7. Analysis: A web application's session management system checks whether a session token is valid (not expired) and then uses it to authorize the request. The check and authorization happen as two separate database queries. What specific risk does this create, and what should the developer do to fix it?
Risk: The gap between the validity check and the authorization use creates a TOCTOU race condition. An attacker who can invalidate the session token between the check and the use β for example, by expiring it in a second request β may cause the authorization to proceed on a token that is no longer valid. Additionally, if two simultaneous requests use the same token, both may pass the validity check before either's use triggers a "consumed" state.
Fix: Use a single atomic database operation that both validates and marks the token as consumed in one indivisible step β so the token can only be used once, and the check-and-use cannot be separated. With atomic handling, the second concurrent request cannot pass the validity check because the first request's consumption is committed before the second can read the token's state.
8. Evaluation: A security auditor finds a TOCTOU vulnerability in a system utility that writes log files. The developer responds: "This is a theoretical vulnerability β exploiting it requires perfect timing, and real attackers don't have that kind of precision." Evaluate this response. Is the developer's reasoning sound?
Disagree β the developer's reasoning is unsound.
The premise that race conditions require "perfect timing" is wrong. An attacker does not manually time the attack. They write two concurrent scripts: one triggers the vulnerable program in a tight loop, and another replaces the target file in a tight loop. Both run simultaneously at maximum speed. With thousands of operations per second on each side, the attacker will statistically land a replacement inside the race window within seconds β often faster than a human can react.
The fact that the window is small does not make it unexploitable; it just means more attempts are needed, and automation provides exactly that. Real-world TOCTOU exploits have been demonstrated against operating system utilities, package managers, and privilege escalation paths in production systems.
"Requires precise timing" is only true when the attacker is performing the attack manually β automation eliminates that constraint entirely. The developer has confused human manual capability with automated machine capability. The correct response is to fix the vulnerability, not to assume attackers lack the precision that automation trivially provides.