Download Constricting the Web: Offensive Python for Web Hackers

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
Document related concepts
no text concepts found
Transcript 
Marcin Wielgoszewski Security Engineer Nathan Hamiel Principal Consultant Associate Professor at UAT •  Reliance on tools can = Fail! –  Many more people tes4ng web apps –  Vendors play catch-­‐up –  Success is on your shoulders •  Difficult cases –  APIs and specialized data formats –  Sequenced opera4ons –  Randomized data •  Language specific –  Object-­‐oriented –  Byte compiled –  Fast •  Wide support –  Many security tools wriLen in Python –  Plenty of help available –  Plenty of resources for learning available Scapy w3af sqlmap Peach sulley Pyscan SpikeProxy Canvas DeBlaze Pcapy MyNav MonkeyFist wapi4 ProxyStrike Idapython •  CPython –  hLp://python.org •  Jython –  hLp://jython.org •  IronPython –  hLp://ironpython.net •  Start with hLp://python.org –  hLp://docs.python.org/ –  hLp://docs.python.org/tutorial/index.html •  Google’s Python Class –  hLp://code.google.com/edu/languages/google-­‐
python-­‐class/ •  There are differences between Python 2.x and 3.x •  Walk like a duck and quack like a duck Standard Lib • 
• 
• 
• 
• 
• 
• 
• 
hLplib urllib / urllib2 urlparse HTMLParser struct xml json (Python 2.6) difflib 3rd Party • 
• 
• 
• 
• 
• 
hLplib2 lxml zsi / suds PyAMF pydermonkey Twisted •  hLplib –  Standard HTTP Module –  Good for GETs and POSTs –  HTTP / HTTPS support •  hLplib2 –  Expanded HTTP method support –  Supports various auth methods –  Automa4cally follows 3xx redirects •  urllib –  High level module for opening resources –  Has URL encoding capabili4es •  urllib2 –  Expanded support for handlers •  Merged in Python 3 along with urlparse •  Examples •  Perform transi4on magic –  URL encoding and Escaping –  String methods (base64 / hex / rot13, etc) –  Data representa4ons (decimals / en44es / etc) •  DharmaEncoder –  Provides methods to encode and wrap values –  hLp://hexsec.com/labs •  Do the legwork –  Know your app –  Know your parameters –  Know your data •  Work smarter –  Create accurate ranges –  itertools methods –  Don’t empty the clip •  Web fuzzing lib for Python –  hLp://code.google.com/p/pywebfuzz/ –  Usable in Python 2.x –  Easy to distributable and repeat tests •  Convenience –  Fuzzdb values accessible through classes –  Request Logic –  Range genera4on and encoding /decoding •  Basic request fuzzing •  Finding an error condi4on •  First things first –  Determine content type, use appropriate parser –  Don’t use HTMLParser if html: use lxml.html elif xhtml: use lxml.etree elif xml: use lxml.etree elif json: use json •  State Issues –  Account login / logout –  Randomized values –  Maintaining proper state while tes4ng •  Request –  Process headers (referer and cookies) –  Unable to parse content properly –  Resort to regular expressions •  Selenium –  hLp://seleniumhq.org/ •  Windmill –  hLp://www.getwindmill.com/ •  Firefox / XULRunner –  pyxpcomext •  hLp://pyxpcomext.mozdev.org/no_wrap/tutorials/pyxulrunner/
python_xulrunner_about.html •  Webkit –  PyGtk / PyWebKitGtk •  hLp://code.google.com/p/pywebkitgtk/ –  PyQT •  hLp://wiki.python.org/moin/PyQt4 –  PySide (Official Support from Nokia) •  hLp://www.pyside.org/ •  Render returned requests from other libs in just a couple of lines of code from PyQt4.QtGui import *
from PyQt4.QtWebKit import *
import httplib2
http = httplib2.Http()
headers, content = http.request("http://python.org", "GET")
app = QApplication(sys.argv)
web = QWebView()web.setHtml(content)
web.show()
sys.exit(app.exec_())
•  Tradi4onal –  ZSI –  Suds •  RESTful –  Both High and Low Rest –  hLplib –  hLplib2 •  Example •  Iden4fy issues passively –  Cookie issues –  Cache-­‐control –  Encoding issues •  Augment other tools –  Perform inspec4on on captured data –  Use your favorite inspec4on proxy –  No need to send data to endpoint • 
• 
• 
• 
PyAMF is most popular Ac4on Message Format encoder/decoder Create remo4ng clients, gateways Bind client-­‐side classes to server-­‐side POJOs •  Start with a simple Python design paLern class Factory(object): def __init__(self, *args, **kwargs): self.__dict__.update(kwargs) pyamf.register_class(Factory, "namespace.of.object.Class") •  You’re presented with an app that communicates via a custom binary protocol •  Oh what to do without my scanner… •  Convert between Python values and C structs U8
U16
UTF-8
DOUBLE
=
=
=
=
;
unsigned 8-byte integer
unsigned 16-byte integer
U16 * (UTF8-char) ; as defined in RFC3629
8-byte IEEE-754 double precision
floating point in network byte order msg
message-count
parameters
number-marker
boolean-marker
string-marker
number-type
boolean-type
string-type
=
=
=
=
=
=
=
=
=
message-count parameters U16
number-type | boolean-type | string-type
0x00
0x01
0x02
number-marker DOUBLE
boolean-marker U8
string-marker UTF-8
•  Write the appropriate type-­‐marker to buffer •  Followed by the value as a Double buf.write("\x00") buf.write(struct.pack("!d", val) •  Reading is just the opposite •  Struct unpacks into a Tuple while pos < len(buf): ..snip.. if buf[pos] == "\0x00": pos += 1 val = struct.unpack("!d", buf[pos:pos+8])[0] pos += 8 •  Wri4ng a Boolean def write_bool(buf, val): buf.write("\x01") buf.write(struct.pack("?", val)) •  Parsing a Boolean while pos < len(buf) + 1: ..snip.. if buf[pos] == "\0x01": pos += 1 val = struct.unpack("?", buf[pos])[0] pos += 1 •  Wri4ng a String def write_string(buf, val): u = val.encode("utf-­‐8") strlen = len(u) buf.write("\x02") buf.write("H%ds" % strlen, strlen, u) •  Parsing a String while pos < len(buf) + 1: ..snip.. if buf[pos] == "\0x02": pos += 1 s_len = struct.unpack("H", buf[pos:pos+2])[0] pos += 2 val = struct.unpack("%ds" % strlen, buf[pos:pos+s_len])[0] pos += s_len •  You may have no4ced that we wrote a simple state-­‐machine •  A while loop that iterates over a buffer, keeping track of the state it’s in •  Here’s a cookie: <cookie pic here> def decode(buf): state = "START" while pos < len(buf): if state == "START": # get message count elif state == "MARKER": # parse marker elif state == "NUMBER": # parse number elif state == "BOOL": # parse boolean elif state == "STRING": # parse string
Related documents
Marketing Makes a Difference
Marketing Makes a Difference
may11
may11
Review guide - Mrs Hasseld
Review guide - Mrs Hasseld
Theme: Programming in Python Developed by: Matt Coles and Cole
Theme: Programming in Python Developed by: Matt Coles and Cole
Slides
Slides
Matching DNA Sequences
Matching DNA Sequences
Job Title: In Store Marketing Coordinator Job Purpose: To deliver
Job Title: In Store Marketing Coordinator Job Purpose: To deliver
Version 2 (140509) - ATS
Version 2 (140509) - ATS
Job Title: In Store Marketing Specialist Job Purpose: To deliver
Job Title: In Store Marketing Specialist Job Purpose: To deliver
View/Open
View/Open