Table of Contents for
Python Web Penetration Testing Cookbook
Python Web Penetration Testing Cookbook
Published by
Packt Publishing, 2015
- Cover
- Table of Contents
- Python Web Penetration Testing Cookbook
- Python Web Penetration Testing Cookbook
- Credits
- About the Authors
- About the Reviewers
- www.PacktPub.com
- Disclamer
- Preface
- What you need for this book
- Who this book is for
- Sections
- Conventions
- Reader feedback
- Customer support
- 1. Gathering Open Source Intelligence
- Gathering information using the Shodan API
- Scripting a Google+ API search
- Downloading profile pictures using the Google+ API
- Harvesting additional results from the Google+ API using pagination
- Getting screenshots of websites with QtWebKit
- Screenshots based on a port list
- Spidering websites
- 2. Enumeration
- Performing a ping sweep with Scapy
- Scanning with Scapy
- Checking username validity
- Brute forcing usernames
- Enumerating files
- Brute forcing passwords
- Generating e-mail addresses from names
- Finding e-mail addresses from web pages
- Finding comments in source code
- 3. Vulnerability Identification
- Automated URL-based Directory Traversal
- Automated URL-based Cross-site scripting
- Automated parameter-based Cross-site scripting
- Automated fuzzing
- jQuery checking
- Header-based Cross-site scripting
- Shellshock checking
- 4. SQL Injection
- Checking jitter
- Identifying URL-based SQLi
- Exploiting Boolean SQLi
- Exploiting Blind SQL Injection
- Encoding payloads
- 5. Web Header Manipulation
- Testing HTTP methods
- Fingerprinting servers through HTTP headers
- Testing for insecure headers
- Brute forcing login through the Authorization header
- Testing for clickjacking vulnerabilities
- Identifying alternative sites by spoofing user agents
- Testing for insecure cookie flags
- Session fixation through a cookie injection
- 6. Image Analysis and Manipulation
- Hiding a message using LSB steganography
- Extracting messages hidden in LSB
- Hiding text in images
- Extracting text from images
- Enabling command and control using steganography
- 7. Encryption and Encoding
- Generating an MD5 hash
- Generating an SHA 1/128/256 hash
- Implementing SHA and MD5 hashes together
- Implementing SHA in a real-world scenario
- Generating a Bcrypt hash
- Cracking an MD5 hash
- Encoding with Base64
- Encoding with ROT13
- Cracking a substitution cipher
- Cracking the Atbash cipher
- Attacking one-time pad reuse
- Predicting a linear congruential generator
- Identifying hashes
- 8. Payloads and Shells
- Extracting data through HTTP requests
- Creating an HTTP C2
- Creating an FTP C2
- Creating an Twitter C2
- Creating a simple Netcat shell
- 9. Reporting
- Converting Nmap XML to CSV
- Extracting links from a URL to Maltego
- Extracting e-mails to Maltego
- Parsing Sslscan into CSV
- Generating graphs using plot.ly
- Index
When performing your reconnaissance, you may come across parts of web applications that will allow you to determine whether or not certain usernames are valid. A prime example of this will be a page that allows you to request a password reset when you have forgotten your password. For instance, if the page asks that you enter your username in order to have a password reset, it may give different responses depending on whether or not a user with that username exists. So, if a username doesn't exist, the page may respond with Username not found, or something similar. However, if the username does exist, it may redirect you to the login page and inform you that Password reset instructions have been sent to your registered email address.
Each web application may be different. So, before you go ahead and create your username checking tool, you will want to perform a reconnaissance. Details you will need to find will include the page that is accessed to request a password reset, the parameters that you need to send to this page, and what happens in the event of a successful or failed outcome.
Once you have the details of how the password reset request works on the target, you can assemble your script. The following is an example of what your tool will look like:
#basic username check
import sys
import urllib
import urllib2
if len(sys.argv) !=2:
print "usage: %s username" % (sys.argv[0])
sys.exit(0)
url = "http://www.vulnerablesite.com/resetpassword.html"
username = str(sys.argv[1])
data = urllib.urlencode({"username":username})
response = urllib2.urlopen(url,data).read()
UnknownStr="Username not found"
if(response.find(UnknownStr)<0):
print "Username does not exist\n"
else
print "Username exists!"The following shows an example of the output produced when using this script:
user@pc:~# python usernamecheck.py randomusername Username does not exist user@pc:~# python usernamecheck.py admin Username exists!
After the number of arguments have been validated and the arguments have been assigned to variables, we use the urllib module in order to encode the data that we are submitting to the page:
data = urllib.urlencode({"username":username})We then look for the string that indicates that the request failed due to a username that does not exist:
UnknownStr="Username not found"
The result of find (str) does not give a simple true or false. Instead, it will return the position in the string that the substring is found in. However, if it does not find the substring you are searching for, it will return 1.
This recipe can be adapted to other situations. Password resets may request e-mail addresses instead of usernames. Or a successful response may reveal the e-mail address registered to a user. The important thing is to look out for situations where a web application may reveal more than it should.