HTTP Time Bandit presented at AppSec USA 2013

by Vaagn Toukharian,

Summary : HTTP Time Bandit
While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack.
We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalizations performed on the gathered data,
and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools.
The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for the interested researchers to play with.