mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
@@ -0,0 +1,84 @@
|
||||
# API Reference: Race Condition Vulnerability Testing
|
||||
|
||||
## Types of Race Conditions
|
||||
|
||||
| Type | Description | Example |
|
||||
|------|-------------|---------|
|
||||
| TOCTOU | Time-of-check to time-of-use | Balance check then debit |
|
||||
| Double-spend | Multiple withdrawals before balance update | Gift card reuse |
|
||||
| Limit bypass | Concurrent requests bypass rate limits | Coupon reuse |
|
||||
| State mutation | Concurrent writes corrupt state | Inventory overselling |
|
||||
|
||||
## Python Threading for Concurrent Requests
|
||||
|
||||
### Barrier Synchronization
|
||||
```python
|
||||
import threading
|
||||
barrier = threading.Barrier(10)
|
||||
|
||||
def worker():
|
||||
barrier.wait() # All threads release simultaneously
|
||||
requests.post(url, json=data)
|
||||
|
||||
threads = [threading.Thread(target=worker) for _ in range(10)]
|
||||
for t in threads: t.start()
|
||||
for t in threads: t.join()
|
||||
```
|
||||
|
||||
## Turbo Intruder (Burp Suite)
|
||||
|
||||
### Race Condition Script
|
||||
```python
|
||||
def queueRequests(target, wordlists):
|
||||
engine = RequestEngine(endpoint=target.endpoint,
|
||||
concurrentConnections=30,
|
||||
requestsPerConnection=100,
|
||||
pipeline=False)
|
||||
for i in range(30):
|
||||
engine.queue(target.req)
|
||||
|
||||
def handleResponse(req, interesting):
|
||||
table.add(req)
|
||||
```
|
||||
|
||||
## HTTP/2 Single-Packet Attack
|
||||
|
||||
### Concept
|
||||
Send multiple requests in a single TCP packet using HTTP/2 multiplexing
|
||||
to eliminate network jitter and maximize race window.
|
||||
|
||||
### curl Example
|
||||
```bash
|
||||
# Send 10 requests simultaneously via HTTP/2
|
||||
for i in $(seq 1 10); do
|
||||
curl -X POST https://target/api/redeem \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"coupon": "SAVE50"}' &
|
||||
done
|
||||
wait
|
||||
```
|
||||
|
||||
## Analysis Indicators
|
||||
|
||||
| Indicator | Meaning |
|
||||
|-----------|---------|
|
||||
| Multiple 200 responses | Operation executed multiple times |
|
||||
| Different response bodies | State changed between requests |
|
||||
| Mixed status codes | Inconsistent handling |
|
||||
|
||||
## Common Vulnerable Operations
|
||||
|
||||
| Operation | Impact |
|
||||
|-----------|--------|
|
||||
| Coupon/voucher redemption | Financial loss |
|
||||
| Money transfer | Double-spend |
|
||||
| Like/vote submission | Manipulation |
|
||||
| Account creation | Duplicate accounts |
|
||||
| File upload | Overwrite race |
|
||||
|
||||
## Remediation
|
||||
1. Use database-level locking (`SELECT ... FOR UPDATE`)
|
||||
2. Implement idempotency keys
|
||||
3. Use atomic operations (e.g., `UPDATE balance = balance - X WHERE balance >= X`)
|
||||
4. Apply distributed locks (Redis SETNX)
|
||||
5. Implement optimistic concurrency (version fields)
|
||||
Reference in New Issue
Block a user