The Read-Write Gap: Web Race Conditions Beyond TOCTOU
A technical taxonomy of web race conditions beyond TOCTOU, explaining read-write gaps, HTTP/2 single-packet attacks, and the storage-layer primitives that close them.
blog.gtfo.dev
Technical writing on software engineering, systems design, and the tools that make it possible.
Recent Posts
-
Layer 2 vs. Layer 3 Switches
Most inter-VLAN routing in enterprise networks isn't done by a router. It's done by a switch that understands IP. This post breaks down how Layer 2 and Layer 3 switches differ, how SVIs and routed ports work, and why TCAM makes hardware-based routing possible.
Zero-Knowledge Proofs from Scratch: Schnorr Identification and the Sigma Protocol
A worked-example introduction to zero-knowledge proofs using the Schnorr identification protocol, building to the sigma protocol abstraction that underpins modern ZKP systems.
Account Takeover: The Composite Attack Class
ATO isn't a CWE — it's an outcome. This post models account takeover as a composite attack class, maps the five vector families to their root causes, and builds the defense architecture that exploitation checklists leave out.
TLS Fingerprinting — The First Gate
TLS fingerprinting catches automation tools by their handshake — until the attacker uses a real browser. Part 1 of a series on why client-side bot defense is structurally limited.
The Oracle Problem — How HTTP Compliance Leaks Information
HTTP status codes are designed to be informative. That's exactly what makes them dangerous. Part 1 of a series on how RFC-compliant behavior creates exploitable information channels — and when breaking the spec is the right call.