OWASP TimeGap Theory Handbook
Search…
OWASP TimeGap Theory Handbook
OWASP TimeGap Theory Handbook
Welcome
TOCTOU
Lab Setup!
A Quick Refresher!
Challenge 1 – Sign Up
Challenge 2 – Login
Challenge 3 – Transfer
Challenge 4 – Mars
Challenge 5 – Tickets
Challenge 6 – Coupon
Challenge 7 – Ratings
More Tools
Credits
Thanks
Addendum
License
Powered By GitBook
Lab Setup!
Lab setup is easy!The entire lab is ready for you to download and run.
First, we need to get to the download and install some software. There are two ways forward:
  1. 1.
    If you’re planning to launch tools or scripts against the test instance, set up a local OWASP TimeGap Theory lab
  2. 2.
    If you’re planning to perform light-weight testing using a browser, use the online versio

Local OWASP TimeGap Theory Lab using Docker

Follow the next steps if you are planning to set up a local OWASP TimeGap Theory lab.
  • Approximate time required: 20 minutes
  • Budget: $0, no paid software required
  • Prerequisite: Windows Pro / Mac / Linux computer
  1. 1.
    Install Docker (the free community edition is okay.)
    1. 1.
      https://www.docker.com/
    2. 2.
      https://docs.docker.com/
  2. 2.
    Have at least two browsers installed
    1. 1.
      Firefox and Chrome work the best
    2. 2.
      If you have only one browser, you can use an incognito/private window as the other browser
  3. 3.
    Download OWASP TimeGap Theory
    1. 1.
      Download the ZIP and extract https://github.com/OWASP/TimeGap-Theory/archive/master.zip
    2. 2.
      Or type in the following in your Terminal:
git clone https://github.com/OWASP/TimeGap-Theory.git
  1. 1.
    Run Docker
  2. 2.
    Ensure that Docker is running
    1. 1.
      Run docker -v in your Terminal to check if Docker is up and running. If running, Docker will show you version information.
  3. 3.
    Open the command prompt/terminal
  4. 4.
    Change the directory to the OWASP TimeGap Theory directory
  5. 5.
    Run the following command docker-compose up -d
cd TimeGap-Theory
docker -v
docker-compose up -d
If all works as expected, you should be able to access the following URLs on your browser:
http://localhost/
This is the homepage of your OWASP TimeGap Theory Lab.
The fresh installation of OWASP TimeGap Theory won’t configure the database automatically. Go to TimeGap Theory > WebApp > Admin and click on the Reset Database button to initialize the database.
One of the common issues while setting up the Docker lab is getting an error message from CMD/Terminal - “Couldn't connect to Docker daemon. You might need to start Docker”. This means Docker is not running. You can start Docker by launching the Docker application from the Applications/Start menu.
You can also install cURL if you want to try some advanced automation techniques for exploiting TOCTOU vulnerabilities
  • If you are using Linux or Mac operating systems, cURL is already installed
  • If you are using the latest version of Windows, cURL will also be installed
  • If you are using an older version of Windows, you can download cURL from https://curl.haxx.se/windows/

Online OWASP TimeGap Theory Lab using Heroku

Follow the next steps if you are planning to use the online version of the TimeGap Theory lab.
  • Approximate time required: 5 minutes
  • Budget: $0, no paid software required
  1. 1.
    Login to your Heroku account at https://id.heroku.com/login
    1. 1.
      Sign up for a free Heroku account if you do not have one already https://signup.heroku.com
    2. 2.
      You need to do email verification and add payment information (like credit-card) to the Heroku account for verification purposes.
    3. 3.
      You won’t get charged if you are only running TimeGap-Theory on your Heroku account.
  2. 2.
    Deploy your TimeGap Theory instance
    1. 1.
      Navigate to https://github.com/OWASP/TimeGap-Theory
    2. 2.
      Click on the Deploy to Heroku button
    3. 3.
      Choose a name for your app
    4. 4.
      Click on Deploy app button
    5. 5.
      Once deployed, click on View button
  1. 1.
    Have at least two browsers installed
    1. 1.
      Firefox and Chrome work the best
    2. 2.
      If you have only one browser, you can use an incognito/private window as the other browser
  2. 2.
    cURL
    1. 1.
      If you are using Linux or Mac operating systems, cURL is already installed.
    2. 2.
      If you are using the latest version of Windows, cURL will also be installed.
    3. 3.
      If you are using an older version of Windows, you can download cURL from https://curl.haxx.se/windows/
And that’s it. You are ready to go.
You should be able to see the homepage of your TimeGap Theory Lab.
The fresh installation of OWASP TimeGap Theory won’t configure the database automatically. Go to TimeGap Theory > WebApp > Admin and click on the Reset Database button to initialize the database.
Previous
TOCTOU
Next
A Quick Refresher!
Last modified 1yr ago
Copy link
On this page
Local OWASP TimeGap Theory Lab using Docker
Online OWASP TimeGap Theory Lab using Heroku