Tactical Race Exploitation & Concurrency Orchestrator
A specialized framework for identifying and exploiting race condition vulnerabilities in HTTP APIs with sub-microsecond precision.
Documentation | PyPI Package | Quick Start | Examples
TRECO enables security researchers to orchestrate highly precise concurrent HTTP attacks with sub-microsecond timing accuracy, making it possible to reliably trigger race conditions in web applications. Built for both Python 3.10+ (with GIL) and Python 3.14t (GIL-free), TRECO achieves unprecedented timing precision for race condition exploitation.
- π° Double-spending attacks - Payment processing vulnerabilities
- π Fund redemption exploits - Gift cards and coupon abuse
- π¦ Inventory manipulation - Limited stock bypasses
- π Privilege escalation - Authentication/authorization flaws
- β‘ Rate limiting bypasses - API quota exhaustion
- ποΈ Voucher abuse - Single-use code reuse
- π¦ TOCTOU vulnerabilities - Time-of-Check to Time-of-Use exploits
- β‘ Sub-Microsecond Precision: Race windows < 1ΞΌs with barrier synchronization
- π GIL-Free Option: Python 3.14t for true parallel execution
- π Flexible Synchronization: Barrier, countdown latch, and semaphore mechanisms
- π Full HTTP/HTTPS Support: HTTP/1.1 and HTTP/2 with TLS/SSL
- π¨ Powerful Templates: Jinja2-based with TOTP, hashing, env vars, and more
- π― Dynamic Input Sources: Brute-force, enumeration, and combination attacks
- π Automatic Analysis: Race window calculation and vulnerability detection
- π Extensible Architecture: Plugin-based extractors and connection strategies
- β JSON Schema Validation: IDE integration and real-time validation
# Install from PyPI
pip install treco-framework
# Or with uv (faster)
uv pip install treco-framework
# Verify installation
treco --versionCreate a file test.yaml:
metadata:
name: "Race Condition Test"
version: "1.0"
author: "Security Researcher"
vulnerability: "CWE-362"
target:
host: "api.example.com"
port: 443
tls:
enabled: true
entrypoint:
state: race_attack
input:
voucher_code: "DISCOUNT50"
states:
race_attack:
description: "Test voucher race condition"
race:
threads: 20
sync_mechanism: barrier
connection_strategy: preconnect
request: |
POST /api/vouchers/redeem HTTP/1.1
Host: {{ target.host }}
Content-Type: application/json
{"code": "{{ voucher_code }}"}
next:
- on_status: 200
goto: end
end:
description: "Attack completed"Run the test:
treco test.yamlFor detailed documentation, please visit treco.readthedocs.io:
- Installation Guide - Complete installation instructions for all platforms
- Quick Start Tutorial - Your first race condition test in 5 minutes
- Configuration Reference - Complete YAML configuration guide
- Synchronization Mechanisms - Barrier, latch, and semaphore patterns
- Connection Strategies - Preconnect, pooled, lazy, and multiplexed
- Data Extractors - JSONPath, XPath, Regex, and more
- Template Engine - Jinja2 syntax and custom filters
- Examples - Real-world attack scenarios
- CLI Reference - Command-line options
- API Documentation - Python API for programmatic use
- Troubleshooting - Common issues and solutions
- Best Practices - Performance optimization and security
Check out the examples/ directory for real-world attack scenarios:
- PortSwigger Labs - Solutions for Web Security Academy challenges
- Racing Bank - Fund redemption attack demonstration
- Input Sources - Brute-force and enumeration examples
- JWT Analysis - JWT vulnerability testing
- Rate Limit Detection - API rate limiting bypass
- Error Detection - Error-based race conditions
Python 3.14t removes the Global Interpreter Lock (GIL) for true parallelism:
| Feature | Python 3.10-3.13 (GIL) | Python 3.14t (GIL-Free) |
|---|---|---|
| True Parallelism | β Single thread at a time | β Multiple threads simultaneously |
| Race Window | ~10-100ΞΌs | < 1ΞΌs (sub-microsecond) |
| CPU Utilization | Limited by GIL | Full multi-core usage |
| Consistency | Variable timing | Highly consistent |
| Best for TRECO | Good | Excellent |
Note: TRECO works with both Python 3.10+ and 3.14t, but achieves optimal performance with 3.14t's free-threaded build.
Install Python 3.14t:
uv python install 3.14t
uv pip install treco-framework --python 3.14tContributions are welcome! Please see our Contributing Guide for details.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'feat: add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
If you find TRECO useful, please consider supporting its development:
Your support helps maintain and improve TRECO for the security research community.
TRECO is released under the MIT License. See LICENSE for details.
TRECO is designed for authorized security testing. You must:
- β Obtain written authorization before testing
- β Test only within agreed scope and boundaries
- β Comply with all applicable laws and regulations
- β Report vulnerabilities responsibly
Unauthorized testing may result in criminal prosecution and civil liability.
Users are solely responsible for ensuring their use complies with applicable laws, regulations, and agreements.
- TREM - The project that inspired TRECO
- Python Community - For Python 3.14t free-threaded build
- httpx, Jinja2, PyYAML, PyOTP - Essential libraries
- Security Community - Researchers and contributors who make this possible
- π Documentation: treco.readthedocs.io
- π¬ GitHub Discussions: github.com/maycon/TRECO/discussions
- π GitHub Issues: github.com/maycon/TRECO/issues
Made with β€οΈ by security researchers, for security researchers
β Star on GitHub | π Documentation | π Report Bug | π‘ Request Feature