Steve McBride

New WAS QID 150126 for Links With High Resource Consumption (HTTP Time Bandit)

Discussion created by Steve McBride on Sep 5, 2015

Qualys has released a new WAS QID, 150126, to detect links with high resource consumption.

Description:

Initially presented at DEFCON 21 by Qualys researchers Tigran Gevorgyan and Vaagn Toukharian, HTTP Time Bandit is a method of enumerating the resources in a web application that respond more slowly than the application's average resource. Response time is observable from outside, so an attacker who enumerates these slow-to-respond resources can reasonably assume that they are particularly expensive for the web server or the database to produce.


Possible Consequences:

An attacker who is aware of slow-to-respond resources can repeatedly request them in an attempt to produce a denial of service through resource starvation, at far lower cost than requesting the application's average resource the same number of times. Distributing those requests across many clients greatly amplifies the effect and can cause rapid and catastrophic resource starvation.


Our WAS detection technique:

As the WAS scanner crawls an application, it records the response time of each resource.  It then computes the mean response time across the application and reports the resources that take longer than the mean under an "Information Gathered" QID, so that users are aware of the resources that may cause excessive resource consumption.
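The detection rule above (time every crawled resource, compute the application-wide mean, flag what exceeds it) as an added, stand-alone example. This is not Qualys WAS code: `fetch` is a hypothetical callable that performs one request and returns when the response is complete, and the sample paths, timings and the `fake_fetch` stand-in are constructed for the example. It also goes one step beyond the text with a median-based baseline, because a single very slow resource drags the mean up and can hide other slow ones.

```python
"""Added example (not Qualys WAS code): a minimal HTTP Time Bandit style pass.

time_resource() measures wall-clock response time of a fetch callable;
flag_slow() applies the rule in the text (slower than the application-wide
mean) and an optional median-based variant. Paths, timings and fake_fetch
are constructed for the example.
"""
import statistics
import time
from typing import Callable, Dict, List, Tuple


def time_resource(fetch: Callable[[str], object], path: str, samples: int = 3) -> float:
    """Return the median response time in milliseconds over `samples` requests.

    The median (not the minimum) is used so one cached or unusually fast
    response does not hide a normally slow resource.
    """
    elapsed: List[float] = []
    for _ in range(samples):
        start = time.perf_counter()
        fetch(path)
        elapsed.append((time.perf_counter() - start) * 1000.0)
    return statistics.median(elapsed)


def flag_slow(timings: Dict[str, float], baseline: str = "mean",
              min_ratio: float = 1.0) -> Tuple[List[Tuple[str, float]], float]:
    """Return (flagged, baseline_ms): flagged lists (path, time/baseline) for
    every path slower than baseline_ms * min_ratio, slowest first.

    baseline="mean" is the rule in the text. One very slow resource pulls the
    mean up and can hide other slow ones, so baseline="median" with a
    min_ratio of, say, 2.0 is a more robust alternative.
    """
    values = list(timings.values())
    base = statistics.fmean(values) if baseline == "mean" else statistics.median(values)
    flagged = [(p, t / base) for p, t in timings.items() if t > base * min_ratio]
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged, base


# Constructed sample: median response times (ms) recorded during a crawl.
SAMPLE_TIMINGS_MS: Dict[str, float] = {
    "/": 35.0,
    "/login": 48.0,
    "/static/app.js": 12.0,
    "/search?q=a": 410.0,
    "/report/export": 2650.0,
    "/about": 30.0,
}

# Constructed stand-in for a web application: each path "costs" a fixed sleep.
FAKE_COST_S: Dict[str, float] = {"/": 0.002, "/about": 0.002, "/report/export": 0.040}


def fake_fetch(path: str) -> None:
    """Hypothetical fetch: sleeps for the constructed cost of the path."""
    time.sleep(FAKE_COST_S.get(path, 0.002))


def crawl_and_flag(paths: List[str], fetch: Callable[[str], object]) -> List[str]:
    """Time every path with `fetch` and return the ones slower than the mean."""
    timings = {p: time_resource(fetch, p) for p in paths}
    flagged, _ = flag_slow(timings)
    return [p for p, _ratio in flagged]


if __name__ == "__main__":
    flagged, mean_ms = flag_slow(SAMPLE_TIMINGS_MS)
    print(f"mean {mean_ms:.1f} ms; slower than mean: {flagged}")
    flagged, median_ms = flag_slow(SAMPLE_TIMINGS_MS, baseline="median", min_ratio=2.0)
    print(f"median {median_ms:.1f} ms; more than 2x median: {flagged}")
    print("live timing:", crawl_and_flag(list(FAKE_COST_S), fake_fetch))
```

On the constructed sample the mean rule flags only `/report/export`, because that one resource lifts the mean to about 531 ms and `/search?q=a` at 410 ms falls under it; the median rule with a 2x threshold flags both. When reviewing a QID 150126 finding, compare the reported times against the median as well as the mean before deciding which resources deserve attention.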


Mitigation:

Once identified, resources that exhibit slow response times should be investigated.  Often the expensive operation (a large or unindexed database query, for instance) can be rewritten, indexed or cached so that its response time returns to the application's average.  If a resolution cannot be accommodated in application code, load balancing and/or proxying can be an effective defence against resource starvation attacks, and should be in place for any large production application.  Web application firewall technologies or on-server rulesets such as mod_security, for example rate-limiting rules applied to the flagged resources, can also help mitigate the risk of this type of attack.
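One concrete form of the on-server ruleset mentioned above, as an added example that is not Qualys code or a mod_security rule: a token-bucket rate limiter applied per client to the paths already identified as expensive, wrapped as WSGI middleware so cheap paths are never affected. The path list, the rates and the injectable `clock` are assumptions for the example; in a real deployment the limiter sits in, or behind, the proxy that terminates client connections.

```python
"""Added example (not Qualys code): rate-limit only the expensive endpoints.

ExpensiveEndpointLimiter keeps a token bucket per (client, path) for the paths
flagged as slow; limit_expensive() wraps a WSGI app and answers 429 with a
Retry-After header once a client has drained its bucket. Paths, rates and the
clock injection are constructed for the example.
"""
import math
import time
from typing import Callable, Dict, Iterable, Tuple


class ExpensiveEndpointLimiter:
    """Per (client, path) token bucket: `burst` requests at once, then
    `rate_per_sec` sustained. Paths outside `expensive_paths` are never limited."""

    def __init__(self, expensive_paths: Iterable[str], rate_per_sec: float,
                 burst: int, clock: Callable[[], float] = time.monotonic) -> None:
        self.expensive = set(expensive_paths)
        self.rate = rate_per_sec
        self.burst = float(burst)
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._buckets: Dict[Tuple[str, str], Tuple[float, float]] = {}  # -> (tokens, last_seen)

    def allow(self, client: str, path: str) -> bool:
        """Consume one token for (client, path); False means reject the request."""
        if path not in self.expensive:
            return True
        now = self.clock()
        tokens, last = self._buckets.get((client, path), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last request
        if tokens >= 1.0:
            self._buckets[(client, path)] = (tokens - 1.0, now)
            return True
        self._buckets[(client, path)] = (tokens, now)
        return False

    def retry_after(self) -> int:
        """Seconds until one token is refilled, rounded up for the Retry-After header."""
        return max(1, math.ceil(1.0 / self.rate))


def limit_expensive(app, limiter: ExpensiveEndpointLimiter):
    """Wrap a WSGI app; over-limit requests to expensive paths get 429.

    REMOTE_ADDR is the client key here. Behind a reverse proxy it is the proxy's
    address, so use the proxy's forwarded-client header instead, and only when
    that proxy is trusted to set it.
    """
    def wrapped(environ, start_response):
        client = environ.get("REMOTE_ADDR", "unknown")
        path = environ.get("PATH_INFO", "/")
        if not limiter.allow(client, path):
            body = b"Too Many Requests\n"
            start_response("429 Too Many Requests", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("Retry-After", str(limiter.retry_after())),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", "3")])
    return [b"ok\n"]


def call(app, path: str, client: str = "198.51.100.7") -> str:
    """Invoke a WSGI app with a constructed environ and return its status line."""
    status: Dict[str, str] = {}

    def start_response(line, headers, exc_info=None):
        status["line"] = line

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": client}
    list(app(environ, start_response))  # drain the iterable as a server would
    return status["line"]


if __name__ == "__main__":
    limiter = ExpensiveEndpointLimiter({"/report/export"}, rate_per_sec=0.2, burst=2)
    app = limit_expensive(demo_app, limiter)
    for _ in range(4):
        print(call(app, "/report/export"))  # two 200s, then 429s
    print(call(app, "/about"))  # cheap path is never limited
```

Keying the bucket on (client, path) protects the expensive resource without touching the rest of the site, which is the point of acting on the QID's list rather than rate-limiting everything; it does not by itself stop a distributed attacker, which is where the load balancing and proxying above come in.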


Additional References:

https://www.defcon.org/images/defcon-21/dc-21-presentations/Toukharian-Gevorgyan/DEFCON-21-Toukharian-Gevorgyan-HTTP-Time-Bandit.pdf
