Welcome

People often ask, "Why should I bother with such a trivial vulnerability?"

• TOC/TOU is not in OWASP’s Top 10

• It is not even in the CWE’s Top 25 Most Dangerous Software Errors

However, that does not make TOCTOU irrelevant. One open (or broken) door is enough for an attacker to break in. That open door doesn’t necessarily need to be reflected in the OWASP Top 10 or CWE Top 25.

This guide is exactly about this kind of door. We are talking about time of check to time of use, often abbreviated as TOC/TOU. Unlike cross-site scripting and SQL injection, this door is slightly harder to locate and find. But once open, it can be pretty dangerous.

People sometimes refer to TOC/TOU as TOCTOU and TOCTTOU. No matter how you write it, the right pronunciation is “TOCK too.”

This guide will walk you through seven TOC/TOU scenarios. Note that the application, OWASP TimeGap Theory, is designed to be vulnerable to TOC/TOU, but not all web applications are vulnerable. There are several methods to safeguard applications from TOCTOU issues. We won’t be discussing them here as they are beyond the scope of this hand guide.

However, by the end of this guide:

• You will be a TOC/TOU Champion

• You will be equipped with tools and techniques to check if your application is vulnerable to TOCTOU

• You will be able to forecast TOCTOU issues on application by looking at the high-level design in threat-modeling sessions

• You also will be in a position to demonstrate TOCTOU issues to your peers