AppSecDC Recap: Python Basics for Web App Pentesters

April 4, 2012

I had the opportunity to attend “Python Basics for Web App Pentesters – Part 2” by Justin Searle. Being someone who hasn’t programmed in a good number of years, this Python talk really appealed to me. I’ve been wanting to relearn to code to simplify or automate some of my day-to-day security-related tasks. This talk seemed right up my alley!

There are many languages out there that might fit an infosec pro’s needs; however, Justin suggested that if you are learning a language for the first time (or picking it up again after a long break, in my case), Python might be the way to go. He touched on some of its advantages, e.g., it being cross-platform (assuming you stick to the standard library) and fairly feature rich (not as much as Perl but better than Ruby). Of course there are some frustrations as well. The language enforces significant whitespace, which, on the other hand, is probably a good thing: you’ll actually be able to read your code years down the road. And if it turns out you really love Python, you can even make it your permanent shell.

Justin went on to provide several code examples of things a web application security pro might want to do. When working over the web in Python, the big decision is which library to use. The two prevailing ones are httplib, the older of the two, and urllib2. Justin recommended using urllib2 since it’s more up-to-date and powerful. Basically, httplib forces the developer to do a lot of the legwork manually, while urllib2 handles much of that lower-level work for you. Using urllib2, Justin then illustrated input/output, filtering, basic authentication, fuzzing, GET/POST requests, cookie jars, and multi-threading.
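As an added example (not code from the talk or from this post): urllib2 became urllib.request in Python 3, and the pattern Justin described, letting the library answer basic-auth challenges and carry cookies instead of building headers by hand, looks like this against a constructed local server that stands in for the target. The server, the credentials, the realm and the paths are all made up for the demonstration.

```python
import base64, http.cookiejar, json, threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "tester", "s3cret"  # constructed credentials for the stand-in server


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in target: demands Basic auth, sets a cookie, echoes what it saw."""

    def _handle(self, form=None):
        expected = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") != expected:
            self.send_response(401)  # challenge; urllib's auth handler answers it
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Set-Cookie", "session=abc123; Path=/")
        self.end_headers()
        seen = {"method": self.command, "cookie": self.headers.get("Cookie"), "form": form}
        self.wfile.write(json.dumps(seen).encode())

    def do_GET(self):
        self._handle()

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        self._handle(urllib.parse.parse_qs(body))


def run_session(base_url):
    """One opener answers 401 challenges with stored credentials and carries
    cookies across requests, so neither GET nor POST needs hand-built headers."""
    jar = http.cookiejar.CookieJar()
    auth = urllib.request.HTTPBasicAuthHandler()
    auth.add_password(realm="demo", uri=base_url, user=USER, passwd=PASSWORD)
    opener = urllib.request.build_opener(auth, urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base_url + "/login") as resp:          # GET
        first = json.load(resp)
    form = urllib.parse.urlencode({"q": "test"}).encode()   # data= makes it a POST
    with opener.open(base_url + "/search", data=form) as resp:
        second = json.load(resp)
    return first, second, [c.name for c in jar]


def demo():
    server = HTTPServer(("127.0.0.1", 0), _Handler)  # free port on loopback
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_session(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
```

The first GET is challenged with a 401 and transparently retried with credentials; the session cookie it receives is then sent automatically on the POST, which is what the echoed "cookie" field shows.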

One of the big controversies with Python is whether to use the 2.x or 3.x branch. At this point most developers still use 2.x, but Justin feels 3.x is on the cusp of gaining traction in the next year or two. For those new to Python, he’s leaning towards recommending the 3.x branch.

As a final note, Justin mentioned that he is working on a bunch of code examples that should cover much of what web application security pros would be interested in. I’ll definitely be on the lookout for this!

#####

Did you attend this talk? Let us know what you thought. Today’s post pic is from OWASP.org. See ya!


7 Responses to AppSecDC Recap: Python Basics for Web App Pentesters

  1. @novainfosec on April 4, 2012 at 5:18 pm

    #NOVABLOGGER: AppSecDC Recap: Python Basics for Web App Pentesters http://t.co/VDGDxtAZ http://t.co/Inu1SfcI

  2. @novainfosec on April 4, 2012 at 7:15 pm

    Python Basics for Web App Pentesters http://t.co/VDGDxtAZ A recap of a talk at AppSecDC. #ASDC12

  3. @csec on April 4, 2012 at 9:15 pm

    AppSecDC Recap: Python Basics for Web App Pentesters: [nova#infosecportal.com] I had the opportunity to attend… http://t.co/3XtCUImm

  4. @novainfosec on April 4, 2012 at 10:39 pm

    Python Basics for Web App Pentesters http://t.co/VDGDxtAZ Nice talk. Can’t wait for the “cookbook.” #ASDC12

  5. @KelvinLomboy on April 4, 2012 at 11:48 pm

    AppSecDC Recap: Python Basics for Web App Pentesters http://t.co/bocedoO9

  6. @grecs on April 5, 2012 at 6:45 pm

    Python Basics for Web App Pentesters http://t.co/Rl0QDH81 Nice talk fr #ASDC12.

  7. s3v3n on September 2, 2012 at 1:13 am

    Nice web app for code104 black hats ;) btw most of core members know about it :P
