Metadata-Version: 2.4
Name: ptmultirequest
Version: 0.0.1
Summary: Tool for synchronized multi-request race-condition checks
Home-page: https://www.penterep.com/
Author: Penterep
Author-email: info@penterep.com
License: GPLv3
Project-URL: homepage, https://www.penterep.com/
Project-URL: repository, https://github.com/penterep/ptmultirequest
Project-URL: tracker, https://github.com/penterep/ptmultirequest/issues
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Environment :: Console
Classifier: Topic :: Security
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Requires-Python: >=3.12
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: ptlibs<2,>=1.0.37
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: license
Dynamic: license-file
Dynamic: project-url
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary

[![penterepTools](https://www.penterep.com/external/penterepToolsLogo.png)](https://www.penterep.com/)

## ptmultirequest — Race Condition Tester

`ptmultirequest` sends two or more identical HTTP requests at the exact same moment
to help identify race condition vulnerabilities.

## Use cases

- Can a user make two payments simultaneously when balance allows only one?
- Can two accounts be registered with the same login at the exact same time?

## How it works

All requests are dispatched in parallel threads synchronized by a barrier —
every thread waits until all are ready, then fires at once.

Responses are compared across all requests:

| Field | What is checked |
|---|---|
| Status code | Are all responses the same HTTP status? |
| Response length | Does content length differ between responses? |
| Page title | Does the HTML `<title>` differ? |
| Keywords | Are `error`, `warning`, `notice`, or `sql` present in any response? |

Any difference may indicate a race condition — manual review is always recommended.

## Installation

```
pip install ptmultirequest
```

## Usage

```
ptmultirequest -u https://example.com/pay -c 2
ptmultirequest -u https://example.com/register -d "login=admin" -c 2
ptmultirequest --request-file ./request.txt -c 5
```

## Options

| Flag | Description |
|---|---|
| `-u`, `--url <url>` | Target URL |
| `-d`, `--data <post-data>` | POST body (switches method to POST) |
| `--request-file <file\|base64>` | Raw HTTP request from file or base64 |
| `-c`, `--count <n>` | Number of synchronized requests (default: `2`) |
| `-p`, `--proxy <proxy>` | Proxy URL (e.g. `http://127.0.0.1:8080`) |
| `-T`, `--timeout <seconds>` | Request timeout (default: `10`) |
| `--cookie <cookie>` | Cookie header |
| `-a`, `--user-agent <agent>` | User-Agent header |
| `-H`, `--headers <header:value>` | Additional custom headers |
| `-r`, `--redirects` | Follow redirects |
| `-j`, `--json` | Output results as JSON |
| `-v`, `--version` | Show version |
| `-h`, `--help` | Show help |

## Dependencies

- [`ptlibs`](https://github.com/penterep/ptlibs)

## License

Copyright (c) 2026 Penterep Security s.r.o.

`ptmultirequest` is free software licensed under the [GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.en.html) or later.

## Legal notice

Only run this tool against targets you are explicitly authorized to test.
Penterep bears no responsibility for unauthorized or malicious use. **Be ethical.**
