
Fast security checks

14.03.2024

Companies are increasingly looking for ways to check the security of their applications without a great deal of effort. Our security experts quickly came across test tools written in Python. As a high-level language, Python makes it possible to write working programs quickly, and such programs can be integrated into existing infrastructure with comparatively little effort. This has led to a veritable explosion of platform-independent security tools written in Python in recent years.

To keep complexity as low as possible, the open source tools examined in this article follow the tried-and-tested KISS principle (keep it simple, stupid). This simplicity means that the programs can be integrated into existing pipelines, or swapped for other solutions, with little effort. All of them can be installed with pip, the Python package manager.

Checking the transport encryption with SSLyze

The open source program SSLyze gives a good overall impression of a web server's transport encryption. The help page, shown with sslyze --help, provides an overview of the supported options. To scan a domain, it is sufficient to pass it to SSLyze as a positional argument.

Example: sslyze [Domain]

  • In the first step, we receive information on the certificate chain presented by the server and whether it validates against the trust stores.
  • Connections are then made sequentially with each SSL and TLS version to be checked, and the accepted versions and cipher suites are written to the terminal.
  • In the final step, the accepted cipher suites are compared against the current recommendations of the Mozilla Foundation (the Mozilla Server Side TLS profiles), with recommendations for action.

In addition, SSLyze tests for well-known vulnerabilities of misconfigured or unpatched TLS stacks, among them Heartbleed, the OpenSSL CCS injection, ROBOT, insecure renegotiation and TLS compression. A complete SSLyze scan takes only a few seconds.

Further arguments can be passed to SSLyze to make the result usable in a pipeline run. With --mozilla_config=intermediate (the default; modern and old are the alternatives) the scan results are checked against the corresponding Mozilla TLS profile: intermediate stands for strong encryption with good backwards compatibility with older browsers, modern accepts only TLS 1.3, and old is meant for servers that still have to serve legacy clients. At the end of the report SSLyze lists every rule of the chosen profile that the server violates, and it exits with a non-zero code when the server is not compliant, which is the signal a pipeline step should fail on. With --json_out=FILE the complete results are additionally written as JSON for further processing.
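To make the profile comparison tangible, here is a deliberately simplified re-implementation of the kind of rule check SSLyze performs with --mozilla_config. This is an added example and not SSLyze's own code: the accepted protocol versions per profile follow Mozilla's published guidelines, but the cipher rules are a simplifying assumption (reject known-weak primitives, require forward secrecy outside the old profile) rather than the exact suite lists, and the two scan dicts are constructed by hand and do not mirror SSLyze's JSON format.

```python
"""Simplified TLS-profile check, modelled on what SSLyze does with
--mozilla_config. Added example, not SSLyze's code; the scan dicts below are
constructed by hand and are NOT SSLyze's JSON format."""

from typing import Any, Dict, List, Set

# Accepted protocol versions per profile (Mozilla Server Side TLS guidelines).
PROFILE_VERSIONS: Dict[str, Set[str]] = {
    "modern": {"TLSv1.3"},
    "intermediate": {"TLSv1.2", "TLSv1.3"},
    "old": {"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"},
}

# Assumption / simplification: substrings (OpenSSL suite naming) that mark a
# cipher suite as unacceptable in every profile.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "ADH", "AECDH")

# OpenSSL suite-name prefixes that imply an ephemeral key exchange
# (forward secrecy); TLS 1.3 suites ("TLS_...") always have it.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def check_profile(scan: Dict[str, Any], profile: str) -> List[str]:
    """Return the list of profile rules the scanned server violates."""
    allowed = PROFILE_VERSIONS[profile]
    violations: List[str] = []

    for version in sorted(scan["versions_accepted"]):
        if version not in allowed:
            violations.append(f"{version} must not be offered under '{profile}'")

    for suite in sorted(scan["cipher_suites_accepted"]):
        if any(marker in suite for marker in WEAK_MARKERS):
            violations.append(f"weak cipher suite accepted: {suite}")
        elif profile != "old" and not suite.startswith(PFS_PREFIXES):
            violations.append(f"cipher suite without forward secrecy: {suite}")

    if not scan["certificate_chain_valid"]:
        violations.append("certificate chain does not validate")
    return violations


# Constructed sample results, standing in for what a scanner would report.
LEGACY_SERVER: Dict[str, Any] = {
    "versions_accepted": {"TLSv1.0", "TLSv1.2"},
    "cipher_suites_accepted": {"RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"},
    "certificate_chain_valid": True,
}
HARDENED_SERVER: Dict[str, Any] = {
    "versions_accepted": {"TLSv1.2", "TLSv1.3"},
    "cipher_suites_accepted": {
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "TLS_AES_128_GCM_SHA256",
    },
    "certificate_chain_valid": True,
}

if __name__ == "__main__":
    for name, scan in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        for profile in PROFILE_VERSIONS:
            print(f"{name} vs {profile}: {check_profile(scan, profile) or 'compliant'}")
```

A pipeline step would treat a non-empty violation list the same way it treats SSLyze's non-zero exit code: fail the job and print the list. The example also shows why choosing the profile matters; the hardened server passes intermediate but fails modern solely because it still offers TLS 1.2.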

Further Information: https://github.com/nabla-c0d3/sslyze

Testing SQL injections with sqlmap

Another gateway for unwanted actors is SQL injection.

But what exactly is an SQL injection?

If user input is pasted into a database query as part of the query text, rather than being passed to the database as a bound parameter, an attacker can smuggle in SQL of their own. SQL injection is therefore the execution of attacker-controlled SQL code. The consequences range from the theft of data to its modification or complete deletion. The reliable countermeasure is prepared statements with parameter binding; input validation is a useful additional layer but is not sufficient on its own. To make sure that no vulnerable code path has crept in, the input fields should be tested regularly.

One option for this is the sqlmap tool. For a first scan it can be started in interactive mode with sqlmap --wizard; in this mode the required information is requested step by step and the scan is then run. For use in a pipeline we recommend passing the required parameters (see sqlmap --help) as arguments; in particular, --batch answers every prompt with its default, so the run never blocks waiting for input. Because a full scan can take a very long time, it should not be run with every single build. It should also only ever be pointed at systems you are authorised to test, ideally a dedicated test instance with disposable data, since sqlmap's probes can alter or slow down the database.
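The bug class sqlmap hunts for, shown as a vulnerable query beside its parameterised fix, as an added example that is neither sqlmap's code nor part of the original article. It runs against an in-memory SQLite database whose table and rows are constructed here; the two payloads are the classic boolean-based and error-based probes, and the classification heuristic (a lookup by name must never return more than one row, and must never raise) is an assumption standing in for a scanner's baseline comparison.

```python
"""Vulnerable query beside its parameterised fix. Added example, not code from
sqlmap or the article; the table, rows and payloads are constructed."""

import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]
Lookup = Callable[[sqlite3.Connection, str], List[Row]]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Input is pasted into the SQL text: the attacker edits the query itself."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Parameter binding: the value travels separately from the statement,
    so it can never change the query's structure."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probes: the first turns the WHERE clause into a tautology,
# the second breaks the SQL syntax and provokes a database error.
BOOLEAN_PAYLOAD = "' OR '1'='1"
ERROR_PAYLOAD = "'"


def classify_probe(conn: sqlite3.Connection, lookup: Lookup, payload: str) -> str:
    """Classify one probe the way a scanner would: 'error', 'injected' or 'clean'.

    Assumption: a lookup by exact name legitimately returns at most one row,
    so more than one row or a database error means the payload reached SQL.
    """
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error:
        return "error"
    return "injected" if len(rows) > 1 else "clean"


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        for payload in (BOOLEAN_PAYLOAD, ERROR_PAYLOAD):
            print(f"{label:10} {payload!r:14} -> {classify_probe(db, fn, payload)}")
```

The vulnerable version returns every user for the boolean payload and raises for the error payload, which are exactly the two signals sqlmap's boolean-based and error-based techniques look for; the parameterised version returns an empty result for both, because the payload is compared as a literal name.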

Further Information: https://github.com/sqlmapproject/sqlmap

Testing OS command injections with Commix

Commix behaves much like sqlmap, but looks for OS command injection: user input that ends up in a command executed by the operating system's shell, which lets an attacker run arbitrary commands at the system level. Because of the many possible entry points and injection techniques, a scan can take up to several hours. The network should also not be under load during this time, since Commix uses time-based blind techniques that measure response delays and become unreliable when latency fluctuates.

Since command injection is a property of the application's code paths that call the shell rather than of an individual build, the test does not need to run with every build. We therefore recommend integrating it into a pipeline that is separate from the build process, for example a scheduled run against a test environment. For this purpose, Commix offers a large number of parameters, which can be viewed with commix --help.
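What Commix looks for, shown as a vulnerable shell call beside two fixes, as an added example that is not Commix's code and not part of the original article. A harmless echo stands in for the typical ping or traceroute call, the payload is constructed, and the hostname allowlist regex is an assumption made for the example.

```python
"""Vulnerable shell call beside its fixes. Added example, not Commix's code;
'echo' stands in for a real ping/traceroute call and the payload is constructed."""

import re
import subprocess

# Assumption for this example: a hostname is letters, digits, dots and hyphens,
# starting with a letter or digit, at most 253 characters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Constructed payload: the ';' ends the intended command and starts a new one.
PAYLOAD = "example.org; echo INJECTED"


def ping_vulnerable(hostname: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';', '|', '`' and
    '$(...)' inside hostname are parsed as shell syntax, not as data."""
    result = subprocess.run(
        f"echo pinging {hostname}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def ping_argv(hostname: str) -> str:
    """First fix: no shell, an argv list. The value is exactly one argument
    and is never parsed, whatever characters it contains."""
    result = subprocess.run(
        ["echo", "pinging", hostname], capture_output=True, text=True
    )
    return result.stdout


def validate_hostname(hostname: str) -> str:
    """Second layer: reject anything that is not plausibly a hostname."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return hostname


def ping_safe(hostname: str) -> str:
    """Allowlist validation plus argv list: defence in depth."""
    return ping_argv(validate_hostname(hostname))


if __name__ == "__main__":
    print("vulnerable:", repr(ping_vulnerable(PAYLOAD)))
    print("argv only :", repr(ping_argv(PAYLOAD)))
    try:
        ping_safe(PAYLOAD)
    except ValueError as exc:
        print("validated :", exc)
```

The vulnerable version prints a second line, INJECTED, because the shell executed the attacker's command; the argv version prints the payload verbatim as part of one line. Commix's time-based probes work the same way as this payload, only with a sleep command in place of the echo, and detect the injection from the response delay, which is why an idle network matters for that scan.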

Further Information: https://github.com/commixproject/commix

Vulnerability scan using Wapiti

Unlike the tools presented so far, which each target one class of vulnerability, Wapiti is a general web vulnerability scanner: it crawls the target and looks for a wide range of security issues. The list of supported attack modules is available on the project page: https://github.com/wapiti-scanner/wapiti.

Wapiti also includes SSLyze's TLS checks as one of its modules, which underlines its versatility. A simple command such as wapiti -u [URL] performs a quick check, after which the tool generates a detailed HTML report with the results.

Further Information: https://github.com/wapiti-scanner/wapiti

Conclusion

Gaining a security overview of your own software project does not have to be complicated. On the contrary: with minimal resources, important insights can be gained that uncover potentially costly security problems early. To ensure that this view is not just a snapshot but is maintained continuously, it is advisable to integrate the scans into the project pipelines.

All of the tools presented are black box scanners and therefore have no access to the target's source code. In addition, static analysis of the source code for programming errors (SAST) and a scan of the libraries used for known vulnerabilities (CVEs, software composition analysis) should also be used.

The overview compiled by our experts is only a selection and is therefore by no means complete. Programs such as smbmap and DNSRecon can further deepen the perspective on your own infrastructure.

As the attack surface grows with technical progress, it is important to stay up to date. Our Xperts are already working on another article on security tools outside the Python ecosystem.