Python-based attack tools are the most common vector for launching exploit attempts

Hackers have an obvious predilection for Python-based attack tools, says Imperva.

“When examining the use of Python in attacks against sites we protect, the result was unsurprising – a large chunk, up to 77%, of the sites were attacked by a Python-based tool, and in over a third of the cases a Python-based tool was responsible for the majority of daily attacks. These levels, over time, show that Python-based tools are used for both breadth and depth scanning,” the company’s researchers pointed out.

Python-based attack tools

Python’s popularity is rising

Python is easy to learn, install and deploy, and is slowly but surely becoming one of the most popular programming languages.

It is extensively used in the information security industry and is particularly helpful for exploit development (it’s versatile and requires minimal coding skills), so it shouldn’t come as a surprise that bad actors like it, too.

Also, given that many attack tools started as testing tools and are often freely available from repositories like GitHub, bad actors can easily take advantage of them.

“Roughly estimating, more than 20% of GitHub repositories that implement an attack tool / exploit PoC are written in Python. In virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as w3af , Sqlmap, and even the infamous AutoSploit tool,” the researchers noted.

Urllib and Python Requests are the two most popular Python modules used for web attack.

The applications and frameworks most targeted with Python tools are Joomla, WordPress, Struts and Struts 2.

Python-based attack tools

“The most popular HTTP parameter value we’ve seen used in attacks, responsible for around 30% of all different param values used, belongs to a backdoor upload attempt through a PHP Unserialize vulnerability in Joomla! using the JDatabaseDriverMysqli object. The backdoor uploaded payload is hosted on ICG-AuthExploiterBot,” they shared.