I, Abhi, was in a threat modeling session as a security engineer. During the meeting, I pointed at a design and said, "that portion may become vulnerable to TOC/TOU." To my surprise, half the people in the room did not know what TOCTOU was. A few people thought almost all new database technologies have built-in controls to prevent it. Some of them said it's a very corner case that applies only to money-transfer kinds of scenarios. One person said it's tough to exploit in real life.
Over the next few months, I came across multiple such situations. I wanted to shout out to the world that race conditions are real. But how? I asked myself.
I needed three things:
I slowly started building a web app that is vulnerable to TOCTOU. Then I converted it into a CTF. Gamification was essential to get people engaged; I think CTFs give us satisfaction when we solve each challenge. Then I started writing a book. I started talking about it to everybody around me, and a few of my friends offered help.
My wife, Sarika, and I used to brainstorm about driving this project forward. She helped me find a name and theme for this project. My brother, Akhi, started sketching dinosaur-themed scenarios for my book around that time.
Almost 1.5 years after day one, I started looking for reviewers. My friends Aakash, Keith, Jennifer, and Shashank offered to do the review for me. They sacrificed many of their weekends and late nights for this project.
That made me realize two things:
Did I tell you about Adarsh? He joined the team slightly late. He is a cousin brother of mine and a recent college graduate. Adarsh is the one who designed the logo, the cover page of the book, and the promotional posters for the OWASP TimeGap Theory.
We used Docker and Heroku to make it easy for people to get the project running. We show people how to use browser dev tools, cURL, and a few other free and open-source tools for exploiting TOCTOU vulnerabilities. The handy guide I mentioned before is out now, and you can get it from this link.