Web Application Security Testing Using twill

Nitesh Dhanjani

Oct. 25, 2005 12:38 PM


I just came across twill, a Python-based tool for web application testing. It can be used interactively (from the command line) or from a Python script. Below is a quick example of how to use twill to submit a form (an HTTP POST). I've used Google for demonstration purposes. Note that all user input is what follows the ">>" prompt; everything else is twill's output.

Start up twill:
$ ./twill-sh
-= Welcome to twill! =-

current page: *empty page*

Go to http://google.com/ and show the form details:
>> go http://google.com/
==> at http://www.google.com/
current page: http://www.google.com/
>> showforms
Form name=f
## __Name______ __Type___ __ID________ __Value__________________
hl hidden (None) en
ie hidden (None) ISO-8859-1
q text (None)
1 btnG submit (None) Google Search
2 btnI submit (None) I'm Feeling Lucky
current page: http://www.google.com/

Use "oreilly" for the query (q) parameter, and submit using "I'm Feeling Lucky":
>> fv 1 q oreilly
current page: http://www.google.com/
>> submit btnI
Note: submit is using submit button: name="btnI", value="I'm Feeling Lucky"
current page: http://www.oreilly.com/

Our search succeeded, and we are now at http://www.oreilly.com/ (Google redirected us there because we submitted using the "I'm Feeling Lucky" option). Next, let's list the forms on http://www.oreilly.com/:
>> showforms
Form #1
## __Name______ __Type___ __ID________ __Value__________________
sp-a hidden (None) sp1000a5a9
sp-f hidden (None) ISO-8859-1
sp-t hidden (None) search
sp-x-1 hidden (None) cat
sp-x-2 hidden (None) cat2
sp-q-1 hidden (None)
sp-q-2 hidden (None)
sp-c hidden (None) 25
sp-k hidden (None) Articles|Books|Conferences|Other|Weblogs
sp-q text (None)
1 search submit (None) Go
current page: http://www.oreilly.com/

Show cookies acquired so far:
>> show_cookies

There are 1 cookie(s) in the cookiejar.

<Cookie PREF=ID=cf692c05eddeb4e8:TM=1130266168:LM=1130266168:S=5XixcWgCmokEZC0m for .google.com/>

current page: http://www.oreilly.com/
I see how twill can be very useful in performing security assessments against web applications. twill makes it easy to submit forms for input validation testing (XSS, SQL injection, etc.), inspect hidden form fields, look at cookie details, and so on. The twill website has more details on how to use twill from a Python script, which is useful when you need to automate twill actions. Also, see "Web app testing with Python 3: twill" for more examples.
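As an added example (not from the post or from the twill project), the same session written as a twill script that twill-sh can run non-interactively; the file name, the response checks (code, url, find) and the cookie file are my assumptions:

```twill
# Constructed example script; run with: twill-sh search.twill
# Each command is the same one typed at the >> prompt above, plus checks
# that turn the walk-through into a repeatable test.

go http://google.com/
code 200
showforms

# Fill field q of form 1 and submit with the "I'm Feeling Lucky" button.
fv 1 q oreilly
submit btnI

# Google answers with a redirect; twill follows it, so assert where we landed.
code 200
url oreilly\.com

# Hidden fields such as sp-k and sp-c are sent by the client and can be
# changed by it, so record them: the server must validate them on receipt.
showforms
find sp-k

# Keep the cookies twill collected for the assessment notes.
show_cookies
save_cookies search-session.cookies
```

If any code, url or find check fails, twill-sh stops with an error, which is what makes the script usable as an automated regression check.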

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.



This work is licensed under a Creative Commons License.