Skip to content
Fast-turnaround security assessments available — 10+ years development & security experienceGet started
Back to Glossary
Glossary2 min read

Race Condition

A vulnerability that occurs when the outcome of an operation depends on the timing or sequence of uncontrolled events, allowing attackers to exploit the gap.

A race condition is a vulnerability that arises when a system's behavior depends on the sequence or timing of events that are not properly controlled. In web applications, race conditions occur when multiple requests can interact with shared state simultaneously, creating a window where an attacker can manipulate the outcome by precisely timing their requests.

How It Works

Race conditions exploit the gap between a check and a subsequent action, known as a time-of-check to time-of-use (TOCTOU) vulnerability. Consider a funds transfer operation that first checks the account balance, then deducts the amount. If an attacker sends multiple simultaneous transfer requests, all of them might pass the balance check before any deduction is applied, allowing the attacker to transfer more money than the account holds.

In web applications, race conditions commonly affect discount codes, reward redemptions, file uploads, and any operation that should only succeed once. An attacker sends dozens of identical requests simultaneously, exploiting the fact that the application checks a condition and then updates the state in separate operations rather than as an atomic transaction. By the time the state is updated from the first request, all other concurrent requests have already passed the check.

The single-packet attack technique has made race conditions more practical to exploit. By sending multiple HTTP requests in a single TCP packet, an attacker ensures they arrive at the server simultaneously, maximizing the chance that they are processed concurrently. This technique bypasses network jitter that would normally spread requests across different processing windows, making race condition exploitation reliable rather than probabilistic.

Why It Matters

Race conditions are frequently overlooked during development because they do not manifest during normal single-user testing. They require concurrent access to trigger, which standard functional testing rarely simulates. Security assessments that specifically test for race conditions often uncover critical business logic flaws in financial operations, coupon systems, voting mechanisms, and one-time-use features. Proper remediation requires atomic operations, database-level locking, or idempotency controls.

Need your application tested? Get in touch.

Related terms

Privilege EscalationRate LimitingSession Management

Go deeper

Read full article

Need your application tested?

We find these vulnerabilities in real applications every day.

Request an Assessment