Secure coding

Attacking Web Applications With Python: Recommended Tools

December 22, 2020 by Srinivas

Python is a powerful scripting language and it is used in developing several real world tools that are heavily used by security professionals. This article provides a list of some of the most popular web security tools that are written in Python.

Shodan CLI

Shodan is a search engine that provides intelligence about the assets exposed over the internet. Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence.  Shodan by its definition is a search engine that can be used from a web browser. However, it also comes with a command line client that can be used to achieve the same from the command line. This can be helpful for automation tasks. 

According to the official documentation, “The shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means if you’re running the latest version of the library you already have access to the CLI”. Kali Linux comes preinstalled with Shodan CLI and we can start using it by initializing the CLI tool using an API Key as shown below.

# shodan init [api key]

Successfully initialized

#

 

Once the shodan CLI is initialized, we can use it for various tasks that Shodan CLI is capable of. 

The following command shows the shodan version.

# shodan version

1.23.0

#

 

The following command shows the count of couchdb instances.

# shodan count couchdb

480017

#

 

SQLMAP 

SQLMap is probably the most popular tool written in Python. It is a powerful tool to detect and exploit SQL Injection vulnerabilities in applications. SQLMap can be found in almost every penetration tester’s toolkit and it also comes preinstalled with Kali Linux.  The power of SQLMap comes handy when we need to exploit Blind SQL Injection vulnerabilities which is very hard to do manually. SQLMap can extract database names, tables, columns and the data residing in the table with ease among other things it is capable of doing.

The following command shows how we can use SQLMap to check if a given parameter is vulnerable to SQL Injection.

sqlmap -u http://192.168.0.104/webapps/sqli/sqli.php?id=1 -p id –dbs

 

We specified id as our target parameter to test and we specified –dbs as an argument so SQLMap will extract the full list of database names if the parameter id is exploitable. 

The following SQLMap output shows the list of database names extracted.

[09:45:14] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0

[09:45:14] [INFO] fetching database names

available databases [7]:

[*] information_schema

[*] infosec

[*] mysql

[*] performance_schema

[*] secure_users

[*] sys

[*] users

[09:45:14] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/192.168.0.104’

WAPITI 

Wapiti is a web application vulnerability scanner written in Python. It is a blackbox pentesting tool for web applications and thus it does not require access to source code. Wapiti scans for most of the common web vulnerabilities which include (but not limited to):

  • SQL Injection
  • Cross Site Scripting
  • Command Execution
  • XXE
  • SSRF
  • Open Redirects
  • CRLF Injection
  • Shellshock
  • Web Server misconfigurations

The following command can be used to start an automated scan against a URL.

# wapiti -u <target url> 

 

The following excerpt shows a sample output from wapiti scan.

root@kali:~# wapiti -u http://192.168.0.104/webapps/sqli/sqli.php?id=1

     __      __               .__  __  .__________

    /  \    /  \_____  ______ |__|/  |_|__\_____  \ 

    \   \/\/   /\__  \ \____ \|  \   __\  | _(__  <

     \        /  / __ \|  |_> >  ||  | |  |/       \ 

      \__/\  /  (____  /   __/|__||__| |__/______  /

           \/        \/|__|                      \/

Wapiti-3.0.3 (wapiti.sourceforge.io)

[*] Saving scan state, please wait…

 Note

========

This scan has been saved in the file /root/.wapiti/scans/192.168.0.104_folder_08c0064c.db

[*] Wapiti found 1 URLs and forms during the scan

[*] Loading modules:

         mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto, mod_delay, mod_buster, mod_shellshock, mod_methods, mod_ssrf, mod_redirect, mod_xxe

[*] Launching module exec

[*] Launching module file

[*] Launching module sql

MySQL Injection in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id

Evil request:

    GET /webapps/sqli/sqli.php?id=%C2%BF%27%22%28 HTTP/1.1

    Host: 192.168.0.104

[*] Launching module xss

XSS vulnerability in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id

Evil request:

    GET /webapps/sqli/sqli.php?id=%3CScRiPt%3Ealert%28%27wg2d8d1tvp%27%29%3C%2FsCrIpT%3E HTTP/1.1

    Host: 192.168.0.104

[*] Launching module ssrf

[*] Asking endpoint URL https://wapiti3.ovh/get_ssrf.php?id=sqay00 for results, please wait…

[*] Launching module redirect

[*] Launching module xxe

[*] Asking endpoint URL https://wapiti3.ovh/get_xxe.php?id=5jdw8g for results, please wait…

[*] Launching module blindsql

Blind SQL vulnerability in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id

Evil request:

    GET /webapps/sqli/sqli.php?id=sleep%287%29%231 HTTP/1.1

    Host: 192.168.0.104

[*] Launching module permanentxss

Report

——

A report has been generated in the file /root/.wapiti/generated_report

Open /root/.wapiti/generated_report/192.168.0.104_12232020_1446.html with a browser to see this report.

root@kali:~# 

 

As we can notice from the preceding excerpt, there are several modules loaded one after the other to identify vulnerabilities in the target web application. From the output, we can see that there are 3 vulnerabilities identified as highlighted.

The following figure shows the HTML report generated by Wapiti.

Wafw00f 

Wafwoof is a tool written in Python to detect the presence of Web Application Firewalls in a web application. It can detect a long list of popular WAFs.

The following command shows the list of WAFs that can be detected by Wafw00f.

# wafw00f -l

  WAF Name                        Manufacturer

  ——–                        ————

  ACE XML Gateway                  Cisco                            

  aeSecure                         aeSecure                         

  AireeCDN                         Airee                            

  Airlock                          Phion/Ergon                      

  Alert Logic                      Alert Logic                      

  AliYunDun                        Alibaba Cloud Computing          

  Anquanbao                        Anquanbao                        

  AnYu                             AnYu Technologies                

  Approach                         Approach                         

  AppWall                          Radware                          

  Armor Defense                    Armor                            

  ArvanCloud                       ArvanCloud                       

  ASP.NET Generic                  Microsoft                        

  ASPA Firewall                    ASPA Engineering Co.             

  Astra                            Czar Securities                  

  AWS Elastic Load Balancer        Amazon                           

  AzionCDN                         AzionCDN                         

  Azure Front Door                 Microsoft                        

  Barikode                         Ethic Ninja                      

  Barracuda                        Barracuda Networks               

  Bekchy                           Faydata Technologies Inc.        

  Beluga CDN                       Beluga                           

  BIG-IP Local Traffic Manager     F5 Networks     

  [REDACTED FOR BREVITY]   

 

Running wafw00f with a target URL will automatically detect the presence of a WAF. The following example shows that there is no WAF present in the target web application.

# wafw00f http://192.168.0.104/webapps/sqli/sqli.php?id=1

   

[*] Checking http://192.168.0.104/webapps/sqli/sqli.php?id=1

[+] Generic Detection results:

[-] No WAF detected by the generic detection

[~] Number of requests: 7

 

Mitmproxy 

Mitmproxy is another tool written in Python and it can be used for Intercepting and manipulating HTTP requests. Mitmproxy is a free and open source interactive HTTPS proxy that comes preinstalled in Kali Linux. We can use the following command to launch mitmproxy in Kali Linux.

$ mitmproxy

 

By Default, mitmproxy listens on port 8080. We can configure our browser to proxy all the traffic through mitmproxy as shown below.

After configuring the proxy, we can access any web application using the same browser as shown below. 

Once the application is loaded, we should be able to see HTTP requests and responses in the mitmproxy command line console as follows.

Request:

Response:

The request and response shown in the preceding figures contain the default headers both in the request and response.

Sslyze

Sslyze is another popular tool written in Python.  According to the official GitHub page, “SSLyze is a fast and powerful SSL/TLS scanning library, which allows us to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.). SSLyze can either be used as a command line tool or as a Python library.

The following command shows how a simple scan can be initialized using sslyze. 

sslyze –regular 192.168.0.106:443

 

The following output from sslyze shows that the target server is vulnerable to Heartbleed, which is a serious vulnerability in OpenSSL library.

 

Conclusion

In this article, we discussed how Python is heavily used in developing security tools for web application security assessments. Interestingly SQLMap, one of the most used tools is built using python among other tools. This demonstrates the power of Python and why security professionals can rely on Python for custom tooling for security related tasks.

 

Sources

  1. SQLMap: https://github.com/sqlmapproject/sqlmap
  2. Shodan: https://github.com/achillean/shodan-python
  3. Wapiti: https://github.com/wapiti-scanner/wapiti
  4. Wafw00f: https://github.com/EnableSecurity/wafw00f
  5. Mitmproxy: https://github.com/mitmproxy/mitmproxy
  6. Sslyze: https://github.com/nabla-c0d3/sslyze
Posted: December 22, 2020
Articles Author
Srinivas
View Profile

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com

Leave a Reply

Your email address will not be published. Required fields are marked *