Sitemap
Open in app

Sign in

Medium Logo
Write

Sign in

Race Condition 101: How I Exploited a Real Bug Bounty Scenario to Break Backend Validation

Kerolos Ayman
3 min readJun 24, 2025

--

Hello again guys

First, I’m Kerolos Ayman — Bug Bounty Hunter and CTF player.

Today, I’m going to share a real-world bug bounty experience where I discovered a subtle but impactful race condition vulnerability.

What is a race condition?

A race condition occurs when the outcome of a process depends on the unpredictable order in which multiple threads or processes access and modify shared resources. This can lead to unexpected and potentially erroneous results, or even security vulnerabilities. Essentially, it’s a “race” to access a resource, and the order in which they arrive determines the outcome.

Race conditions can result in:

  • Duplicate resource creation
  • Bypassing business logic validation
  • Unexpected privilege escalation
  • Data corruption or leakage

It’s important to note that when testing for race conditions, the success rate of your concurrent requests can vary greatly depending on the target application’s infrastructure, backend implementation, and how quickly it processes requests.
For example:
On one target, out of 10 concurrent requests, you might get 3 or 4 to succeed. On another, all 10 might go through — or none at all. It’s unpredictable, and that’s part of what makes race condition hunting both challenging and interesting.

Let’s assume the target is example.com

While testing the event creation functionality on example.com, I noticed the following behavior:

  • When creating a new event, the application asked for an event name.
  • If the name already existed, the frontend would display a message:
    “That name is already taken. Please choose a different name.”

This made me wonder:
What happens if I send multiple requests at the same time, before the backend finishes validating and locking the name?

Exploitation Method

I decided to test for a simple race condition using Burp Suite Repeater — You can use Turbo Intruder extension too. Here’s the exact process I followed:

  1. Login to my account
  2. Navigated to the event creation page.
  3. Chose a unique, unlikely-to-exist name:
    KeroTest9999999990000000
  4. Captured the POST request in Burp Suite and send it to Burp Repeater.
  5. Made 11 identical requests using Burp Repeater, put them in a group and sent them in parallel (single — packet attack).
  6. Checked the events list page.

To my surprise — 3 out of 11 requests succeeded in creating events with the exact same name.

Burp Repeater
poc

Results

  • The application’s frontend validation was bypassed.
  • The backend failed to enforce the unique constraint when handling concurrent requests.
  • Multiple events with the same name now appeared in the events list.

I submitted the report and got triaged alhamdalalah.

Also same idea in another target and got duplicate to trigaed

If you reach to here so, thanks so much for reading.

My Linkedin account: https://www.linkedin.com/in/kerolos-ayman-19a569255

My X (Twitter previously) account: https://x.com/Kerolos700

My channels on Telegram:
https://t.me/CyberSecurityforall24

https://t.me/cybersecurityforall77

Bug Bounty
Bug Bounty Tips
Bug Bounty Writeup

--

--

Kerolos Ayman
Kerolos Ayman

Written by Kerolos Ayman

299 followers
185 following

Bug Hunter || Junior Penetration Tester || CTF Player

Responses (2)

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech