A security audit of a financial application reveals a critical vulnerability. The application first checks a user's account balance to authorize a transfer (time-of-check) and then, in a separate step, processes the withdrawal (time-of-use). An attacker found that by sending multiple, simultaneous requests, they could withdraw funds exceeding their actual balance because the balance was not locked during the transaction. Which of the following vulnerabilities does this scenario describe?
This scenario describes a race condition, specifically a Time-of-check to Time-of-use (TOCTOU) vulnerability. The application checks a condition (the account balance) at one point in time but uses the result of that check at a later point. An attacker can exploit the delay between the check and the use to change the state (in this case, by initiating another withdrawal), leading to unexpected and insecure behavior like withdrawing more money than is available in the account.
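The interleaving the answer describes, shown as an added Python example (constructed for this page, not code from the original). It models the account as an in-memory object and the "separate steps" as two methods: `withdraw_vulnerable` checks the balance and then debits it with nothing holding the state constant in between, while `withdraw_safe` keeps check and debit in one critical section. A `threading.Barrier` is used only as a modeling device, to force every concurrent request past the check before any of them debits, so the overdraft is reproducible rather than timing-dependent; the account name, balances and request count are constructed values.

```python
import threading
import time


class Account:
    """Toy in-memory account used to illustrate the check/use gap (constructed example)."""

    def __init__(self, balance):
        self.balance = balance
        self._update_lock = threading.Lock()  # makes the debit itself atomic, like a single DB UPDATE
        self._txn_lock = threading.Lock()     # guards the whole check-then-debit sequence

    def withdraw_vulnerable(self, amount, between_check_and_use):
        # Time-of-check: read the balance with no lock held across the following steps.
        if self.balance < amount:
            return False
        between_check_and_use()  # the gap in which another request can change the balance
        # Time-of-use: debit based on a check that may no longer be true.
        with self._update_lock:
            self.balance -= amount
        return True

    def withdraw_safe(self, amount, between_check_and_use):
        # Check and debit form one critical section: no other request can interleave.
        with self._txn_lock:
            if self.balance < amount:
                return False
            between_check_and_use()
            with self._update_lock:
                self.balance -= amount
            return True


def run_concurrent(withdraw, amount, requests, hook):
    """Fire `requests` simultaneous withdrawals and return how many of them succeeded."""
    outcomes = []
    threads = [threading.Thread(target=lambda: outcomes.append(withdraw(amount, hook)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes)


def demo_vulnerable(balance=100, amount=100, requests=5):
    acct = Account(balance)
    # The barrier forces every request past the check before any of them debits,
    # which is the interleaving the attacker relies on (made deterministic here).
    barrier = threading.Barrier(requests)
    successes = run_concurrent(acct.withdraw_vulnerable, amount, requests, barrier.wait)
    return acct.balance, successes


def demo_safe(balance=100, amount=100, requests=5):
    acct = Account(balance)
    # A barrier would deadlock inside the critical section (only one thread can be in it),
    # so the processing delay is simulated with a short sleep instead.
    successes = run_concurrent(acct.withdraw_safe, amount, requests, lambda: time.sleep(0.001))
    return acct.balance, successes


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())  # (-400, 5): five withdrawals from a 100 balance
    print("safe:      ", demo_safe())        # (0, 1): only the first withdrawal succeeds
```

With a balance of 100 and five simultaneous requests for 100 each, the vulnerable path lets all five through and leaves the account at -400, while the locked path admits exactly one. In a database-backed application the equivalent fix is to make the check and the debit a single atomic operation, for example a conditional update such as `UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt` and treating zero affected rows as a rejected withdrawal, or holding a row lock (`SELECT ... FOR UPDATE`) for the duration of the transaction.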