What is a Slow HTTP Attack? Types and Security Best Practices

Denial of Service (DoS) attacks are among the most common attacks on the web. There are many variants. One of them, which is particularly easy to exploit and inexpensive in terms of resources, deserves our attention: Slow HTTP attacks.

In this article, we will explain how a Slow HTTP attack works. We will also look at the main types of attack and the security best practices to prevent them.

What is HTTP Request Smuggling? Exploitations and Security Best Practices

When a client accesses a website, it communicates with the server through the HTTP protocol. Initially text-based, this protocol became binary with HTTP/2, but its operation is still based on TCP.

Each exchange begins with the creation of a connection between the client and the server. With HTTP/1.0, this connection was closed after each request. But with HTTP/1.1, the Keep-Alive mode became the norm, allowing the connection to be kept open for several successive exchanges.

How Do WebSockets Work? Vulnerabilities and Security Best Practices

WebSocket is a real-time bidirectional communication protocol designed for efficient data exchange between a client (web browser, application) and a server.

Unlike traditional HTTP requests, which require a new connection to be opened for each exchange, WebSocket establishes a persistent connection. Once established, it enables both parties to transmit messages continuously, without interruption.

What is Kerberoasting? Attack and Security Tips Explained

Kerberoasting is a common attack in Active Directory environments. It is based on a weakness in the Kerberos protocol, but its exploitation requires specific configurations.

In this article, we will explain how a Kerberoasting attack works. We will also look at how to identify and exploit a vulnerable environment, as well as methods for protecting against it.

How to Detect Secrets? Tools and Techniques

Before discussing techniques and tools, it is essential to define the ‘secrets’ sought during penetration tests.

These secrets are generally private character strings which, if compromised, can be used to access a system, break encryption or forge data useful for authentication. Examples include a username and password pair, API keys, private keys or a session token that is still valid.