Time-of-check-to-time-of-use

Web

Attacks

• Josip Franjković - archived security blog: Race conditions on Facebook, DigitalOcean and others (fixed) (josipfranjkovic.blogspot.com)
• Smashing the state machine: the true potential of web race conditions | PortSwigger Research
• Race conditions | Web Security Academy (portswigger.net)

HTTP 2 and Single-Packet Attacks

• A Beginner’s Guide to HTTP/2 and its Importance | by Madhavan Nagarajan | The Startup | Medium
• Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections | USENIX
• (5) DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle - YouTube

Generic (Not Web)

Learning Resources

• Recognizing and preventing TOCTOU vulnerabilities (nccgroup.com)
• TOCTOU Time of Check and Time of Use — a Demonstration and Mitigation | by Sreeprakash Neelakantan | Medium