While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack. We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalizations performed on the gathered data, and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools. The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for the interested researchers to play with.
Vaagn Toukharian is Principal Engineer for Qualys's Web Application Scanner. Was involved with security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. Outside of work interests include Photography, and Ironman Triathlons.
Tigran Gevorgyan was born in Yerevan, Armenia. Graduated from Yerevan State University with honors in 1996. Immigrated to USA in 1999. Worked in various companies in network security field, such as Network Associates, Imperito Networks and Qualys.