Python Scripting Engine - The Art Of Browser Automation with Python


The Python Scripting Engine has the following options -

Python Scripting Engine:
  --python PYTHON       Executes provided python code.
  --python-after PYTHON_AFTER
                        Executes provided python code after single fuzzing attempt of form.
  --python-file PYTHON_FILE
                        Reads and Executes provided python code from file.

The Python Scripting Engine allows users to run custom Python code before/after fuzzing the form and to control the browser object. It provides the driver object to automate and interact with the running browser using Python.

The --python option takes Python code from the pentester and executes it. The --python-after option works the same way, but executes the code after the --button is pressed. The --python-file option is the same as --python, except that it reads the Python code to execute from a file.

This provides a great deal of flexibility, extensibility and room for modification. You can interact with the browser using the driver object provided by the Python Scripting Engine.

This allows users to do whatever they want to do; the only barrier is imagination.

A few things you can do with this are -

- Create python code to crack the captchas
- Fuzz multi-page forms
- Automate browser further using the browser object provided by Python Scripting Engine, which is not possible via javascript option
- Tackle the complex navigation by automating the browser

For example, the following is the code we used to fuzz a two-page application. The first page requires the user to enter a mobile number and the second page verifies that number. I wanted to fuzz the second page, so I wrote the following Python code to automate the first page and then fuzz the second page using BrowserBruter:

python3 BrowserBruter.py --elements text-center --button font-semibold --payloads usernames.txt --target https://localhost.com/ --attack 1 --python "e1 = driver.find_element(By.CSS_SELECTOR, 'input.w-full.text-center'); e1.send_keys('0987654321'); driver.find_element(By.CSS_SELECTOR, 'button.btn-primary.mt-6.w-full.font-semibold').click(); sleep(0.5)"

Here,

  • --elements text-center is the text field which takes the OTP on the second page
  • --button font-semibold is the button to be pressed on the second page
  • --payloads usernames.txt is the file containing payloads
  • --target https://localhost.com/ is the target application
  • --attack 1 specifies that this is a sniper attack
  • --python "e1 = driver.find_element(By.CSS_SELECTOR, 'input.w-full.text-center'); e1.send_keys('0987654321'); driver.find_element(By.CSS_SELECTOR, 'button.btn-primary.mt-6.w-full.font-semibold').click(); sleep(0.5)" is the Python code that automates the first page of the flow.

This was an actual real-world application we fuzzed using BrowserBruter, automating the two-page registration flow with the Python Scripting Engine as shown below -


Note: details such as the target and scope are confidential, which is why they are hidden in the image above.
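
The same first-page automation written as a file for --python-file, as an added example that is not BrowserBruter's own code: it polls for each element instead of assuming the page has already loaded, and raises if page one never becomes ready. It assumes the engine exposes `driver` and `By` to file code as it does to the inline --python code above; the file name first_page.py and the function name are hypothetical.

```python
# first_page.py (hypothetical file name) - pass it with --python-file first_page.py
# Assumption: the engine exposes `driver` and `By` to file code just as it does
# to the inline --python code in the command above.

def complete_first_page(driver, by_css, phone="0987654321", timeout=5.0, settle=0.5,
                        phone_input="input.w-full.text-center",
                        next_button="button.btn-primary.mt-6.w-full.font-semibold"):
    """Submit the mobile number on page one so the fuzzer starts on page two."""
    import time  # local import keeps the function self-contained however the engine runs the file

    def wait_for(selector):
        # Poll until the element exists and is visible; fail loudly on timeout.
        deadline = time.monotonic() + timeout
        while True:
            try:
                element = driver.find_element(by_css, selector)
                if element.is_displayed():
                    return element
            except Exception:  # e.g. the element is not in the DOM yet
                pass
            if time.monotonic() >= deadline:
                raise TimeoutError("page one not ready: " + selector)
            time.sleep(0.1)

    field = wait_for(phone_input)
    field.clear()
    field.send_keys(phone)
    wait_for(next_button).click()
    time.sleep(settle)  # same short pause the inline version uses after the click
    return phone


try:
    engine_driver, engine_by = driver, By  # provided by the Python Scripting Engine
except NameError:
    pass  # imported outside BrowserBruter: only define the function
else:
    complete_first_page(engine_driver, engine_by.CSS_SELECTOR)
```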

So this is how you can utilize the Python Scripting Engine to do whatever you want to do.


Hop on to the next section to learn about the options that alter the working of the browser.
