Python for web application security professionals

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Python is an open source, interactive, object oriented programming language. It’s very easy to learn and an extremely powerful high level language. It runs on Windows, Linux, UNIX, OS X and is free to use (even for commercial purpose) since it’s based on the open source license. It can be used to write custom tools and scripts for special purpose when performing the security assessment of an application.

Why program when scanners are available?
There are commercial vulnerability scanners available in the market which can be used for vulnerability discovery. However, such vulnerability scanners have their own limitations and even the most advanced scanners sometimes are not able to provide full coverage. This makes the job of a penetration tester a little more difficult. This is where custom scripts/tools come into the picture. They help in filling the gaps created by the scanner since they’re customized to fit the target application.

It should be noted here that custom tools written for specialized purpose using languages like Python should not be a replacement for vulnerability scanners, and ideally should be used in addition to these scanners to get the best results.

The aim of this article is to introduce web application penetration testers with Python and explain how Python can be used for making customized HTTP requests – which in turn can be further expanded for development of custom scripts/tools that can be developed for special conditions where scanners fail. Readers will be introduced on libraries that can help a penetration tester in making custom HTTP requests using Python.

Setting up the environment
This article will not get into the details of setting up the environment – which is straight forward. Installers are available for Python and can be downloaded here.

If you are a Linux or Mac user, chances are high that you don’t have to install Python, since it usually comes pre-installed. To check if Python is installed on your system, launch the command prompt and type “python”, if Python is pre-installed, the interpreter will launch immediately.

Windows users can download the installer from above mentioned URL and install Python. To further make the use of Python easier, Windows users can add Python to the system path by editing the environment variable. Once done, users can just fire up Python from the command prompt – irrespective of the current working directory and still be able to invoke Python interpreter.

Python Modules for crafting HTTP requests
Python has multiple modules that can be used for generating custom HTTP Requests. We’ll cover 2 such modules that can be used for developing customized scripts, and can fire up our payloads along with performing the same actions that a penetration tester performs manually – the only difference being, this is done by a script instead of a manual attempt.

httplib
This module has been renamed to httplib.client in Python 3, however since in this article I am using version 2.7., I am going to stick with httplib. Normally this module is not directly used but instead urllib module uses it internally to make HTTP Requests. However, interested users can always use it directly.

In order for us to send custom requests, we need to do the following steps:

1. Import the library – Before using a library, we need to import it. Since in this case, we are going to use httplib library to send HTTP Requests and receive the responses back, we need to import it.

2. Create a connection – Once imported, we can start using it straight away. We need to create a connection object first. This can be achieved using HTTPConnection() method.

3. Send a HTTP request – So far no HTTP Request is sent on the wire. In order to do so, use the request() method. This is when the HTTP packet that we have created is sent out over the network to the target web server, using the method passed on as an argument (in our case GET).

4. Get a HTTP response – Now that we have sent a request, we can use getresponse() object to get server’s response. This method will return a HTTP response object back, which when read will send output generated by the server.

urllib2
urllib2 is a little different from the httplib library when it comes to creating and sending out HTTP requests. We don’t have to open up a connection and instead after importing, we can make a request directly. This is much simpler when compared to httplib. It is suggested that users make use of urllib2 as it’s recommended even by the Python community.

Readers should go through the Python documentation to understand what functions are supported by the urllib2 module to explore the full potential of this library and utilize it when creating their own tools or scripts.

What follows is a sample SQL injection tool that I’ve created only for demonstration purpose. It hits the login page of the website and injects single payload. The following is a simple script:

1. import urllib
2. import urllib2
3. location = “http://test_target.site/login.aspx”
4. values = {“username”:”‘”,”password”:”password”,”btnSubmit”:”Login”}
5. data = urllib.urlencode(values)
6. req = urllib2.Request(location,data)
7. response = urllib2.urlopen(req)
8. page_data = response.read()
9. print page_data

First we are importing the urllib and urllib2 libraries. We are then associating the target URL to the variable “location” and assigning post data to the variable “values”. Once these steps are completed, we are encoding the URL data and then submitting the request to the server and reading the response received.

The above script is just to show how easily one can create custom tools. The above script is far from perfect and will need much modification before using in practice. It only fires one request, while in real life our tool should fire multiple requests by iterating over a list of payloads. It’s left as an exercise to readers to go through libraries and the functions it supports to understand how they can create their own tools. A real life tool will also have to take care of session management and hence needs to also deal with cookies and other HTTP headers like referrers, content type etc. We’ll also need to iterate over the a list of URLs repeatedly until all our payloads are fired one by one for each and every parameter in order to ensure coverage.

Conclusion

Python is an easy to learn language which can be helpful to penetration testers to create their custom tools which they can use to achieve coverage. Thus plugging in holes which are at times created by vulnerability scanners because they are unable to hit certain pages due to one or the other reason. Users can create reusable code by using Python’s object orientation which can help them create classes that can be inherited and extended. Python can not only be used for quick and dirty scripting to achieve small automation tasks but also be used to create enterprise class vulnerability scanning routines.