
How to: Python Web Application Security For Professionals


Python is an interactive, open-source, object-oriented language. It is a robust high-level language that is easy to learn.

Python runs on Windows, Linux, UNIX and Mac, and it is free to use. It is commonly used to write custom tools and scripts for specific tasks, which is something that is often needed when performing a security assessment of an application.

Do programs count when scanners are available?

Yes, there are many commercial vulnerability scanners on the market that a security professional can use for vulnerability discovery. The weakness of such scanners is their limited coverage: most of them cannot cover the whole application when that is required.

These limitations make the job of a penetration tester (pentester) harder, because these products miss things in one way or another, most notably when the application is complex. This is why a security professional needs custom scripts: they fill the gap left by scanners, since they are written for the target application rather than for general purposes.

When the target application is complex, scanners tend to perform poorly and leave many pages of the application uncovered. The resulting false negatives are costly for the security professionals, or for management at large, whose process relies on scanners to automate the vulnerability assessment.

For the record, custom tools written in a language like Python should not replace vulnerability scanners; they should be used as a complement to these scanners so that a security professional gets the best results.

This article aims to introduce Python for web security to professionals and to explain how Python is used to make customised HTTP requests, which can then be expanded into custom scripts or tools for the special situations where scanners fail. Libraries that help a security professional make custom HTTP requests with Python are introduced in the following paragraphs.

If you want to learn the basics of developing your own custom tools or scripts as a security professional, this article will get you there. It focuses only on the aspects that are relevant to the assessment of web-based applications.

Python as a development tool also aids malware analysis, forensics and network security assessments. Here, Python modules will be used to make custom HTTP requests. Readers who are new to Python are strongly advised to learn the basics of Python programming before going into the details of this article.

Setting up the Environment

Installers are available for all common systems, so we won't go into much detail on setting up the environment. Python can be downloaded from this link.

Linux or Macintosh users are likely to have it installed already, so there is no need to install Python again. To check whether it comes with your system, open a terminal and type 'python'; if it is pre-installed, an interpreter is launched. See the following screenshot for an example.

In this example a Linux system is used; there is not much difference for a Macintosh installation either.

Windows users can download the installer from the link above and install it. After a successful installation, launch Python from the Windows command prompt; irrespective of the current directory, it will start the interpreter.

Python Modules Used in Crafting HTTP Requests

httplib

The httplib module is one of many Python modules used for crafting HTTP requests. In this section, Python 2.7.* was used; for those with Python 3.+ on their system, the module is named http.client.

To make a custom request, follow the steps below:

1. Import the library

       Python libraries must be imported before they can be used. Here, the httplib library is imported so it can be used to send HTTP requests and receive responses.


Code:

# import
import httplib

2. Create a Connection

       After importing, create a connection object with the HTTPConnection() method.


Code:

# create a connection
connection = httplib.HTTPConnection('www.google.com')

3. Send HTTP Request

        The request is then sent on the wire with the request() method: the HTTP request built in the previous line of code is sent over the network to the target web server.


Code:

# Send http request
connection.request('GET','/')

4. Get HTTP Response

         After the request has been sent, the getresponse() method is used to get the server's response. It returns an HTTPResponse object, and the body generated by the server is read with the read() method.


Code:

# Get Response
get_response = connection.getresponse()
response_data = get_response.read()
print(response_data)

Urllib3

urllib3 is a little different from httplib when it comes to crafting an HTTP request. We don't need to open a connection; instead, after importing, a pool manager instance is created, and the request is made through it, as shown in the following section.

1. Import the library

       A third-party library like urllib3 must first be installed and then imported before moving forward. Here, the urllib3 library will be used to send HTTP requests and receive responses.


Code:

# import libraries
import urllib3

 

2. Create a pool manager instance

       After importing, create a pool manager instance with the PoolManager() method.


Code:

# create a poolmanager instance to make a request
http = urllib3.PoolManager()

 

3. Make an  HTTP Request

        The request is then sent on the wire with the request() method of the pool manager: the HTTP request is sent over the network to the target web server, and the response is returned.


Code:

# Make an HTTP request; the pool manager returns the response object
response = http.request('GET', 'http://www.httpbin.org/robots.txt')
print(response.data)

Requests

The Requests library is used to access HTML pages; a GET request asks the web server for the content of a given web page. How the Requests library is used is detailed in the next few lines.

1. Import the library

       Python libraries must be imported before they can be used. Here, the requests library will be used to send HTTP requests and receive responses.

 

Code:

# import requests
import requests

2. Create a GET request

       After importing, create a GET request with requests.get(url).

 

Code:

# create a GET request; the returned object holds the response
page = requests.get("http://dataquestio.github.io/web-scraping-pages/simple.html")

 

3. Read the HTTP Response

        The request is sent over the network by requests.get(), which returns a Response object; the status code of the HTTP response is read from that object.

 

Code:


# Read the HTTP response status code
print(page.status_code)

 

Conclusion

Python is a very good language, very helpful to any security professional, and highly recommended for creating custom tools in order to obtain a good assessment.

Web application security scanners often leave holes because they are unable to reach a certain page for hidden reasons. A security professional can create reusable code using Python's object orientation, which lets them create classes that can be extended and inherited.
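The following is an added example, not code from the original post, that puts the four httplib steps above (connect, request, getresponse, read) and this paragraph's point about reusable, extensible classes together in one small script. It uses the standard-library http.client module (the Python 3 name for httplib) and starts a throw-away local server with constructed pages so that it runs offline; the page list, the hidden path and the two headers the check looks for are assumptions chosen for illustration, not values from the post.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample site (not a real target): a page with security headers,
# a legacy page without them, and a page a crawler-based scanner might miss.
PAGES = {
    "/": (200, {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"},
          b"<html>home</html>"),
    "/legacy": (200, {}, b"<html>old admin UI</html>"),
    "/hidden/report": (200, {"X-Frame-Options": "DENY"}, b"report"),
}


class FakeHandler(BaseHTTPRequestHandler):
    """Serves PAGES so the example runs without network access."""

    def do_GET(self):
        status, headers, body = PAGES.get(self.path, (404, {}, b"not found"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the console quiet


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path):
    """The four steps from the post: connect, request, getresponse, read."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


class Check:
    """Base class; subclasses decide what counts as a finding."""
    name = "base"

    def inspect(self, path, status, headers, body):
        raise NotImplementedError


class ReachableCheck(Check):
    """Records every path that actually served a page."""
    name = "reachable"

    def inspect(self, path, status, headers, body):
        return [f"{path}: {status}"] if status == 200 else []


class MissingHeaderCheck(Check):
    """Flags served pages lacking the headers in REQUIRED (an assumed list)."""
    name = "missing-security-headers"
    REQUIRED = ("X-Content-Type-Options", "X-Frame-Options")

    def inspect(self, path, status, headers, body):
        if status != 200:
            return []
        present = {k.lower() for k in headers}
        return [f"{path}: missing {h}" for h in self.REQUIRED
                if h.lower() not in present]


def audit(host, port, paths, checks):
    """Fetch each path once and run every check over the response."""
    findings = {check.name: [] for check in checks}
    for path in paths:
        status, headers, body = fetch(host, port, path)
        for check in checks:
            findings[check.name].extend(check.inspect(path, status, headers, body))
    return findings


def run_demo():
    srv = start_server()
    try:
        host, port = srv.server_address
        return audit(host, port, ["/", "/legacy", "/hidden/report", "/nope"],
                     [ReachableCheck(), MissingHeaderCheck()])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, items in run_demo().items():
        print(name, items)
```

Adding a new kind of check means subclassing Check and implementing inspect(); audit() does not change, which is the reuse the paragraph above describes. For a real assessment the paths would come from the scanner's coverage report or the application's own sitemap rather than the constructed PAGES table.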

I encourage you to read more on how to become a better security professional when it comes to writing custom scripts.

Thank you.

 

 
