[Owasp-dirbuster] Performance HOWTO

James Fisher dirbuster at sittinglittleduck.com
Thu Oct 30 07:20:19 EDT 2008


Andres,

Quoting Andres Riancho <andres.riancho at gmail.com>:

> James,
>
> On Tue, Oct 28, 2008 at 9:42 AM, James Fisher
> <dirbuster at sittinglittleduck.com> wrote:
>>
>> Oops forgot to reply to the list....
>>
>> Quoting Andres Riancho <andres.riancho at gmail.com>:
>>
>>> James,
>>>
>>>     Hi! How are you? I hope you are well.
>>
>> Good, thanks, been working on my other project FuzzBuster of late,
>> which I hope to give a public release soon :)
>
> Something in the lines of JBroFuzz?

Yes, a bit similar but different in many ways. I will send you a copy
(or anyone else on this list). If you get a chance to give it a try
that would be really cool; it's still a little buggy, which is why I
haven't released it to the world yet.


>
>>>
>>>     During last week I've been trying to enhance the performance of
>>> w3af, and particularly the performance of the HTTP requests. After
>>> some thinking on how to achieve high speeds, I remembered that
>>> DirBuster does an AWESOME job at this, so I wanted to ask you some
>>> questions related to the way you used to measure the performance of
>>> your tool:
>>>
>>> - Have you used any specialized tools? Which?
>>
>> In terms of testing performance, the only specialized tool would be
>> the profiler within NetBeans.  That enables me to see what each thread is
>> up to and fine tune the threading.
>>
>>> - Do you perform only HEAD requests?
>>
>> I try to, but it's not always possible.  The bigger factor is to make
>> sure you are using keep-alives.  If not, then especially on a Windows
>> machine you will run out of local ports to use for connections.
>
> I'm using keep-alive, so I'm on the right path I think.... =)
>
>>> - Do you have the test server (apache?) running on localhost?
>>
>> Pretty much, with a couple of tweaks to make it return 200s for 404s,
>> and other such things.  Plus it gets testing on lots of live servers as
>> part of my work.
>
> ok
>
>>> - When running on local host, in which section are you having the   
>>> bottleneck?
>>
>> Resources on the machine will max out, I think; I haven't performed that
>> test for a while.
>
> hmmm... nice... I haven't really got there. I only have 400 GET
> requests/second with one thread.

400 GETs per second is really good for a single thread.  I have only
ever managed to get 30-40 per second.  To get 6000 per sec I was
running 200+ threads.

>
>>> - When running on a network... is the network link the bottleneck?
>>
>> Depends on the network, it can be; this is where HEAD requests work well.
>
> ok
>
>>> - For your tests, do you fine tune with a single thread, and then
>>> simply run different threads?
>>
>> If it's performance I'm testing then I won't run it on a single
>> thread.  But being able to switch down to a single thread is really
>> useful for debugging.
>
> Yes, threads are evil.

But a necessary evil ;) Did w3af start out single- or multi-threaded?

>
>>
>>> - I've read somewhere that threads are evil, and that you should avoid
>>> them when they compete for a scarce resource like network. What do you
>>> think about this?
>>
>> If you want speed, then you have to use threads, you just have to get
>> the time each thread is designed to sleep for right.  Too much or too
>> little sleep will slow the program down.
>
> Sleep? My threads just run and the thread management is handled by
> python. I don't force any thread to sleep at any time. The "sleep" is
> in socket.recv()


I'm not familiar with Python, but to me that could be an area where the
performance could be improved, in a multi-threaded environment, to
stop one thread using all the resources.

Saying that, without the mega thread profiler in NetBeans I would have
really struggled to work out what my threads were actually doing.  The
first time I profiled it I noticed most of the threads spent more time
sleeping than working!  So I reduced all the sleep time.


>
>> Most of dirbuster is all threads.  The workers, work generators, html
>> parsers, performance monitors and there is also a thread to prevent
>> deadlock.
>
> I HAVE to read that code!

You are a brave man!!

>
>>> - How long do you run each test? 1, 2, 5 minutes?
>>
>> Till the program finishes, but I run it on a server that I know
>> DirBuster will finish in a sensible time, 5 - 10
>
> In my tests I'm sending 3000 to 6000 GET requests to the same URL, and
> I analyze the time with a little python script that reads the apache
> log. I've found that 3000 requests is more than enough to see how fast
> requests are being sent.

I like to run it for the entire duration, to check whether the
performance does tail off, due to memory issues etc.

>
>>> - How confident are you about the results you get from your
>>> tools/testing methodology?
>>
>> In terms of a formal testing methodology, I don't really
>> have one.  But DirBuster has had 3-4 years of field testing on live
>> systems.  So over time I have managed to iron out most of the bugs,
>> and spot areas where I can improve the performance and its reliability.
>
> w3af has 2-3 years, but I haven't really focused on performance
> before... all this time has been: "make things work, fix critical
> bugs, remove false positives". Now that we've finished with that, we can
> focus a little on performance, which is *really* hard!!
>
>>>
>>>     I'm sorry if this seems an interrogatory, but if you are as
>>> passionate as I am about this... I think you'll rather enjoy this
>>> thread =)
>>
>> No problem, if you have more questions please feel free to ask!
>
> Thanks for your answers!
>
>> James
>>
>>>
>>> Cheers,
>>> --
>>> Andres Riancho
>>> http://w3af.sourceforge.net/
>>> Web Application Attack and Audit Framework
>>> _______________________________________________
>>> Owasp-dirbuster mailing list
>>> Owasp-dirbuster at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-dirbuster
>>>
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>
>
>
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
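Andres's measurement method from the thread above (fire a few thousand requests at one URL, then read the Apache access log and work out how fast they arrived) as an added example. This is not w3af's script nor anything from the DirBuster project; it assumes Apache's default combined log format, uses constructed log lines with placeholder paths, and splits the counts by method and status so the HEAD-versus-GET and 200-for-404 effects James mentions are visible. Because Apache's default `%t` timestamp has one-second resolution, the elapsed time is the number of whole seconds spanned, so a burst inside a single second is reported as one second.

```python
"""Request-throughput report from an Apache combined access log.

Added example (assumed layout, not w3af's or DirBuster's code).
Parses each line, optionally filters to one path, and reports overall
and peak requests/second plus method and status breakdowns.
"""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 30/Oct/2008:07:20:19 -0400

# Constructed sample log (placeholder paths and user agents), including one
# malformed line to show that unparseable input is counted, not crashed on.
SAMPLE_LOG = """\
127.0.0.1 - - [30/Oct/2008:07:20:19 -0400] "HEAD /admin/ HTTP/1.1" 404 - "-" "scanner-a"
127.0.0.1 - - [30/Oct/2008:07:20:19 -0400] "HEAD /backup/ HTTP/1.1" 200 0 "-" "scanner-a"
127.0.0.1 - - [30/Oct/2008:07:20:19 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "scanner-b"
127.0.0.1 - - [30/Oct/2008:07:20:20 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "scanner-b"
127.0.0.1 - - [30/Oct/2008:07:20:21 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "scanner-b"
127.0.0.1 - - [30/Oct/2008:07:20:21 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "scanner-b"
this line is not a valid access-log entry
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def throughput(lines, path=None):
    """Summarise request rate for the given log lines (optionally one path only)."""
    per_second = Counter()
    methods = Counter()
    statuses = Counter()
    first = last = None
    total = skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if path is not None and rec["path"] != path:
            continue
        total += 1
        ts = rec["ts"]
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        per_second[ts] += 1           # log timestamps are already whole seconds
        methods[rec["method"]] += 1
        statuses[rec["status"]] += 1
    if total == 0:
        return {"total": 0, "skipped": skipped, "elapsed_seconds": 0.0,
                "requests_per_second": 0.0, "peak_per_second": 0,
                "methods": methods, "statuses": statuses}
    # Inclusive number of whole seconds spanned; never zero, so no division error.
    elapsed = (last - first).total_seconds() + 1.0
    return {
        "total": total,
        "skipped": skipped,
        "elapsed_seconds": elapsed,
        "requests_per_second": total / elapsed,
        "peak_per_second": max(per_second.values()),
        "methods": methods,
        "statuses": statuses,
    }


def report(result):
    """Render the summary as plain text for a terminal."""
    lines = [
        f"requests: {result['total']} (skipped {result['skipped']} unparseable)",
        f"elapsed:  {result['elapsed_seconds']:.0f} s",
        f"rate:     {result['requests_per_second']:.1f} req/s "
        f"(peak {result['peak_per_second']} in one second)",
        "methods:  " + ", ".join(f"{m}={n}" for m, n in sorted(result["methods"].items())),
        "statuses: " + ", ".join(f"{s}={n}" for s, n in sorted(result["statuses"].items())),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(throughput(SAMPLE_LOG.splitlines())))
    print()
    print(report(throughput(SAMPLE_LOG.splitlines(), path="/index.html")))
```

To use it on a real run, replace `SAMPLE_LOG.splitlines()` with the lines of the access log from the test server, and pass `path=` to isolate the one URL the scanner was hammering so unrelated traffic on the same server does not inflate the rate.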