I had the opportunity to attend “Python Basics for Web App Pentesters – Part 2” by Justin Searle. Being someone who hasn’t programmed for a good number of years, this Python talk really appealed to me. I’ve been wanting to relearn to code to simplify or automate some of my day-to-day security-related tasks, so this talk seemed right up my alley!
There are many languages out there that might fit an infosec pro’s needs; however, Justin suggested that if you are learning a language for the first time (or picking it up again after a long break, in my case), Python might be the way to go. He touched on some of its advantages, e.g., it being cross-platform (assuming you stick to the standard library) and fairly feature rich (not as much as Perl, but better than Ruby). Of course there are some frustrations as well. The language makes indentation mandatory (whitespace is significant), which, on the other hand, is probably a good thing: you’ll actually be able to read your code years down the road. And if it turns out you really love Python … you can even make it your permanent shell.
Justin went on to provide several code examples of things a web application security pro might want to do. When working over the web in Python, the big decision is which library to use. The two prevailing ones are httplib, the older of the two, and urllib2. Justin recommended urllib2 since it’s more up-to-date and more powerful: httplib forces the developer to do a lot of the legwork by hand, while urllib2 handles much of that lower-level work for you. Using urllib2, Justin went on to illustrate input/output, filtering, basic authentication, fuzzing, GET/POST requests, cookie jars, and multi-threading.
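To make the urllib2 idioms from the talk concrete, here is an added example of my own (not code from Justin’s talk) that exercises three of them together: a GET with an encoded query string, a POST with a form body, HTTP Basic authentication handled by the library, and a cookie jar that carries the session cookie from the first response into the second request. urllib2 is a Python 2 module; in Python 3 the same classes live in urllib.request, which is what this uses. A throw-away HTTP server on the loopback interface stands in for the target application so the script runs without any network access, and the username, password and session cookie value are all constructed for the demo.

```python
"""Added example: urllib2-style GET/POST, Basic auth and cookie jar in Python 3.
The loopback server, credentials and cookie value below are constructed for
the demo; nothing here comes from the talk or from a real application."""
import base64
import http.cookiejar
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERNAME, PASSWORD = "tester", "s3cret"  # constructed credentials for the demo server


class _DemoHandler(BaseHTTPRequestHandler):
    """Stand-in target: demands Basic auth, then sets a session cookie and echoes the request."""

    def _authorized(self):
        expected = "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
        return self.headers.get("Authorization") == expected

    def _respond(self, body):
        if not self._authorized():
            # Challenge the client; urllib's HTTPBasicAuthHandler retries on this
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Set-Cookie", "session=abc123; Path=/")  # constructed value
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        self._respond(f"GET q={query} cookie={self.headers.get('Cookie', '')}")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        self._respond(f"POST body={body} cookie={self.headers.get('Cookie', '')}")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the demo server on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def build_opener(base_url, jar):
    """Opener with Basic auth for base_url, a cookie jar, and no environment proxies."""
    passwords = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    passwords.add_password(None, base_url, USERNAME, PASSWORD)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore http_proxy etc. for the loopback target
        urllib.request.HTTPBasicAuthHandler(passwords),
        urllib.request.HTTPCookieProcessor(jar),
    )


def run_session():
    """GET then POST through one opener; the cookie from the GET rides along on the POST."""
    server, base_url = start_server()
    try:
        jar = http.cookiejar.CookieJar()
        opener = build_opener(base_url, jar)
        # GET: parameters go in the query string, URL-encoded
        params = urllib.parse.urlencode({"id": "42", "page": "2"})
        get_body = opener.open(f"{base_url}/search?{params}", timeout=5).read().decode()
        # POST: passing data= switches the request method and sends a form body
        data = urllib.parse.urlencode({"user": "alice", "note": "hi"}).encode()
        post_body = opener.open(f"{base_url}/submit", data=data, timeout=5).read().decode()
        return {"get": get_body, "post": post_body, "cookies": {c.name: c.value for c in jar}}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in run_session().items():
        print(f"{key}: {value}")
```

The GET is sent without a cookie, gets challenged with a 401, and is retried by HTTPBasicAuthHandler with the Authorization header; the 200 that follows carries Set-Cookie, which HTTPCookieProcessor stores in the jar, so the POST arrives at the server with `Cookie: session=abc123` already attached. That is exactly the bookkeeping httplib would make you do by hand.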
One of the big controversies with Python is whether to use the 2.x or the 3.x branch. At this point most developers still use 2.x, but Justin feels 3.x is on the cusp of gaining traction in the next year or two. For those new to Python, he’s leaning towards recommending the 3.x branch.
As a final note, Justin mentioned that he is working on a collection of code examples that should cover much of what web application security pros would be interested in. I’ll definitely be on the lookout for those!
Did you attend this talk? Let us know what you thought. Today’s post pic is from OWASP.org. See ya!