
Race Condition

A vulnerability where the timing of concurrent operations can be exploited to bypass security checks or cause unintended behavior.

Tags: vulnerability, concurrency, business logic

A race condition occurs when a system's behavior depends on the sequence or timing of uncontrollable events, and attackers can exploit this timing dependency. In web applications, race conditions often manifest as Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities, where a security check and the subsequent action are not atomic.

Common examples include: exploiting checkout flows to purchase items at zero cost, bypassing rate limits by sending concurrent requests, claiming the same promotional code multiple times, or transferring funds that exceed an account balance by submitting parallel transfer requests before the balance is updated.

Race conditions are notoriously difficult to detect because they're timing-dependent and may not manifest in normal sequential testing. They require sending multiple concurrent requests with precise timing, which traditional security scanners rarely do effectively.
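The balance-transfer example above, as an added illustration that is not part of this glossary entry or APVISO's scanner: a check-then-act withdrawal with no atomicity beside a version that holds the check and the debit under one lock. The `Account` class, the `gate` barrier (a demo-only device that parks every request between the check and the debit so the race reproduces on every run) and the 10-request scenario are all constructed for this example.

```python
import threading

class Account:
    """Constructed in-memory account standing in for a database row."""
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

def withdraw_vulnerable(account, amount, gate=None):
    """Check-then-act with no atomicity: the TOCTOU pattern. `gate` is a demo-only
    threading.Barrier that parks every request between check and debit."""
    if account.balance >= amount:      # time of check, outside any lock
        if gate is not None:
            gate.wait()                # all requests have now passed the check
        with account.lock:             # the debit alone is atomic, but that is too late
            account.balance -= amount  # time of use: balance can go negative
        return True
    return False

def withdraw_atomic(account, amount, gate=None):
    """Check and debit under one lock so no request interleaves between them.
    The database equivalent is one conditional statement, e.g.
    UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?,
    or a row lock (SELECT ... FOR UPDATE) held across check and write.
    `gate` is accepted only to match the signature; waiting inside the lock
    would deadlock, so it is deliberately ignored."""
    with account.lock:
        if account.balance >= amount:
            account.balance -= amount
            return True
        return False

def run_concurrent(withdraw, balance, amount, requests, widen_window=False):
    """Fire `requests` parallel withdrawals of `amount` against one account and
    return (final balance, number of successful withdrawals)."""
    account = Account(balance)
    gate = threading.Barrier(requests, timeout=5) if widen_window else None
    results = []
    def worker():
        results.append(withdraw(account, amount, gate))  # list.append is atomic in CPython
    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, sum(results)

if __name__ == "__main__":
    print(run_concurrent(withdraw_vulnerable, 100, 30, 10, widen_window=True))  # (-200, 10)
    print(run_concurrent(withdraw_atomic, 100, 30, 10))                          # (10, 3)
```

With a 100-unit balance and ten parallel 30-unit withdrawals, the unprotected version approves all ten and drives the balance to -200, while the locked version approves exactly three.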

How APVISO tests for this: APVISO's scanner agent sends concurrent requests to state-changing endpoints (payments, transfers, coupon redemptions, account updates) to identify race conditions. It varies timing and concurrency levels to detect TOCTOU vulnerabilities in critical business logic.
