Application Security · Learn

What is a race condition?

A race condition lets an attacker exploit the tiny window between an application checking something and acting on it, sending many requests at once to break the rules. Here is what it is and how to prevent it.

Application Security · LearnApplication Penetration Testing
TL;DR

A race condition is a vulnerability where the outcome depends on the timing of concurrent operations, and an attacker exploits the gap between a check and the action (a "time-of-check to time-of-use" flaw) by sending many requests simultaneously. This lets them do things once-only logic should prevent: redeem a coupon multiple times, withdraw more than a balance, or bypass a limit. The fix is making the critical operation atomic with database constraints, locks, or transactions.

By Shubham Khandare, Delivery Manager, SecureLayer7Updated

What a race condition is

Web requests run concurrently. A race condition exists when an application checks a condition and then acts on it as two separate steps, assuming nothing changes in between.

An attacker who fires many requests at the same instant can slip multiple actions into that gap before the state updates. The classic shape is time-of-check to time-of-use (TOCTOU): the app verifies a balance or a one-time flag, but several requests pass the check before any of them updates it.

How it works and example

The attacker sends a burst of identical requests timed to arrive together:

  • Redeem a single-use coupon many times: 50 simultaneous redeem requests all pass the "unused?" check before the first marks it used.
  • Overdraw a balance: parallel withdrawals each see the original balance.
  • Bypass a rate or quantity limit by racing past the counter update.
  • Modern tooling sends requests in a single packet to minimise timing jitter.

Examples shown for defensive context.

How to fix it

  • Make critical operations atomic: enforce uniqueness and limits at the database (unique constraints, conditional updates like UPDATE ... WHERE balance >= amount).
  • Use locking or transactions so a check and its action cannot be split by concurrency.
  • Avoid read-then-write logic in application code for limited resources.
  • Idempotency keys for operations that must happen once.
  • Test sensitive endpoints with concurrent/parallel requests, not just sequential ones.

References

  1. [1]OWASP Web Security Testing Guide(OWASP)
  2. [2]MITRE CWE-362: Concurrent Execution using Shared Resource (Race Condition)(MITRE CWE)
  3. [3]OWASP Top 10(OWASP)
Related terms

Common questions

Race conditions, asked often

Want your application tested for this?

Scope an engagement

Test your application for race conditions and 30+ other classes.

Our application penetration test is manual, evidence-led, and built so your developers can reproduce and fix every finding. Each engagement ships with proof-of-exploit and a free re-test.

See the methodology30-min scoping call, fixed-price proposal in 48 hours.