What it does

This skill provides a practical workflow for testing web endpoints for race-condition vulnerabilities by launching controlled concurrent requests against stateful operations (coupon redemption, balance debit, order placement, OTP verification). It walks the agent through identifying likely targets, crafting request payloads, executing synchronized bursts (using curl + GNU parallel), and analysing response patterns and server-side state to determine if multiple requests were erroneously accepted.

When to use it

Use this skill during security assessments, bug-bounty triage, or QA when you suspect non-atomic operations: promo code redemption, gift-credit spending, inventory decrement on purchase, OTP/token verification, or rate-limited sensitive actions. It helps confirm TOCTOU, double-spend, and limit-overrun weaknesses.

What's included

Scripts: none bundled (has_scripts=false) — procedural shell examples are provided in the skill body
References: none included in repo (has_references=false)
Instructions: step-by-step guidance to identify targets, set concurrency parameters, run GNU parallel bursts, aggregate responses, and verify server state via read endpoints. Also includes detection heuristics and failure modes.