Recently, I had the opportunity to work on a medium-sized Web project, which involved developing several modules whose interaction had to be carefully planned. Some of these modules required access to protected sections of the website through a centralized access control mechanism, so the critical security issues had to be tested as thoroughly as possible.
In order to check for some of the possible vulnerabilities and evaluate potential weak points within the program, a server-side application was used. It emulated automated GET and POST requests in order to determine whether the website application was capable of rejecting external attacks, at least those aimed primarily at creating Denial of Service (DoS) situations.
After performing the verification process and implementing some possible countermeasures within the program, such as noisy image generation (to tell humans and automated clients apart) and on-the-fly encryption of session data, a clear picture of the topic emerged. Certainly, we have all seen many unprotected websites easily crashed by malicious programs installed on remote computers that launch massive numbers of requests at the targeted server, causing either severe slowdowns or complete system hangs.
However, most of these programs are client applications running on non-Web-based platforms. Now the scenario is definitely a little different. As you probably know, many popular server-side languages make it quite easy to work with sockets, and this fact alone turns the development of HTTP-based hacking tools into a simple exercise.
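The server-side defence the paragraphs above allude to is the ability to recognise and reject a flood of requests from a single client. The following is an added example, not code from the original article: a per-client sliding-window throttle replayed over a constructed request log (the log format, the addresses and the limits are all assumptions chosen for illustration).

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # length of the sliding window (assumed value)
MAX_REQUESTS = 20     # requests one client may make per window (assumed value)


class RequestThrottle:
    """Per-client sliding-window limiter: keeps the timestamps of recent
    requests and refuses a request once the window is full."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        self.window = window
        self.limit = limit
        self.recent = defaultdict(deque)   # client -> timestamps inside window

    def allow(self, client, ts):
        q = self.recent[client]
        while q and ts - q[0] >= self.window:   # drop entries that have expired
            q.popleft()
        if len(q) >= self.limit:
            return False                        # flood: reject and do not record
        q.append(ts)
        return True


def parse_line(line):
    """Constructed log format: '<epoch seconds> <client-ip> <method> <path>'."""
    ts, client, method, path = line.split()
    return float(ts), client, method, path


def scan(lines, throttle=None):
    """Replay log lines through the throttle; return rejected count per client."""
    throttle = throttle or RequestThrottle()
    rejected = defaultdict(int)
    for line in lines:
        ts, client, _method, _path = parse_line(line)
        if not throttle.allow(client, ts):
            rejected[client] += 1
    return dict(rejected)


# Constructed sample: one client hammering /login ten times a second for six
# seconds, one client browsing at a normal pace.
SAMPLE_LOG = (
    ["%.1f 203.0.113.5 POST /login" % (1700000000 + i * 0.1) for i in range(60)]
    + ["%.1f 198.51.100.7 GET /page%d" % (1700000000 + i * 2, i) for i in range(5)]
)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))   # {'203.0.113.5': 40}
```

The first 20 requests of the burst pass and the remaining 40 are refused, while the normally paced client is never throttled; in a real application the same `allow` check would run in front of the protected section before any expensive work is done.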
However, before I go deeper into the required explanations, a few things need to be clarified. First, this article is not intended to encourage the use of programs for hacking purposes; it merely demonstrates that some websites may expose vulnerabilities that need to be properly addressed. Second, responsibility for the use of the source code rests entirely with the reader.
Having said that, let's move on to making HTTP requests in the background.