Web Application Defender's Cookbook by Ryan C. Barnett, Jeremiah Grossman

This recipe shows you how to figure out when applications experience abnormal delays in sending their responses to clients.

Web application owners and developers often obsess over application performance. But this occurs for a perfectly valid reason. Web application users have extremely low tolerance for latency and will quickly leave your site for a competitor’s site if yours is too slow. With this in mind, we can leverage the fact that the web applications will process the request and respond rather quickly. Yes, variance between resources and back-end processing will occur, but latency will be minimized as much as possible.

So why am I talking about application latency? What does this have to do with web security monitoring? I’m glad you asked! Chapter 10 discusses SQL Injection attacks and defense in more depth, but one aspect is appropriate to cover now—blind SQL Injection. In this scenario, the attacker still can send the SQL Injection payload and have it be executed by the back-end database. However, the application has been configured to not send detailed error messages. This means that the attacker must instruct the database to conditionally execute certain code if the result of the query is either true or false. A favorite technique of attackers is to use the waitfor delay command. It simply tells the database to sit idle for a specified period of time before completing ...