OWASP TimeGap Theory


OWASP TimeGap Theory is an auto-scoring capture-the-flag game that focuses entirely on TOCTOU vulnerabilities. There are seven unique challenges to be solved in TimeGap Theory. All of them can be solved just by using browser dev tools.



OWASP TimeGap Theory is built with PHP, MySQL, Docker and Heroku. It is built as a multi-featured web application. The goal of TimeGap Theory is to raise awareness of TOCTOU vulnerabilities. It started as a PoC demo app for the author’s coworkers and was later open sourced under OWASP’s umbrella.


In order of appearance:

  • Abhi M Balakrishnan - Author
  • Akhi M Balakrishnan - Illustrations for the hand-guide
  • Adarsh Girijan - Cover page design for the hand-guide
  • This can be your name - We need your help to test the software and review the hand-guide.


OWASP TimeGap Theory is licensed under the Apache License 2.0

For more details, please visit the official website at https://timegaptheory.com/




  1. Free and open source
  2. Auto-scoring system - no need to enter the flags yourselves
  3. Slow-down feature lets you learn more about the time gap between time-of-check and time-of-use
  4. No tools required - solve all challenges just by using a browser and its dev tools
  5. Extensive documentation (coming soon)