racepwn — Exploitation | Tools

Description

racepwn is a framework for exploiting race conditions in web applications. It sends concurrent requests to trigger time-of-check to time-of-use (TOCTOU) bugs. Useful for testing coupon systems, balance transfers, and rate-limited endpoints.

Installation

BASH

go install github.com/racepwn/racepwn@latest

Basic Usage

                        BASH
                        
                    

                            # Configure race condition test
racepwn -len 100 -req request.txt

# request.txt format (raw HTTP):
# POST /api/transfer HTTP/1.1
# Host: target.com
# Content-Type: application/json
# Cookie: session=abc123
#
# {"amount": 100, "to": "attacker"}
                        

Advanced Usage

BASH

                            # Custom number of concurrent requests
racepwn -len 200 -req request.txt

# Custom target
racepwn -len 100 -req request.txt -target https://target.com
                        

Common Race Condition Targets

                        TEXT
                        
                    

                            # Financial operations (double-spend)
# Coupon/voucher redemption
# Account creation (bypass duplicate checks)
# File upload (overwrite race)
# OTP validation (bypass rate limiting)
# Voting/rating systems
# Inventory/stock checks
                        