Hackfest 2020

Your locale preferences have been saved. We like to think that we have excellent support for English in pretalx, but if you encounter issues or errors, please contact us!

Introducing OWASP TimeGap Theory
11-20, 17:30–18:20 (Canada/Eastern), Hackfest - Track 1
Language: English

Race conditions in web applications. They are hard to find and more challenging to exploit. OWASP TimeGap Theory is a free and open-source CTF for learning how-to-find and how-to-exploit race conditions.

You will get tools, tips, and tricks to find and exploit TOCTOU issues.


There are several security issues out there that everyone talks and knows about - cross-site scripting, SQL injection, clickjacking, XXE. Every organization out there has some sort of secure software lifecycle to identify these issues - it can be SAST scanners, DAST scanners, or the protesting.

What I’m going to do in this session is to introduce you to a security issue that most of these scanners can not detect. It’s called Time-of-Check to Time-of-use, often abbreviated and pronounced as TOCTOU.

Forget scanners, a significant portion of pen testers out there also do not test the applications for this security issue.

We will be using the OWASP TimeGap Theory as our training platform for learning TOCTOU issues. Remember WebGoat? It’s something like that but focusing only on TOCTOU issues. You can also call it a TOCTOU-Goat or a RaceCondition-Goat.

By the end of this session, you will have some of the best tools and techniques to find and exploitTOCTOU issues. You will also learn how to identify TOCTOU issues early in the development lifecycle (threat modeling sessions).


Are you releasing a tool? – no

Abhi M Balakrishnan is a security engineer from Silicon Valley. You must have heard about Abhi’s other free and open-source projects like OWASP Mantra, Matriux, ExploitMe REST, Alert Labs, OWASP Bricks, Snow, Brick Town, TinyBird CTF, and ‘web app security testing with browsers.’