QUIC-er Races: HTTP/3 won’t save you from TOCTOU vulnerabilities
摘要
Race conditions in web applications represent a persistent class of vulnerabilities that allow adversaries to bypass business logic through synchronized request bursts. While the transition from TCP-based HTTP/2 to UDP-based HTTP/3 (QUIC) introduces stochastic processing delays and independent stream delivery, the security implications of these protocol shifts remain under-explored. This work investigates the effectiveness of race condition exploits across modern transport protocols. Our experimental results demonstrate that while the user-space implementation of QUIC provides a resilience threshold against low-volume attacks, this protection is an artifact of scheduling jitter and is inherently fragile. We identify a critical concurrency threshold (