Overview
Explore the world of distributed HTTP-based attacks in this 40-minute LASCON conference talk. Learn about Httpillage, a tool designed to distribute attacks across multiple nodes, simulating real-world threats more effectively than single-host attacks. Discover how to conduct online password brute-force attempts, denial of service attacks, and application enumeration with increased speed and effectiveness. Follow along with live demonstrations of common attacks across multiple nodes, including brute-forcing time-based password reset tokens. Gain insights into providing proper impact demonstrations during penetration testing, and understand the limitations of traditional single-host approaches. Delve into topics such as username enumeration, job response flags, dictionary attacks, status codes, and weak token exploitation. Enhance your understanding of application security testing and learn how to better model real-world threats in your assessments.
Syllabus
Intro
Penetration Tester vs Vulnerability Assessment
HTTP Pillage
Username Enumeration
Live Demo
Edit Job
Response Flag
Dictionary
Squiggly Bracket
Status codes
Spinning up another node
Thread count
Result
Local hosting
Search tip
Verbose error message
Increasing exploitability
Expired tokens
Django envy
Forgot password mechanism
Character sets
Password reset
Weak tokens
Denial of service
Outro
Taught by
LASCON