CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
ID
CAPEC-29
Typical Severity
High
Likelihood Of Attack
High
Status
Draft
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | weakness |
| CWE-366 | Race Condition within a Thread | weakness |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | weakness |
| CWE-368 | Context Switching Race Condition | weakness |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check | weakness |
| CWE-662 | Improper Synchronization | weakness |
| CWE-663 | Use of a Non-reentrant Function in a Concurrent Context | weakness |
| CWE-665 | Improper Initialization | weakness |
| CWE-691 | Insufficient Control Flow Management | weakness |