Secure coding

Attacking Web Applications With Python: Recommended Tools

Python is a powerful scripting language and it is used in developing several real world tools that are heavily used by security professionals. This article provides a list of some of the most popular web security tools that are written in Python.

Shodan CLI

Shodan is a search engine that provides intelligence about the assets exposed over the internet. Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence. Shodan by its definition is a search engine that can be used from a web browser. However, it also comes with a command line client that can be used to achieve the same from the command line. This can be helpful for automation tasks.

According to the official documentation, "The shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means if you're running the latest version of the library you already have access to the CLI". Kali Linux comes preinstalled with Shodan CLI and we can start using it by initializing the CLI tool using an API Key as shown below.

Learn Python for Pentesting

Build your Python pentesting skills with four hands-on courses courses covering Python basics, exploiting vulnerabilities, and performing network and web app penetration tests.

Start Learning

# shodan init [api key]

Successfully initialized

Once the shodan CLI is initialized, we can use it for various tasks that Shodan CLI is capable of.

The following command shows the shodan version.

# shodan version

1.23.0

The following command shows the count of couchdb instances.

# shodan count couchdb

480017

SQLMAP

SQLMap is probably the most popular tool written in Python. It is a powerful tool to detect and exploit SQL Injection vulnerabilities in applications. SQLMap can be found in almost every penetration tester’s toolkit and it also comes preinstalled with Kali Linux. The power of SQLMap comes handy when we need to exploit Blind SQL Injection vulnerabilities which is very hard to do manually. SQLMap can extract database names, tables, columns and the data residing in the table with ease among other things it is capable of doing.

The following command shows how we can use SQLMap to check if a given parameter is vulnerable to SQL Injection.

sqlmap -u http://192.168.0.104/webapps/sqli/sqli.php?id=1 -p id --dbs

We specified id as our target parameter to test and we specified --dbs as an argument so SQLMap will extract the full list of database names if the parameter id is exploitable.

The following SQLMap output shows the list of database names extracted.

---

[09:45:14] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL >= 5.0

[09:45:14] [INFO] fetching database names

available databases [7]:

[*] information_schema

[*] infosec

[*] mysql

[*] performance_schema

[*] secure_users

[*] sys

[*] users

[09:45:14] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.0.104'

WAPITI

Wapiti is a web application vulnerability scanner written in Python. It is a blackbox pentesting tool for web applications and thus it does not require access to source code. Wapiti scans for most of the common web vulnerabilities which include (but not limited to):

SQL Injection
Cross Site Scripting
Command Execution
XXE
SSRF
Open Redirects
CRLF Injection
Shellshock
Web Server misconfigurations

The following command can be used to start an automated scan against a URL.

# wapiti -u <target url>

The following excerpt shows a sample output from wapiti scan.

root@kali:~# wapiti -u http://192.168.0.104/webapps/sqli/sqli.php?id=1

__ __ .__ __ .__________

/ \ / \_____ ______ |__|/ |_|__\_____ \

\ \/\/ /\__ \ \____ \| \ __\ | _(__ <

\ / / __ \| |_> > || | | |/ \

\__/\ / (____ / __/|__||__| |__/______ /

\/ \/|__| \/

Wapiti-3.0.3 (wapiti.sourceforge.io)

[*] Saving scan state, please wait...

Note

========

This scan has been saved in the file /root/.wapiti/scans/192.168.0.104_folder_08c0064c.db

[*] Wapiti found 1 URLs and forms during the scan

[*] Loading modules:

mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto, mod_delay, mod_buster, mod_shellshock, mod_methods, mod_ssrf, mod_redirect, mod_xxe

[*] Launching module exec

[*] Launching module file

[*] Launching module sql

---

MySQL Injection in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id

Evil request:

GET /webapps/sqli/sqli.php?id=%C2%BF%27%22%28 HTTP/1.1

Host: 192.168.0.104

---

[*] Launching module xss

---

XSS vulnerability in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id

Evil request:

GET /webapps/sqli/sqli.php?id=%3CScRiPt%3Ealert%28%27wg2d8d1tvp%27%29%3C%2FsCrIpT%3E HTTP/1.1

Host: 192.168.0.104

---

[*] Launching module ssrf

[*] Asking endpoint URL https://wapiti3.ovh/get_ssrf.php?id=sqay00 for results, please wait...

[*] Launching module redirect

[*] Launching module xxe

[*] Asking endpoint URL https://wapiti3.ovh/get_xxe.php?id=5jdw8g for results, please wait...

[*] Launching module blindsql

---

Blind SQL vulnerability in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id

Evil request:

GET /webapps/sqli/sqli.php?id=sleep%287%29%231 HTTP/1.1

Host: 192.168.0.104

---

[*] Launching module permanentxss

Report

------

A report has been generated in the file /root/.wapiti/generated_report

Open /root/.wapiti/generated_report/192.168.0.104_12232020_1446.html with a browser to see this report.

root@kali:~#

As we can notice from the preceding excerpt, there are several modules loaded one after the other to identify vulnerabilities in the target web application. From the output, we can see that there are 3 vulnerabilities identified as highlighted.

The following figure shows the HTML report generated by Wapiti.

Wafw00f

Wafwoof is a tool written in Python to detect the presence of Web Application Firewalls in a web application. It can detect a long list of popular WAFs.

The following command shows the list of WAFs that can be detected by Wafw00f.

# wafw00f -l

WAF Name Manufacturer

-------- ------------

ACE XML Gateway Cisco

aeSecure aeSecure

AireeCDN Airee

Airlock Phion/Ergon

Alert Logic Alert Logic

AliYunDun Alibaba Cloud Computing

Anquanbao Anquanbao

AnYu AnYu Technologies

Approach Approach

AppWall Radware

Armor Defense Armor

ArvanCloud ArvanCloud

ASP.NET Generic Microsoft

ASPA Firewall ASPA Engineering Co.

Astra Czar Securities

AWS Elastic Load Balancer Amazon

AzionCDN AzionCDN

Azure Front Door Microsoft

Barikode Ethic Ninja

Barracuda Barracuda Networks

Bekchy Faydata Technologies Inc.

Beluga CDN Beluga

BIG-IP Local Traffic Manager F5 Networks

[REDACTED FOR BREVITY]

Running wafw00f with a target URL will automatically detect the presence of a WAF. The following example shows that there is no WAF present in the target web application.

# wafw00f http://192.168.0.104/webapps/sqli/sqli.php?id=1

[*] Checking http://192.168.0.104/webapps/sqli/sqli.php?id=1

[+] Generic Detection results:

[-] No WAF detected by the generic detection

[~] Number of requests: 7

Mitmproxy

Mitmproxy is another tool written in Python and it can be used for Intercepting and manipulating HTTP requests. Mitmproxy is a free and open source interactive HTTPS proxy that comes preinstalled in Kali Linux. We can use the following command to launch mitmproxy in Kali Linux.

$ mitmproxy

By Default, mitmproxy listens on port 8080. We can configure our browser to proxy all the traffic through mitmproxy as shown below.

After configuring the proxy, we can access any web application using the same browser as shown below.

Once the application is loaded, we should be able to see HTTP requests and responses in the mitmproxy command line console as follows.

Request:

Response:

The request and response shown in the preceding figures contain the default headers both in the request and response.

Sslyze

Sslyze is another popular tool written in Python. According to the official GitHub page, “SSLyze is a fast and powerful SSL/TLS scanning library, which allows us to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.). SSLyze can either be used as a command line tool or as a Python library.”

The following command shows how a simple scan can be initialized using sslyze.

sslyze --regular 192.168.0.106:443

The following output from sslyze shows that the target server is vulnerable to Heartbleed, which is a serious vulnerability in OpenSSL library.

Learn Python for Pentesting

Build your Python pentesting skills with four hands-on courses courses covering Python basics, exploiting vulnerabilities, and performing network and web app penetration tests.

Start Learning

Conclusion

In this article, we discussed how Python is heavily used in developing security tools for web application security assessments. Interestingly SQLMap, one of the most used tools is built using python among other tools. This demonstrates the power of Python and why security professionals can rely on Python for custom tooling for security related tasks.

Sources

SQLMap: https://github.com/sqlmapproject/sqlmap
Shodan: https://github.com/achillean/shodan-python
Wapiti: https://github.com/wapiti-scanner/wapiti
Wafw00f: https://github.com/EnableSecurity/wafw00f
Mitmproxy: https://github.com/mitmproxy/mitmproxy
Sslyze: https://github.com/nabla-c0d3/sslyze

Posted: December 22, 2020

Srinivas

View Profile

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com

Attacking Web Applications With Python: Recommended Tools

Shodan CLI

SQLMAP

WAPITI

Wafw00f

Mitmproxy

Sslyze

Conclusion

Sources

Learn Python for Pentesting

Get certified and advance your career