HTTP Time Bandit

Presented at AppSec USA 2013, Nov. 21, 2013, 3 p.m. (50 minutes).

Video of session: https://www.youtube.com/watch?v=jFNnI1DDSaE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=35 While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack.    We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalizations performed on the gathered data, and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools.    The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for the interested researchers to play with.

Presenters:

  • Vaagn Toukharian - Senior Software Engineer - qualys   as vaagn toukharian
    Was involved with security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. Outside of work interests include Photography, and Ironman Triathlons.

Links:

Similar Presentations: