A comprehensive security lab demonstrating Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerabilities in web applications.
This project demonstrates a Race Condition vulnerability (specifically TOCTOU - Time-of-Check to Time-of-Use) in a simulated SaaS platform. The lab shows how concurrent requests can bypass business logic constraints, allowing attackers to exploit timing gaps between validation and execution.
- Initial State: Company wallet has $100, upgrade cost is $100
- Expected Behavior: Only 1 user can be upgraded to Premium
- Vulnerability: By sending 5 concurrent requests, ALL 5 users get upgraded
- Impact: $400 worth of services stolen (or negative balance)
```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Attack Tool   │────▶│    Flask API    │────▶│    SQLite DB    │
│   (5 threads)   │     │  (vulnerable)   │     │   (WAL mode)    │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                                 │
                                 ▼
                        ┌─────────────────┐
                        │    Dashboard    │
                        │   (Real-time)   │
                        └─────────────────┘
```
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/race-condition-lab.git
cd race-condition-lab

# Install dependencies
pip install -r requirements.txt

# Initialize database
python database.py

# Start the server
python app.py

# In another terminal, run the attack
python attack_tool.py
```

```
race-condition-lab/
├── app.py              # Flask server with API endpoints
├── database.py         # SQLite database setup (WAL mode)
├── services.py         # Business logic (vulnerable + secure)
├── attack_tool.py      # Multi-threaded attack tool
├── requirements.txt    # Python dependencies
└── templates/
    └── dashboard.html  # Real-time visualization dashboard
```
Vulnerable upgrade (check-then-act):

```python
# Step 1: CHECK - Read balance (fetchone() returns a row tuple; take the first column)
balance = cursor.execute("SELECT balance FROM wallet").fetchone()[0]
# Step 2: VALIDATE
if balance >= UPGRADE_COST:
    # ⚠️ CRITICAL WINDOW - Race condition here!
    time.sleep(0.3)  # Simulates external API call
    # Step 3: ACT - Deduct and upgrade, using the balance read before the window
    cursor.execute("UPDATE wallet SET balance = ?", (balance - UPGRADE_COST,))
```

Secure upgrade (check and act in one statement):

```python
# Atomic operation - Check and Act in one statement
cursor.execute("""
    UPDATE wallet
    SET balance = balance - ?
    WHERE balance >= ?
""", (UPGRADE_COST, UPGRADE_COST))
if cursor.rowcount == 0:
    return "Insufficient funds"
```

- Atomic database operations - use `UPDATE ... WHERE` conditions
- Database locks - `SELECT ... FOR UPDATE`
- Optimistic locking - version numbers/timestamps
- Distributed locks - Redis/Memcached for microservices
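The two code paths above, reproduced as a self-contained race against a throwaway SQLite file (WAL mode, five threads, one $100 wallet). This is an added example, not the lab's own `services.py`: a `threading.Barrier` stands in for the `time.sleep(0.3)` window so that every thread is guaranteed to pass the CHECK before any thread ACTs, which makes the outcome deterministic rather than timing-dependent; all names and the sample data are constructed here.

```python
import os, sqlite3, tempfile, threading

UPGRADE_COST = 100

def make_db():
    # Fresh SQLite file in WAL mode holding a $100 wallet (constructed sample data)
    path = os.path.join(tempfile.mkdtemp(), "lab.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE wallet (balance INTEGER)")
    con.execute("INSERT INTO wallet VALUES (?)", (UPGRADE_COST,))
    con.commit(); con.close()
    return path

def vulnerable_upgrade(path, barrier):
    # CHECK and ACT are separate statements; the barrier stands in for time.sleep()
    con = sqlite3.connect(path, timeout=10)
    cur = con.execute("SELECT balance FROM wallet")                     # Step 1: CHECK
    balance = cur.fetchone()[0]
    cur.close()                     # finish the read so the write below does not use a stale snapshot
    ok = balance >= UPGRADE_COST                                        # Step 2: VALIDATE
    barrier.wait(timeout=5)         # every thread has passed the check before anyone acts
    if ok:
        con.execute("UPDATE wallet SET balance = ?", (balance - UPGRADE_COST,))  # Step 3: ACT
        con.commit()
    con.close()
    return ok

def secure_upgrade(path, barrier):
    # Check and act in one conditional UPDATE; SQLite serialises writers, so only one can match
    con = sqlite3.connect(path, timeout=10)
    barrier.wait(timeout=5)
    cur = con.execute("UPDATE wallet SET balance = balance - ? WHERE balance >= ?",
                      (UPGRADE_COST, UPGRADE_COST))
    con.commit()
    ok = cur.rowcount == 1
    con.close()
    return ok

def run_race(upgrade, n_users=5):
    # Launch n_users concurrent upgrades; returns (users upgraded, final balance)
    path = make_db()
    barrier = threading.Barrier(n_users)
    results = [False] * n_users
    threads = [threading.Thread(target=lambda i=i: results.__setitem__(i, upgrade(path, barrier)))
               for i in range(n_users)]
    for t in threads: t.start()
    for t in threads: t.join()
    balance = sqlite3.connect(path).execute("SELECT balance FROM wallet").fetchone()[0]
    return sum(results), balance
```

`run_race(vulnerable_upgrade)` upgrades all five users for a single $100 debit, while `run_race(secure_upgrade)` upgrades exactly one; the other four UPDATEs match no row and report `rowcount == 0`.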
| Endpoint | Method | Description |
|---|---|---|
| `/` | GET | Dashboard |
| `/api/stats` | GET | System statistics |
| `/api/upgrade` | POST | 🔴 Vulnerable upgrade |
| `/api/upgrade/secure` | POST | 🟢 Secure upgrade |
| `/api/reset` | POST | Reset system |
- OWASP Race Conditions
- CWE-367: TOCTOU Race Condition
- CVE-2026-22820 (Inspiration)
This project demonstrates a Race Condition vulnerability (specifically TOCTOU - Time-of-Check to Time-of-Use) in a simulated SaaS platform. The lab shows how concurrent requests can bypass business logic constraints.
- Initial state: the company wallet holds $100, the upgrade cost is $100
- Expected behavior: only one user can be upgraded to Premium
- The vulnerability: sending 5 requests concurrently - all 5 users get upgraded!
- Impact: $400 worth of services stolen
```bash
# Install dependencies
pip install -r requirements.txt

# Initialize the database
python database.py

# Start the server
python app.py

# In a separate terminal - run the attack
python attack_tool.py
```

```bash
# Attack the vulnerable endpoint
python attack_tool.py

# Attack the secure endpoint
python attack_tool.py --secure

# Reset the system
python attack_tool.py --reset
```

Initial state:
- 💰 Balance: $100
- 👥 Users: 5 Free, 0 Premium

After attacking the vulnerable endpoint:
- 💰 Balance: $0 (or negative!)
- 👥 Users: 0 Free, 5 Premium

After attacking the secure endpoint:
- 💰 Balance: $0
- 👥 Users: 4 Free, 1 Premium ✓
This project is for educational purposes only. Use responsibly.
MIT License - See LICENSE for details.
🎓 Web Security Course - Final Project
Made with ❤️ for educational purposes