By: Shimon Brathwaite
August 11, 2021
Python Programming For Web Application Testing
Web application testing is an important part of developing secure software applications. When creating an application, the first and most important procedure is using secure coding practices. These help to limit the number of vulnerabilities that an application may have. However, one won’t know how secure the code is until it’s been tested. Many people think that one must do a pentest to test an application’s security, but there is a lot that one can do to test the application personally. This tutorial is going to focus on how to do web application testing for Python applications.
Why is web application testing important?
When developing an application, the focus is typically on giving the application all of the functionality necessary. However, this usually assumes that the user is going to give a certain type of input. In a real-life scenario, users can give some unexpected input. If the application isn’t designed to handle all types of input properly, this can cause the application to crash, return bad error codes, or give hackers a potential entry point into the environment. To test against this, use a technique called “application fuzzing.” Fuzzing means using automated software to provide invalid, unexpected, or random data as inputs to a computer program. Sending large amounts of random data to the application and observing the results indicates whether the application is well designed or not.
In addition to unexpected inputs, some users will intentionally try to hack into a web application. Not only will these users input well-crafted lines of code to perform injection attacks such as XSS or SQL injections, but they will also use many different types of web-based attacks to find ways to break into the application. Python has several libraries that give developers access to the same functionality that these attackers will use to scan or exploit applications. By learning how to use these libraries, one can test applications ahead of time, making sure they are resistant to these attacks.
How to do application testing in Python
Faker is a Python library dedicated to producing fake data that can be used to test applications. This makes it one of the best libraries for application fuzzing, producing some of the most commonly used outputs such as fake names, addresses, emails, URLs, and text messages. A simple example of how to use Faker to generate some fake data:
As you can see, the commands for generating data using Faker are quite simple and provide various possible inputs, depending on the type that you specify. While this doesn’t test an application for intentional cyberattacks, it does test the application’s ability to handle different types of inputs. For a full article outlining the basics of Faker and how to use it, check out this article.
As the name suggests, the Unittest library is dedicated to automating unit testing in Python. A unit test in Python is a testing method that tests individual units of source code. Unittest allows testing individual units against multiple use cases to see if the application handles the input without error.
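The fuzzing idea described earlier, driven from Unittest, as an added example that is not part of the original article. It uses the standard library's random module in place of Faker so it runs without extra packages; naive_handler, hardened_handler and the form fields are hypothetical stand-ins for the application under test.

```python
import random
import unittest

def naive_handler(form):
    """Constructed 'before' handler: assumes well-formed input."""
    age = int(form["age"])               # KeyError / ValueError on bad input
    return 200, f"Hello {form['name'].strip()}, age {age}"

def hardened_handler(form):
    """Constructed 'after' handler: answers 400 instead of crashing."""
    name, age = form.get("name"), form.get("age")
    if not isinstance(name, str) or not 0 < len(name.strip()) <= 64:
        return 400, "invalid name"
    if not isinstance(age, str) or len(age) > 3 or not (age.isascii() and age.isdigit()):
        return 400, "invalid age"
    if not 0 < int(age) < 150:
        return 400, "invalid age"
    return 200, f"Hello {name.strip()}, age {int(age)}"

def random_value(rng):
    """One invalid, unexpected or random field value (None = field absent)."""
    return rng.choice([
        None, "",
        str(rng.randint(-10**6, 10**6)),                 # numeric, often out of range
        "A" * rng.randint(1000, 5000),                   # oversized
        "".join(chr(rng.randrange(0x20, 0x3000)) for _ in range(rng.randint(1, 40))),
    ])

def fuzz(handler, cases=500, seed=1234):
    """Feed random forms to handler; return the inputs that made it fail."""
    rng, crashes = random.Random(seed), []               # fixed seed: reproducible
    for _ in range(cases):
        form = {k: v for k in ("name", "age") if (v := random_value(rng)) is not None}
        try:
            status, _body = handler(form)
            assert status in (200, 400), f"unexpected status {status}"
        except Exception as exc:
            crashes.append((form, type(exc).__name__))
    return crashes

class FuzzTest(unittest.TestCase):
    def test_hardened_handler_survives(self):
        self.assertEqual(fuzz(hardened_handler), [])
    def test_naive_handler_crashes(self):
        self.assertTrue(fuzz(naive_handler))

if __name__ == "__main__":
    unittest.main()
```

Because the seed is fixed, any crashing input the fuzzer finds can be replayed and turned into a permanent regression test.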
Nmap is a well-known port scanner commonly used in the initial stages to identify vulnerable services running on a machine. There is a Python library called Nmap that allows you to access the same functionality in Python scripts. This allows developers to scan their web applications to see what services are visible from outside their networks. Depending on the findings, they may want to disable certain services or ports to prevent them from being exploited.
The Requests library allows one to send HTTP requests and customize content like headers, form data, multipart files, and parameters. For web applications, this allows a dev to make some custom exploits that can bypass the security features of many web applications. A study by Imperva found that Requests was the most popular Python library used in web application attacks: it’s used in approximately 89% of Python attacks against web applications.
Anyone who has used a tool like Wireshark knows what a packet sniffer is. A packet sniffer is a tool that allows one to intercept and read data packets between two endpoints. Scapy is a Python-based packet manipulation library that allows forging and decoding data packets across several protocols. For example, Scapy can be used to perform ARP cache poisoning, VoIP decoding, and the sending of invalid frames.
Socket is a low-level networking library in Python that allows the creation of client-server connections. For web application testing, it’s very useful because it makes a connection to a specific machine on a specified port, with a specified protocol, and sends data to the machine via that connection. Essentially, Socket allows you to set up a machine as a server and interact with other machines. This way, a tester can establish connections to a web server and extract data from the machine as part of a penetration test. Here is a visual representation of what can be done with Socket:
[Image: visual representation of what can be done with Socket. Source: Wikimedia]
A full tutorial on Socket’s capabilities can be found here.
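A raw Socket connection to a web server, as an added example that is not part of the original article: it sends one HTTP request by hand and reports which common security response headers are absent. DemoApp is a constructed stand-in for your own application, served on the loopback interface, and the EXPECTED list is an assumption to adjust to your own policy.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed baseline of response headers to look for (adjust to your policy).
EXPECTED = ("content-security-policy", "x-content-type-options",
            "strict-transport-security")

class DemoApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):        # keep the demo quiet
        pass

def fetch_headers(host, port, path="/", timeout=3.0):
    """Send one raw HTTP GET over a socket; return (status, headers)."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw:    # read until the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (line.partition(":") for line in lines)}
    return int(status_line.split()[1]), headers

def missing_security_headers(host, port):
    """List the EXPECTED headers the server did not send."""
    _status, headers = fetch_headers(host, port)
    return [h for h in EXPECTED if h not in headers]

def demo():
    """Start the constructed app on a free loopback port and check it."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)    # port 0: OS picks a port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return missing_security_headers("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("missing security headers:", demo())
```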
Best Resources for Learning Python in web application testing:
Developing ethical hacking tools with Python: This course teaches how to develop ethical hacking software using Python. These tools will allow testing applications in a more customized way than just using standard industry tools.
Violent Python: This book is the most popular book on using Python for ethical hacking. It goes in-depth on Python and explains many of the Python libraries highlighted in this article. In addition, it explains exactly how the code works, with examples for gaining a strong understanding of each function in the library and learning how to manipulate them as needed.
Codewars: This website is a great place to get practical experience writing code and unit testing your application. Codewars is a platform that offers challenges (katas) that force developers to solve problems in the coding language of their choice. Each challenge tests the application’s ability to handle irregular inputs to provide the correct solution. Doing these challenges provides practical experience in writing programs that are built to handle all types of inputs.
The Python programming language comes with many libraries that are great for web application testing. Application testing is important for two main reasons. The first is making sure that, regardless of what inputs are provided to the application, it can process the input without giving an error or incorrect answer. The second is testing the security of an application to ensure that it has the lowest number of vulnerabilities possible.