Attacking Web Applications With Python: Recommended Tools
Python is a powerful scripting language and it is used in developing several real world tools that are heavily used by security professionals. This article provides a list of some of the most popular web security tools that are written in Python.
Shodan is a search engine that provides intelligence about the assets exposed over the internet. Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence. Shodan by its definition is a search engine that can be used from a web browser. However, it also comes with a command line client that can be used to achieve the same from the command line. This can be helpful for automation tasks.
According to the official documentation, “The shodan command-line interface (CLI) is packaged with the official Python library for Shodan, which means if you’re running the latest version of the library you already have access to the CLI”. Kali Linux comes preinstalled with Shodan CLI and we can start using it by initializing the CLI tool using an API Key as shown below.
|# shodan init [api key]
Once the shodan CLI is initialized, we can use it for various tasks that Shodan CLI is capable of.
The following command shows the shodan version.
|# shodan version
The following command shows the count of couchdb instances.
|# shodan count couchdb
SQLMap is probably the most popular tool written in Python. It is a powerful tool to detect and exploit SQL Injection vulnerabilities in applications. SQLMap can be found in almost every penetration tester’s toolkit and it also comes preinstalled with Kali Linux. The power of SQLMap comes handy when we need to exploit Blind SQL Injection vulnerabilities which is very hard to do manually. SQLMap can extract database names, tables, columns and the data residing in the table with ease among other things it is capable of doing.
The following command shows how we can use SQLMap to check if a given parameter is vulnerable to SQL Injection.
|sqlmap -u http://192.168.0.104/webapps/sqli/sqli.php?id=1 -p id –dbs|
We specified id as our target parameter to test and we specified –dbs as an argument so SQLMap will extract the full list of database names if the parameter id is exploitable.
The following SQLMap output shows the list of database names extracted.
[09:45:14] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:45:14] [INFO] fetching database names
available databases :
[09:45:14] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/192.168.0.104’
Wapiti is a web application vulnerability scanner written in Python. It is a blackbox pentesting tool for web applications and thus it does not require access to source code. Wapiti scans for most of the common web vulnerabilities which include (but not limited to):
- SQL Injection
- Cross Site Scripting
- Command Execution
- Open Redirects
- CRLF Injection
- Web Server misconfigurations
The following command can be used to start an automated scan against a URL.
|# wapiti -u <target url>|
The following excerpt shows a sample output from wapiti scan.
|root@kali:~# wapiti -u http://192.168.0.104/webapps/sqli/sqli.php?id=1
__ __ .__ __ .__________
/ \ / \_____ ______ |__|/ |_|__\_____ \
\ \/\/ /\__ \ \____ \| \ __\ | _(__ <
\ / / __ \| |_> > || | | |/ \
\__/\ / (____ / __/|__||__| |__/______ /
\/ \/|__| \/
[*] Saving scan state, please wait…
This scan has been saved in the file /root/.wapiti/scans/192.168.0.104_folder_08c0064c.db
[*] Wapiti found 1 URLs and forms during the scan
[*] Loading modules:
mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto, mod_delay, mod_buster, mod_shellshock, mod_methods, mod_ssrf, mod_redirect, mod_xxe
[*] Launching module exec
[*] Launching module file
[*] Launching module sql
MySQL Injection in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id
GET /webapps/sqli/sqli.php?id=%C2%BF%27%22%28 HTTP/1.1
[*] Launching module xss
XSS vulnerability in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id
GET /webapps/sqli/sqli.php?id=%3CScRiPt%3Ealert%28%27wg2d8d1tvp%27%29%3C%2FsCrIpT%3E HTTP/1.1
[*] Launching module ssrf
[*] Asking endpoint URL https://wapiti3.ovh/get_ssrf.php?id=sqay00 for results, please wait…
[*] Launching module redirect
[*] Launching module xxe
[*] Asking endpoint URL https://wapiti3.ovh/get_xxe.php?id=5jdw8g for results, please wait…
[*] Launching module blindsql
Blind SQL vulnerability in http://192.168.0.104/webapps/sqli/sqli.php via injection in the parameter id
GET /webapps/sqli/sqli.php?id=sleep%287%29%231 HTTP/1.1
[*] Launching module permanentxss
A report has been generated in the file /root/.wapiti/generated_report
Open /root/.wapiti/generated_report/192.168.0.104_12232020_1446.html with a browser to see this report.
As we can notice from the preceding excerpt, there are several modules loaded one after the other to identify vulnerabilities in the target web application. From the output, we can see that there are 3 vulnerabilities identified as highlighted.
The following figure shows the HTML report generated by Wapiti.
Wafwoof is a tool written in Python to detect the presence of Web Application Firewalls in a web application. It can detect a long list of popular WAFs.
The following command shows the list of WAFs that can be detected by Wafw00f.
|# wafw00f -l
WAF Name Manufacturer
ACE XML Gateway Cisco
Alert Logic Alert Logic
AliYunDun Alibaba Cloud Computing
AnYu AnYu Technologies
Armor Defense Armor
ASP.NET Generic Microsoft
ASPA Firewall ASPA Engineering Co.
Astra Czar Securities
AWS Elastic Load Balancer Amazon
Azure Front Door Microsoft
Barikode Ethic Ninja
Barracuda Barracuda Networks
Bekchy Faydata Technologies Inc.
Beluga CDN Beluga
BIG-IP Local Traffic Manager F5 Networks
[REDACTED FOR BREVITY]
Running wafw00f with a target URL will automatically detect the presence of a WAF. The following example shows that there is no WAF present in the target web application.
|# wafw00f http://192.168.0.104/webapps/sqli/sqli.php?id=1
[*] Checking http://192.168.0.104/webapps/sqli/sqli.php?id=1
[+] Generic Detection results:
[-] No WAF detected by the generic detection
[~] Number of requests: 7
Mitmproxy is another tool written in Python and it can be used for Intercepting and manipulating HTTP requests. Mitmproxy is a free and open source interactive HTTPS proxy that comes preinstalled in Kali Linux. We can use the following command to launch mitmproxy in Kali Linux.
By Default, mitmproxy listens on port 8080. We can configure our browser to proxy all the traffic through mitmproxy as shown below.
After configuring the proxy, we can access any web application using the same browser as shown below.
Once the application is loaded, we should be able to see HTTP requests and responses in the mitmproxy command line console as follows.
The request and response shown in the preceding figures contain the default headers both in the request and response.
Sslyze is another popular tool written in Python. According to the official GitHub page, “SSLyze is a fast and powerful SSL/TLS scanning library, which allows us to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.). SSLyze can either be used as a command line tool or as a Python library.”
The following command shows how a simple scan can be initialized using sslyze.
|sslyze –regular 192.168.0.106:443|
The following output from sslyze shows that the target server is vulnerable to Heartbleed, which is a serious vulnerability in OpenSSL library.
In this article, we discussed how Python is heavily used in developing security tools for web application security assessments. Interestingly SQLMap, one of the most used tools is built using python among other tools. This demonstrates the power of Python and why security professionals can rely on Python for custom tooling for security related tasks.