AppSecNotes
Race Conditions
  1. Look for async operations such as email changes, applying coupons and cart checkouts.
  2. Try Limit Overrun: multiple duplicated parallel requests. E.g. Applying a gift card or coupon or withdrawing/transferring money.
  3. Try Single-Endpoint Race Condition: parallel requests to the same endpoint with different payloads. E.g. real email change to valid email and email change to another user email to see if we are able to change our email to the one from the other user.
  4. Try Multiple-Endpoint Race Conditions: parallel requests to 2 different endpoints. E.g. add something cheap to the cart (just to have something there as the starting point) and then do some parallel requests: checkout of the cheap item and at the same time plenty of other requests to add more items to the cart to see if we can also buy them for the price of the cheap item.