Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

HTTP Time Bandit: Identifying and Exploiting Web Application Performance Bottlenecks

OWASP Foundation via YouTube

Overview

Explore a comprehensive analysis of web application performance bottlenecks and potential vulnerabilities in this OWASP Foundation conference talk. Learn about a tool designed to identify resource-consuming pages through systematic testing and data normalization. Discover how this information can be leveraged for more efficient DOS/DDOS attacks using simple tools. Gain insights into the proposed method for detecting critical resources, statistical data normalization techniques, and the attack-like stage of testing. Examine the impact of commercial protection services and Apache configurations on server performance. Witness live demonstrations of the tool in action on various targets and learn about its availability for further research.

Syllabus

Intro
Classic Application Layer DOS/DDOS
The Proposed Method Method of detection of the critical resource • Spider over the web site and collect transfer times for each resource • Calculate the average speed and distribution of transfers Identify the resources that have slower average transfer times
Using Statistics to Normalize the Data
Attack Like Stage of Testing Measurement of service degradation while doing a hard test for narrowing down the choice of links
Commercial Protection Services . Few players using limiters for
Playing with Apache Configs Baseline, no protection • 1 client running 10x parallel requests of the most expensive resource • 3% CPU on the client machine Server: i7, 4 core, 8 gb • 98% CPU utilization on the server
mod_qos Implements control mechanisms to provide different priority to requests and control server access based on available resources 7
Conflicts with Slow* Attack Protection Slow* attack mitigation is an addition • mod_evasive could not protect from these There is no conflict (good news)

Taught by

OWASP Foundation

Reviews

Start your review of HTTP Time Bandit: Identifying and Exploiting Web Application Performance Bottlenecks

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.