallel request testing
Proxy Analysis	Burp Suite Repeater	Request replay and timing observation
Database Monitoring	pg_stat_activity, SHOW PROCESSLIST	Observe lock contention and deadlocks

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors