BIPI

Race Condition Vulnerabilities: TOCTOU, Single-Packet Attacks, HTTP/2

Cybersecurity

How to find and exploit race conditions with single-packet attacks, Turbo Intruder, and HTTP/2 multiplexing in real-world web apps.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 20, 2024 · 11 min read

#race-conditions #pentesting #http/2 #turbo-intruder

James Kettle's single-packet attack research changed the race condition game in 2023. By the time 2024 engagements roll around, TOCTOU bugs in payments, coupons, withdrawals, and 2FA reset flows are landing payouts that used to require lucky timing.

Classes of Race Conditions

  • Limit overrun: redeem a one-time coupon 50 times in parallel
  • Time-of-check to time-of-use on balance checks before withdrawal
  • State machine bypass: cancel and confirm simultaneously
  • MFA bypass via parallel verification attempts
  • File system TOCTOU between stat and open in upload handlers

The Single-Packet Attack

Network jitter used to spoil races. The single-packet attack queues 20 or more HTTP/2 requests so that the final bytes of every request ship in a single TCP packet, removing client-side network variance. The server then processes all of the requests within microseconds of each other.

Identifying Candidate Endpoints

  1. Anything that decrements a counter: coupons, gift cards, inventory
  2. Wallet, withdrawal, and transfer endpoints
  3. Account creation flows that check email uniqueness
  4. Permission grants and role assignments
  5. Token redemption: invitations, password resets, magic links

Crafting the Attack in Turbo Intruder

Set concurrentConnections to 1 and requestsPerConnection to 30, then queue 30 identical requests with openGate and start. Compare success counts against single-request baselines to confirm the race window.

HTTP/2 Specific Tricks

  • Multiplexing lets you send dozens of requests on one connection with negligible spacing
  • Header compression with HPACK reduces last-byte timing variance
  • Test both h2 and h2c when reverse proxies are in play
  • Some WAFs rate limit per connection, which the single-packet attack sidesteps

Rate limits keyed on connection or per-request budgets break against multiplexed bursts. Key on user, action, and time window instead.

Real World Patterns

We have seen single-packet attacks unlock duplicate cashback claims, double-spend gift cards, and bypass 2FA by submitting the correct OTP and an empty value at the same time when the server stored the last value seen. Always test what happens when two valid requests collide and what the database constraint catches versus what the application logic catches.

Remediation

  1. Use database transactions with SELECT FOR UPDATE on critical rows
  2. Apply unique constraints that enforce business invariants
  3. Idempotency keys for all state-changing endpoints
  4. Distributed locks (Redis Redlock, Postgres advisory locks) where transactions cannot reach
  5. Rate limit per user and per resource, not per connection
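As an added illustration of points 1 and 2 above (this is constructed example code, not code from the original post or from any product): a coupon-redemption handler in Python against SQLite, first with the check-then-act TOCTOU window, then hardened. SQLite has no SELECT FOR UPDATE, so BEGIN IMMEDIATE takes the write lock up front and a conditional UPDATE folds the check and the decrement into one atomic statement; the `race` helper releases 20 threads together to stand in for a single-packet burst.

```python
import os, sqlite3, tempfile, threading, time

def make_db():
    # Constructed sample data: one coupon with a single remaining use.
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE coupons(code TEXT PRIMARY KEY, uses_left INTEGER NOT NULL);
        CREATE TABLE redemptions(id INTEGER PRIMARY KEY, code TEXT NOT NULL);
        INSERT INTO coupons VALUES ('WELCOME10', 1);""")
    con.close()
    return path

def redeem_vulnerable(path, code):
    # Check-then-act as two autocommit statements: the TOCTOU window sits between them.
    con = sqlite3.connect(path, timeout=5, isolation_level=None)
    (uses,) = con.execute("SELECT uses_left FROM coupons WHERE code=?", (code,)).fetchone()
    if uses > 0:
        time.sleep(0.1)  # handler work between check and use; widens the window
        con.execute("UPDATE coupons SET uses_left = uses_left - 1 WHERE code=?", (code,))
        con.execute("INSERT INTO redemptions(code) VALUES (?)", (code,))
    con.close()
    return uses > 0

def redeem_safe(path, code):
    # Take the write lock first (SQLite's stand-in for SELECT ... FOR UPDATE) and make
    # the decrement conditional, so check and use are a single atomic step.
    con = sqlite3.connect(path, timeout=5, isolation_level=None)
    con.execute("BEGIN IMMEDIATE")
    ok = con.execute("UPDATE coupons SET uses_left = uses_left - 1 "
                     "WHERE code=? AND uses_left > 0", (code,)).rowcount == 1
    if ok:
        con.execute("INSERT INTO redemptions(code) VALUES (?)", (code,))
    con.execute("COMMIT")
    con.close()
    return ok

def race(handler, path, code, n=20):
    # Release n handlers at once, emulating requests that arrive in one packet.
    gate, results = threading.Barrier(n), []
    def worker():
        gate.wait()
        results.append(handler(path, code))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    con = sqlite3.connect(path)
    rows = con.execute("SELECT COUNT(*) FROM redemptions").fetchone()[0]
    con.close()
    return sum(results), rows  # (handlers reporting success, redemption rows written)
```

Running `race(redeem_vulnerable, make_db(), "WELCOME10")` returns well over one success for a one-use coupon, while `race(redeem_safe, ...)` returns exactly one; the redemptions table tells the same story, which is the "what the database catches versus what the application catches" comparison worth making on every engagement.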

  • 20-30: concurrent requests for typical single-packet attacks
  • 1ms: server-side processing window targeted
  • CVE-2023-46604: ActiveMQ race-adjacent class to study
