During Web Application Penetration tests I always need to automate requests, e.g. for fuzzing. While most of the local proxy\/testing softwares (Burp, WebScarab, w3af, etc.) include a repeater\/fuzzer feature, I often want to do addtional computations in python (e.g. calculating a hash and sending it as a fuzzed value or comparing parts of the response). The following script will take an entire HTTP(S) request as a string, parse it and send it to the server. As I show with the POST parameter “fuzzableParam” in this example, values can easily be fuzzed.<\/p>\n
\r\ndef send_this_request(http_request_string, remove_headers=None):\r\n """\r\n Always HTTP\/1.1\r\n """\r\n import urllib2\r\n if remove_headers is None:\r\n remove_headers=['content-length', 'accept-encoding', 'accept-charset', \r\n 'accept-language', 'accept', 'keep-alive', 'connection', 'pragma', \r\n 'cache-control']\r\n for i, remove_header in enumerate(remove_headers):\r\n remove_headers[i] = remove_header.lower()\r\n if '\\n\\n' in http_request_string:\r\n headers, body = http_request_string.split('\\n\\n',1)\r\n else:\r\n headers = http_request_string\r\n body = None\r\n headers = headers.split('\\n')\r\n request_line = headers[0]\r\n headers = headers[1:]\r\n\r\n method, rest = request_line.split(" ", 1)\r\n url, protocol = rest.rsplit(" ", 1)\r\n\r\n merge_host_header_into_url = False\r\n if url.startswith("http"):\r\n merge_host_header_into_url = False\r\n elif url.startswith("\/"):\r\n info("Warning: Defaulting to HTTP. Please write URL as https:\/\/ if you want SSL")\r\n merge_host_header_into_url = True\r\n else:\r\n fatalError("Protocol not supported. URL must start with http or \/")\r\n\r\n header_tuples = []\r\n for header in headers:\r\n name, value = header.split(": ", 1)\r\n if merge_host_header_into_url and name.lower() == 'host':\r\n url = 'http:\/\/'+value+url\r\n if not name.lower() in remove_headers:\r\n header_tuples.append((name, value))\r\n \r\n opener = urllib2.build_opener()\r\n opener.addheaders = header_tuples\r\n urllib2.install_opener(opener)\r\n\r\n try:\r\n return urllib2.urlopen(url, body, 15).read()\r\n except urllib2.HTTPError, e:\r\n info('The server couldn\\'t fulfill the request. Error code:', e.code)\r\n except urllib2.URLError, e:\r\n info("URLError:", e.reason)\r\n except Exception, e:\r\n error("DIDNT WORK:", e)\r\n \r\ndef info(*text):\r\n print "[PY-INFO] "+str(" ".join(str(i) for i in text))\r\n\r\ndef error(*text):\r\n print "[PY-ERROR] "+str(" ".join(str(i) for i in text))\r\n\r\nrequest = '''POST http:\/\/example.com\/ HTTP\/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 115\r\nContent-Type: application\/x-www-form-urlencoded;charset=utf-8\r\nReferer: http:\/\/example.com\r\nContent-Length: 132\r\nCookie: test=somevalue; abc=123\r\nDNT: 1\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nid=123&fuzzableParam='''\r\n\r\nadditionalValue = "&anotherParam=abc"\r\n\r\nfor i in ['78', '-1']:\r\n print send_this_request(request+i+additionalValue)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"During Web Application Penetration tests I always need to automate requests, e.g. for fuzzing. While most of the local proxy\/testing softwares (Burp, WebScarab, w3af, etc.) include a repeater\/fuzzer feature, I often want to do addtional computations in python (e.g. calculating … Continue reading