filmov
tv
Python: Endpoint Tester - Testing endpoints for data validation and fuzz
Показать описание
The code for this Python utility is at:
*As always, only test web applications you have permission to test*
Concept:
A Python script for testing security and functionality of Web Application Endpoints.
While front end may or may not have validation for POSTs to the backend, attacks can come directly to the back end endpoints of an application.
The script makes use of the "requests" module in Python (in order to capture user Session cookies after logging in) and then with the proper session it iterates over a dictionary of endpoints, and their corresponding JSON Payload.
The JSON Payload is replaced adhoc where there might be fragile code elements.
The script makes use of data manipulation (XSS, mix encoding, etc) as well as Fuzzing. The fuzzer takes a character ("A" for example) and user input for how much of a buffer to create. It then creates a list of values of the character, to the user specification. Then it passes each string to each endpoint, working its way up to the largest character string created.
Other Tools:
This doesn't replace the need for utilities like BurpSuite or OWASP's ZAP.
This simply is a quick utility to vet your specific endpoints against specified attack vectors. It is in no way meant to replace other tools which are updated by the InfoSec community.
Links:
For XSS attack vectors, I used the OWASP XSS Cheat Sheet:
ZAP:
BurpSuite:
*As always, only test web applications you have permission to test*
Concept:
A Python script for testing security and functionality of Web Application Endpoints.
While front end may or may not have validation for POSTs to the backend, attacks can come directly to the back end endpoints of an application.
The script makes use of the "requests" module in Python (in order to capture user Session cookies after logging in) and then with the proper session it iterates over a dictionary of endpoints, and their corresponding JSON Payload.
The JSON Payload is replaced adhoc where there might be fragile code elements.
The script makes use of data manipulation (XSS, mix encoding, etc) as well as Fuzzing. The fuzzer takes a character ("A" for example) and user input for how much of a buffer to create. It then creates a list of values of the character, to the user specification. Then it passes each string to each endpoint, working its way up to the largest character string created.
Other Tools:
This doesn't replace the need for utilities like BurpSuite or OWASP's ZAP.
This simply is a quick utility to vet your specific endpoints against specified attack vectors. It is in no way meant to replace other tools which are updated by the InfoSec community.
Links:
For XSS attack vectors, I used the OWASP XSS Cheat Sheet:
ZAP:
BurpSuite:
0:37:24
0:15:56
0:16:06
0:08:09
0:14:20
0:13:29
0:04:27
2:09:38
0:06:07
0:08:24
0:05:08
0:00:10
0:00:32
0:06:40
19:00:27
0:08:30
0:10:12
0:07:24
0:07:32
0:14:22
0:04:16
0:20:04
0:15:10
0:11:50