
How to use Python to perform brute force testing on HTTP digest authentication

2025-01-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to use Python to perform brute-force testing against HTTP digest authentication. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.

As an authentication method, the biggest deficiency of HTTP basic authentication is its lack of security. First, the Base64 encoding it uses is not encryption at all: the credentials are transmitted in what is effectively plaintext and are easy to intercept and steal. Second, HTTP basic authentication has an odd quirk: once you log in with it, the login state is kept until the browser is closed or the browser cache is cleared. Finally, basic authentication is vulnerable to replay attacks (an attacker resends a packet that the destination host has already received in order to deceive the system).

To make up for the shortcomings of basic authentication described above, HTTP/1.1 defines HTTP digest authentication (Digest Authentication).

The principle of HTTP digest authentication is very similar to basic authentication: the client sends a request without credentials, and the server responds with a 401 response carrying a WWW-Authenticate header indicating the authentication the request requires.

Unlike basic authentication, digest authentication uses the MD5 algorithm to hash the username and password together with random values (nonces).

Hashing the username and password hides the password, and adding random values defeats replay attacks, because a captured response is only valid for the nonce it was computed against.
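As an added example (not code from the original article), the following computes the RFC 2617 digest response for qop=auth and pairs it with a minimal server-side verifier, showing why the nonce and nonce count stop a captured message from being replayed. DigestVerifier and demo are hypothetical helpers written for this illustration; the credentials and URI are the test vector from RFC 2617 section 3.5.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # the password itself never leaves the client
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Minimal server side (hypothetical helper): issues nonces and rejects replays."""
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password; constructed sample data
        self.nonces = {}        # nonce -> highest nonce-count (nc) already accepted

    def challenge(self):
        nonce = secrets.token_hex(16)   # fresh random nonce for the WWW-Authenticate header
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        last_nc = self.nonces.get(nonce)
        if last_nc is None:
            return False                # a nonce we never issued (or one already expired)
        nc_int = int(nc, 16)
        if nc_int <= last_nc:
            return False                # same (nonce, nc) pair seen before: a replayed request
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False                # wrong credentials; nc is not advanced
        self.nonces[nonce] = nc_int
        return True


def demo():
    """Constructed scenario: one legitimate request, then the same message replayed verbatim."""
    server = DigestVerifier("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    nonce = server.challenge()
    args = ("Mufasa", "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    response = digest_response("Mufasa", server.realm, "Circle Of Life", *args[1:])
    return server.verify(*args, response), server.verify(*args, response)  # (True, False)
```

A real server must also expire nonces after a short time, otherwise the replay window is only bounded by the size of the nonce table.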

Next, let's look at brute-force password testing against HTTP digest authentication, which offers a higher security level than basic authentication.

3. Brute-force password testing against HTTP digest authentication

Readers familiar with the requests module will know that it supports several authentication schemes; the earlier test against basic authentication was also done through a class from the requests module.

The requests module's support for authentication lives in its auth sub-module.

With the following code, you can complete an HTTP digest authentication request (the example is from the official documentation):

Here, with the help of the requests auth module, we improve our password brute-force tester and add support for HTTP digest authentication.

First, building on the previous version of the code, import the auth sub-module of the requests module:

Because we want to support both basic authentication and digest authentication, we need a parameter that specifies the authentication method. So we add a -m parameter, first in the usage() function:

Then add a method parameter to the request_performer() class, and a check on method in its run() method:

Then make the start() function accept the method parameter as well:

The launcher_thread() function used to start the threads also needs the method parameter:

4. Verifying the new program

After the code modification is complete, let's test the new program.

We already know that the http://www.scruffybank.com/Admin/ link uses basic authentication; what about the other links? We can tell from the response headers:

First, look at the headers returned by http://www.scruffybank.com/Admin/:

Now let's look at the path that the robots.txt file forbids search-engine crawlers from visiting, found while writing the resource explorer at http://zmister.com/archives/180.html: /backoffice

We visit it and find that it also requires login authentication, so let's run our new password brute-force tester against it:

First try basic authentication, running it on the command line:

No password was found, so we switch to digest authentication:

This time it reports a password: admin123. It seems to have succeeded. Let's use this password to log in through the web page and check:

The login succeeds. Let's look at the response headers:

This is indeed a page that uses HTTP digest authentication.

With that, we have completed the new feature for our password brute-force tester: support for HTTP digest authentication.

That is all on how to use Python for brute-force testing of HTTP digest authentication. I hope the above content is of some help and that you can learn more from it. If you think the article is good, please share it so more people can see it.
