O'Reilly Network    


 Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/wlg/8201

Web Application Security Testing Using twill

by Nitesh Dhanjani
Oct. 25, 2005

I just came across twill, a Python-based tool for web application testing. It can be used interactively (from its command-line shell) or from a Python script. Below is a quick example of how to use twill to submit an HTML form. I’ve used Google for demonstration purposes. The lines beginning with the >> prompt are what I typed; everything else is twill's output.


Start twill:
$ ./twill-sh
-= Welcome to twill! =-


current page: *empty page*

Go to http://google.com/ and show form details:
>> go http://google.com/
==> at http://www.google.com/
current page: http://www.google.com/
>> showforms
Form name=f
## __Name______ __Type___ __ID________ __Value__________________
   hl           hidden    (None)       en
   ie           hidden    (None)       ISO-8859-1
   q            text      (None)
1  btnG         submit    (None)       Google Search
2  btnI         submit    (None)       I'm Feeling Lucky
current page: http://www.google.com/

Use “oreilly” for the query (q) parameter, and submit using “I’m Feeling Lucky”:
>> fv 1 q oreilly
current page: http://www.google.com/
>> submit btnI
Note: submit is using submit button: name="btnI", value="I'm Feeling Lucky"
current page: http://www.oreilly.com/

Our search succeeded, and we are now at http://www.oreilly.com/ (Google redirected us there because we submitted with "I'm Feeling Lucky", which takes you straight to the top result). Next, let's list the forms on http://www.oreilly.com/:
>> showforms
Form #1
## __Name______ __Type___ __ID________ __Value__________________
   sp-a         hidden    (None)       sp1000a5a9
   sp-f         hidden    (None)       ISO-8859-1
   sp-t         hidden    (None)       search
   sp-x-1       hidden    (None)       cat
   sp-x-2       hidden    (None)       cat2
   sp-q-1       hidden    (None)
   sp-q-2       hidden    (None)
   sp-c         hidden    (None)       25
   sp-k         hidden    (None)       Articles|Books|Conferences|Other|Weblogs
   sp-q         text      (None)
1  search       submit    (None)       Go
current page: http://www.oreilly.com/


Show cookies acquired so far:
>> show_cookies

There are 1 cookie(s) in the cookiejar.

<Cookie PREF=ID=cf692c05eddeb4e8:TM=1130266168:LM=1130266168:S=5XixcWgCmokEZC0m for .google.com/>

current page: http://www.oreilly.com/

I see how twill can be very useful in performing security assessments against web applications: it makes it easy to submit forms for input validation testing (XSS, SQL injection, etc.), to inspect hidden form fields, to look at cookie details, and so on. The twill website has more details on how to drive twill from a Python script, which is useful when you need to automate twill actions. Also see “Web app testing with Python 3: twill” for more examples.
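As an added example (not code from this article or from the twill project), here is the same workflow as a stand-alone Python script using only the standard library: it extracts the forms from a page the way showforms does, lists the hidden fields, builds the request that fv plus submit would send, and then pushes a set of XSS and SQL-injection probe strings through the q field and classifies how each one comes back. The sample page, the base URL http://example.test/, the probe list and the two server functions (one that reflects input unencoded, one that HTML-encodes it) are all constructed so the script runs offline; to point it at a real application, pass a fetch function built on urllib, or drive the same steps with twill's own commands.

```python
# Added example: form discovery, fill and submit, and an input-validation probe
# loop, modelled on the twill session above. Standard library only; the page
# and the two "server" functions are constructed so it runs offline.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

BASE_URL = "http://example.test/"  # assumed base URL for the sample form

# Constructed page modelled on the search form shown above; not Google's HTML.
SAMPLE_PAGE = """<html><body>
<form name="f" action="/search" method="get">
  <input type="hidden" name="hl" value="en">
  <input type="hidden" name="ie" value="ISO-8859-1">
  <input type="text" name="q">
  <input type="submit" name="btnG" value="Search">
  <input type="submit" name="btnI" value="I'm Feeling Lucky">
</form></body></html>"""

# Probe strings for reflected XSS and SQL injection (constructed, not exhaustive).
PROBES = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>', "' OR '1'='1"]


class FormParser(HTMLParser):
    """Collect each <form> and its <input> controls: the name, type, id and
    value columns that twill's showforms prints."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"name": a.get("name"), "action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append({"name": a.get("name"), "id": a.get("id"),
                                        "type": (a.get("type") or "text").lower(),
                                        "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def parse_forms(page):
    parser = FormParser()
    parser.feed(page)
    return parser.forms


def hidden_fields(form):
    """Hidden controls carry server state the client is trusted to echo back;
    they are the first things to list and tamper with."""
    return {f["name"]: f["value"] for f in form["fields"] if f["type"] == "hidden"}


def build_request(form, values, submit_name):
    """The 'fv' + 'submit' step: hidden fields unchanged, text fields set from
    values, and only the clicked submit button, as a browser would send it."""
    data = []
    for f in form["fields"]:
        if f["type"] == "submit":
            if f["name"] == submit_name:
                data.append((f["name"], f["value"]))
        elif f["name"] is not None:
            data.append((f["name"], values.get(f["name"], f["value"])))
    url = urljoin(BASE_URL, form["action"])
    if form["method"] == "get":
        return "GET", url + "?" + urlencode(data), None
    return "POST", url, urlencode(data)


def _param(method, url, body, name):
    qs = urlsplit(url).query if method == "GET" else (body or "")
    return parse_qs(qs).get(name, [""])[0]


def vulnerable_server(method, url, body):
    """Constructed target: echoes q into the page without output encoding."""
    return "<p>You searched for: %s</p>" % _param(method, url, body, "q")


def fixed_server(method, url, body):
    """The same page with HTML encoding applied; probes come back inert."""
    return "<p>You searched for: %s</p>" % html.escape(_param(method, url, body, "q"), quote=True)


def probe_field(form, field, submit_name, fetch):
    """Submit every probe through one field and classify how each is reflected."""
    results = {}
    for p in PROBES:
        resp = fetch(*build_request(form, {field: p}, submit_name))
        if p in resp:
            results[p] = "reflected unencoded"  # reflected-XSS candidate
        elif html.escape(p, quote=True) in resp:
            results[p] = "reflected encoded"
        else:
            results[p] = "not reflected"
    return results


if __name__ == "__main__":
    form = parse_forms(SAMPLE_PAGE)[0]
    print("hidden fields:", hidden_fields(form))
    print("vulnerable:", probe_field(form, "q", "btnI", vulnerable_server))
    print("fixed:", probe_field(form, "q", "btnI", fixed_server))
```

Run against the constructed vulnerable server every probe is reported as reflected unencoded; against the encoded variant every probe is reported as reflected encoded. The request builder deliberately sends only the submit button that was "clicked", the same thing twill's submit command does, because a form that sees both btnG and btnI at once is a different test case from the one the browser would ever produce.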

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.

oreillynet.com Copyright © 2006 O'Reilly Media, Inc.