Hackfest 2020

Introducing OWASP TimeGap Theory
2020-11-20, 17:30–18:20, Hackfest - Track 1

Race conditions in web applications. They are hard to find and more challenging to exploit. OWASP TimeGap Theory is a free and open-source CTF for learning how-to-find and how-to-exploit race conditions.

You will get tools, tips, and tricks to find and exploit TOCTOU issues.

There are several security issues out there that everyone talks and knows about - cross-site scripting, SQL injection, clickjacking, XXE. Every organization out there has some sort of secure software lifecycle to identify these issues - it can be SAST scanners, DAST scanners, or the protesting.

What I’m going to do in this session is to introduce you to a security issue that most of these scanners can not detect. It’s called Time-of-Check to Time-of-use, often abbreviated and pronounced as TOCTOU.

Forget scanners, a significant portion of pen testers out there also do not test the applications for this security issue.

We will be using the OWASP TimeGap Theory as our training platform for learning TOCTOU issues. Remember WebGoat? It’s something like that but focusing only on TOCTOU issues. You can also call it a TOCTOU-Goat or a RaceCondition-Goat.

By the end of this session, you will have some of the best tools and techniques to find and exploitTOCTOU issues. You will also learn how to identify TOCTOU issues early in the development lifecycle (threat modeling sessions).

Are you releasing a tool? – no