httpillage: calling all nodes

Limiting application security tests to a single attacking host has left the industry using phrases such as "an attacker could" or "an attacker may be able to" when referencing common attacks such as online attacks against user credentials, application-level denial of service, and username enumeration. Attacks from a single host are not practical and do not model real-world threats. The aforementioned tests would benefit greatly from the ability to distribute across different hosts in order to properly demonstrate impact.

Httpillage is a tool designed to distribute HTTP(S)-based attacks across multiple nodes, in a similar fashion to a traditional botnet C&C server. Common attacks such as online password brute-force, denial of service, and application enumeration can all be distributed, increasing speed and effectiveness.

This talk will demonstrate the use of httpillage to launch common attacks across multiple nodes, including brute-forcing time-based password reset tokens. We'll walk through scenarios that show how to properly demonstrate impact by launching attacks that would not be successful during a traditional pentest.

Presented by