For too long, web racecondition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limitoverrun exploits you're probably already familiar with.

Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs at highprofile websites to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors.

To handle this explosion of attack surface, I'll share a polished methodology designed to help you eke out subtle telltale clues and scent blood long before sacrificing anything to the RNG gods. I've also taken lore amassed over years of research into HTTP Desync Attacks and developed a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub1ms execution window. Alongside the open source tool, we'll also release free online labs so you can try out your new skillset immediately.