Module 16 · Race Conditions in Web Apps 🔒

Manish Garg · Associate CISSP · RingSafe
April 22, 2026

Race conditions in web apps occur when two requests, processed concurrently, produce a state that neither would produce alone. They are the classic TOCTOU (time-of-check-to-time-of-use) bug. They turn “redeem this coupon once” into “redeem 50 times if you fire 50 requests at the same instant.” James Kettle’s research on single-packet attacks (2023) made these exploitable with high reliability. This module covers detection, exploitation, and defense.

The classic pattern

# Pseudocode of a vulnerable coupon-redeem endpoint (check and act happen in separate statements)
def redeem(user_id, coupon_code):
    coupon = db.query("SELECT * FROM coupons WHERE code=?", coupon_code)
    if coupon.redeemed_count >= coupon.max_uses:   # time of check
        return "expired"

    # ... business logic ...
    user = db.query("SELECT * FROM users WHERE id=?", user_id)
    user.balance += coupon.value
    # time of use: nothing stops a second request from passing the check in between
    db.execute("UPDATE coupons SET redeemed_count = redeemed_count + 1 WHERE code=?", coupon_code)
    db.execute("UPDATE users SET balance=? WHERE id=?", user.balance, user_id)
    return "redeemed"

Two requests arrive concurrently. Both pass the redeemed_count < max_uses check before either UPDATE runs. Both increment balance. Coupon redeemed twice, money credited twice.
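To see the pattern fail and the fix hold, here is an added, runnable demonstration (not code from the module or from RingSafe). It drives the vulnerable check-then-act endpoint and a hardened version against a throwaway SQLite file from several threads; a barrier between the check and the write models all requests landing in the same window. The table layout, coupon code and values are constructed for the example, and the fix used is a conditional UPDATE inside a write transaction, which is one of several valid defenses.

```python
import sqlite3, tempfile, threading

COUPON, COUPON_VALUE, MAX_USES = "WELCOME10", 10, 1  # constructed sample data, not from the module

def make_db():
    """Throwaway on-disk SQLite database (a file, so every thread can open its own connection)."""
    path = tempfile.mkdtemp() + "/shop.db"
    con = sqlite3.connect(path)
    con.executescript("CREATE TABLE coupons (code TEXT PRIMARY KEY, value INT, max_uses INT, redeemed_count INT);"
                      "CREATE TABLE users (id INT PRIMARY KEY, balance INT);")
    con.execute("INSERT INTO coupons VALUES (?, ?, ?, 0)", (COUPON, COUPON_VALUE, MAX_USES))
    con.execute("INSERT INTO users VALUES (1, 0)")
    con.commit(); con.close()
    return path

def redeem_vulnerable(path, user_id, code, barrier):
    """Check in one statement, act in another: every request passes the check before any write lands."""
    con = sqlite3.connect(path, isolation_level=None, timeout=5)  # autocommit, as in the pseudocode
    cur = con.execute("SELECT redeemed_count, max_uses, value FROM coupons WHERE code=?", (code,))
    redeemed, max_uses, value = cur.fetchone(); cur.close()
    barrier.wait()  # models all requests arriving inside the same window
    if redeemed < max_uses:
        con.execute("UPDATE coupons SET redeemed_count = redeemed_count + 1 WHERE code=?", (code,))
        con.execute("UPDATE users SET balance = balance + ? WHERE id=?", (value, user_id))
    con.close()

def redeem_fixed(path, user_id, code, barrier):
    """Check and increment in one conditional UPDATE under a write lock: exactly one request wins."""
    con = sqlite3.connect(path, isolation_level=None, timeout=5)
    barrier.wait()
    con.execute("BEGIN IMMEDIATE")  # take the write lock first, so the condition cannot go stale
    cur = con.execute("UPDATE coupons SET redeemed_count = redeemed_count + 1 "
                      "WHERE code=? AND redeemed_count < max_uses", (code,))
    if cur.rowcount == 1:  # our increment went through, so the credit is safe to apply
        con.execute("UPDATE users SET balance = balance + (SELECT value FROM coupons WHERE code=?) "
                    "WHERE id=?", (code, user_id))
    con.execute("COMMIT"); con.close()

def run_concurrent(redeem_fn, n_requests=5):
    """Fire n_requests at once and return (redeemed_count, balance) observed afterwards."""
    path = make_db()
    barrier = threading.Barrier(n_requests, timeout=10)
    threads = [threading.Thread(target=redeem_fn, args=(path, 1, COUPON, barrier)) for _ in range(n_requests)]
    for t in threads: t.start()
    for t in threads: t.join()
    con = sqlite3.connect(path)
    count, balance = con.execute("SELECT c.redeemed_count, u.balance FROM coupons c, users u "
                                 "WHERE c.code=? AND u.id=1", (COUPON,)).fetchone()
    con.close()
    return count, balance  # vulnerable: (5, 50); fixed: (1, 10)
```

Run `run_concurrent(redeem_vulnerable)` and `run_concurrent(redeem_fixed)` to compare: the single-use coupon is redeemed five times with the first, once with the second.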

Where they hide

  • Promo code redemption
  • Withdrawal / transfer endpoints (double-spend)
  • Rate-limiter increment (race past the limit)
  • 2FA verification (race to bypass)
  • Account creation with uniqueness check
  • One-time-use tokens
  • Voting / liking systems
  • Cart / checkout flows that re-validate inventory

The single-packet attack

James Kettle showed that with HTTP/2 you can send the last byte of multiple requests in a single TCP packet. The server then processes them in near-perfect parallel; the timing window opens only microseconds wide.

Tools:

πŸ” Advanced Module Β· Pro Tier

Continue reading with Pro tier (β‚Ή4,999/year)

You've read 29% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier
20-question quizzesUnlimited retries with explanations
Completion certificatesShareable on LinkedIn
7 more sections locked below