Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more
Looking for our research? We've moved it to a dedicated page
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

New techniques and tools for web race conditions

Emma Stocks | 10 August 2023 at 06:56 UTC
Burp Suite burp featured Black Hat

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Testing for them is inherently unreliable, compounded by known challenges relating to time constraints and network jitter.

The latest work from PortSwigger Research

Debuted at Black Hat USA '23 and DEF CON 31, PortSwigger Research's James Kettle presents "Smashing the state machine: the true potential of web race conditions". This presentation introduces multiple new classes of web race condition, that go far beyond limit-overrun exploits and expose previously overlooked attack surface.

Delve into PortSwigger's latest research, to uncover the true potential of race conditions.

Recordings of the presentations from both Black Hat USA 2023 and DEF CON 31 will be available in the coming months, and will be publicly accessible from PortSwigger Research when published.


Testing for, and exploiting, web race conditions with Burp Suite

The true potential of web race conditions has long been masked, thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples.

PortSwigger Research's latest work also unveils the single-packet attack, a technique that nullifies network jitter and enables you to send multiple requests in parallel within a 1ms time window. Find the new tooling in Burp Repeater, to experiment with a more reliable testing method that can make race conditions more easily discoverable.

The new single-packet attack capability, when sending requests over HTTP/2+, can also be performed with the updated version of James Kettle's Turbo Intruder BApp extension.

Upgrade to the latest version of Burp Suite Professional (and Burp Suite Community Edition) to access the newly released tooling.

Try out the new exploit techniques

Translating often complex, theoretical knowledge and techniques into usable, practical skills can be challenging, made more difficult by the continually evolving threat landscape of the modern web. That includes the multiple new classes of race condition introduced by PortSwigger Research, and the accompanying single-packet attack capability.


Try working through the new Web Security Academy topic to learn how to discover and exploit the more commonplace limit-overrun race conditions you might already be familiar with. Then, delve into the multiple new classes of web race condition and discover how to effectively test the newly uncovered attack surface with Burp Suite.

Visit the Web Security Academy to get started.

Burp Suite burp featured Black Hat
Emma Stocks

Emma Stocks

Latest Posts

Burp Suite Enterprise Edition in the Cloud

18 April 2024 Burp Suite Enterprise Edition in the Cloud

What's new with BChecks?

08 February 2024 What's new with BChecks?

Introducing custom scan checks to Burp Suite Enterprise Edition

02 February 2024 Introducing custom scan checks to Burp Suite Enterprise Edition

Related stories

Security done right

The infosec industry wins of 2022 30 December 2022 Security done right The infosec industry wins of 2022

Black Hat Europe redux

The top web hacking talks for 2022 12 December 2022 Black Hat Europe redux The top web hacking talks for 2022

Black Hat Europe 2022

Hacking tools showcased at annual security conference 12 December 2022 Black Hat Europe 2022 Hacking tools showcased at annual security conference

JSON syntax hack allowed SQLi payloads to sneak past WAFs

09 December 2022 JSON syntax hack allowed SQLi payloads to sneak past WAFs Five vendors act to thwart generic hack