Clubbing Webapps With A Botnet presented at OWASP Appsec 2009

by Gunter Ollmann (Damballa)

Tags: Security, Web Application Security, Botnets

URL: http://www.owasp.org/index.php/Clubbing_WebApps_with_a_Botnet

Summary: The lonely hacker, taking pot-shots at a Web application and seeking out an exploitable flaw, is quickly going the way of the dinosaur. Why try to hack an application from a solitary host using a single suite of tools when you can distribute and load-balance the attack amongst a global collection of anonymous bots and even ramp up the pace of attack by several orders of magnitude? If you're going to _really_ hack a Web application for commercial gain, the every-day botnet is now core equipment in an attacker's arsenal. Sure, DDoS and other saturation attacks are possible, but the real benefits of employing botnets to hack Web applications come from their sophisticated scripting engines and command & control, which allow even onerous blind-SQL-injection attacks to be conducted in minutes rather than days. If someone's clubbing your Web application with a botnet, where are your weaknesses and how much time have you really got?