How would you design a test strategy to identify such concurrency issues in API testing? What tools or approaches would you use to simulate simultaneous requests? How would you verify the integrity of the transactions?

Scenario:
You are testing a payment gateway API that handles financial transactions. The API is supposed to ensure that funds are transferred only if the user’s account balance is sufficient. During testing, you notice the following issue:

When two simultaneous requests are made from two different devices for the same transaction (e.g., withdrawing ₹10,000), the API processes both requests and deducts ₹20,000, even though the account balance is only ₹15,000.

3 Likes

On the developer, unit testing side, that might depend on what tools are available to the given programming language / tech stack.

I’m wondering whether the scenario could be properly (and easily) mocked/simulated for testing in unit tests.

On the QA system level testing, I can only think you would use API or load test tools and just replicate those requests with whatever concurrency features are available from the tools used, or in some cases, might have to code the concurrency in using a scripting/programming language with the tool if not natively offered.

The given scenario sounds like a race condition bug and a possible oversight in handling uniqueness of transactions (based on amount rather than, say, a transaction ID associated with each request).

I don’t think race conditions are easy to test and simulate for, but I could be mistaken.

1 Like

@ramanan Awesome question :clap:

I just want to express that your question is a perfect example of a race condition, and to avoid it please incorporate synchronization in your tech architecture.
Please refer to the O’Reilly book.
link - Operating Systems in Depth [Book]

You will get to know some insights on how to avoid race conditions in architecture.

Hope this helps.

:v:

1 Like

While it is best to optimize the code (under test) to avoid/prevent race conditions, this post is a good question to pose to the community regarding how we might test/trigger/simulate race conditions from a system level of testing, regardless of how well written or tested the underlying code is. A very specific and niche area of testing.

1 Like

This is called a race condition vulnerability. (as some mentioned above)
You can easily test this with Burp Suite and send a race condition request (parallel requests) out.

If you want to read more about it: Race conditions | Web Security Academy

They are easy to test :stuck_out_tongue: (if you know how)
There are some labs where you can practice this also if you’d like.
There can be single requests race conditions or multi requests race conditions.

Here’s a nice guide: New techniques and tools for web race conditions | Blog - PortSwigger

2 Likes
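As an added example (not code from any poster in this thread, and not a real payment gateway), the script below shows both halves of what the replies above describe: a test harness that releases several requests at the same instant, as a load tool or Burp's parallel-request feature would, and an integrity check run afterwards against the invariant "money deducted equals successful withdrawals, and the balance never goes negative". The withdraw endpoint is modelled in-process with two constructed implementations: `NaiveAccount` does the unsynchronised check-then-deduct that produces the ₹15,000 minus ₹20,000 outcome from the original question, and `SafeAccount` guards the same operation with a lock and rejects a replayed transaction ID, the fix the second reply points at. All class and function names, the ₹15,000 opening balance and the two ₹10,000 requests are constructed for this illustration.

```python
"""Concurrency test harness for a withdraw endpoint (constructed in-process model, not a real API)."""
import threading
import time


class NaiveAccount:
    """Check balance, then deduct, with no synchronisation and no transaction-ID tracking.

    This is the pattern behind the bug in the original question: two requests can
    both read the old balance before either of them writes the new one.
    """

    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount, txn_id):
        if self.balance >= amount:        # step 1: read the balance
            time.sleep(0.1)               # simulated DB round-trip; widens the race window so the test is repeatable
            self.balance -= amount        # step 2: write; another request may have read the stale balance
            return "ok"
        return "insufficient_funds"


class SafeAccount:
    """Same operation, but check-and-deduct is one critical section and each txn_id is honoured once."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()
        self._processed = set()           # idempotency keys (transaction IDs) already applied

    def withdraw(self, amount, txn_id):
        with self._lock:                  # nobody else can read or write the balance in here
            if txn_id in self._processed:
                return "duplicate"        # the "same transaction from two devices" case
            if self.balance < amount:
                return "insufficient_funds"
            time.sleep(0.1)               # same simulated latency; no longer matters because of the lock
            self.balance -= amount
            self._processed.add(txn_id)
            return "ok"


def fire_concurrently(account, amount, txn_ids):
    """Send one withdraw per txn_id, all released at the same instant via a barrier.

    Against a real API the body of worker() would be an HTTP call; the barrier is
    what makes the burst simultaneous rather than merely fast.
    """
    barrier = threading.Barrier(len(txn_ids))
    results = [None] * len(txn_ids)

    def worker(index, txn_id):
        barrier.wait()                    # every thread blocks here until all have arrived
        results[index] = account.withdraw(amount, txn_id)

    threads = [threading.Thread(target=worker, args=(i, t)) for i, t in enumerate(txn_ids)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def verify_integrity(opening_balance, amount, results, closing_balance):
    """Post-burst invariant check a tester would run against the ledger.

    A consistent ledger has closing == opening - (successful withdrawals * amount);
    an overdrawn closing balance means the balance check was bypassed.
    """
    successes = results.count("ok")
    expected = opening_balance - successes * amount
    return {
        "successes": successes,
        "ledger_consistent": closing_balance == expected,
        "overdrawn": closing_balance < 0,
    }


def run_scenario(account_cls, txn_ids, opening_balance=15000, amount=10000):
    """Run the burst against a fresh account and return outcomes plus the integrity verdict."""
    account = account_cls(opening_balance)
    results = fire_concurrently(account, amount, txn_ids)
    return {
        "results": results,
        "balance": account.balance,
        "integrity": verify_integrity(opening_balance, amount, results, account.balance),
    }


if __name__ == "__main__":
    # The question's scenario: the same transaction submitted from two devices at once.
    for cls in (NaiveAccount, SafeAccount):
        outcome = run_scenario(cls, ["txn-0001", "txn-0001"])
        print(cls.__name__, outcome)
```

Against the naive model the burst returns two `ok` responses and a closing balance of -5000, and the integrity check reports `overdrawn`; the same ledger arithmetic is what you would compare against the gateway's transaction log after a real parallel-request run. Against the locked model one request succeeds and the replayed transaction ID is rejected as `duplicate`, so the balance ends at 5000. Note that the only difference in the harness between the two runs is the class under test: the barrier and the invariant are the reusable parts, and the `time.sleep` inside the model stands in for the real database latency that makes the window large enough to hit reliably from a tool.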