This is Constricting the Web: Offensive Python for Web Hackers, so if you didn't know that, you're in the wrong talk. I am Nathan Hamiel. I'm a principal consultant for FishNet Security on the application security team, and I'm also an associate professor at the University of Advancing Technology. And I'm Marcin Wielgoszewski. I'm not going to ask you guys to repeat that. I'm a security engineer at Gotham Digital Science. I do web shit. So, kind of the reason we decided to do this talk is because there are a lot of people who are starting to get more into testing web applications, and web applications are becoming more complicated. So the first thing people usually reach for is their toolkits, so maybe it's AppScan or WebInspect, but they don't really give you the whole picture. A lot of times vendors are playing catch-up, so with new technologies like Flash and Silverlight, it might not be supported for quite a bit of time between the time people are using it and the time the technology catches up to be able to test it. So it's not like you can just say, "We have this new technology; we'll just wait until everybody catches up and then we'll check to see whether it's secure." That's not really setting you up for success there. There are also difficult cases where your standard testing tools won't really help you. APIs, for one. So if you're going through testing your application and you run into an API, you know, you might not even see it; the scanner might not even see it unless it makes some sort of call. There are also sequenced operations as well. So if there's a sequence of steps that need to happen prior to a test case, sometimes standard tools will fall flat on their face. With randomized data, you know, if a page lays out, and every single time the page lays out the data behind the menu options is randomized, there's pretty much no standard testing tool out there that will help you. And that's why you need to write your own tools.
So this is an intervention. You know, I see a bunch of people who love you like crazy, and they want you to join the fight and not just use AppScan and WebInspect. Now, this was in a previous slide: what we have already posted is the slides for this talk as well as the code snippets that we're using. So we're releasing a few tools and we're releasing some example code that's already available for download. So if you get a chance and you want to play around with that, that's all well and good. Here's kind of an example snapshot of some modern infrastructure. If you look at this infrastructure and how it's laid out, you know, just the front-end web page, which, you know, web vulnerability scanners are really good at testing, isn't really the bigger picture. It's only a small percentage of your entire attack surface. So that being the case, if you just ran these standard tools and generated reports, you wouldn't even see any of these other things: these client APIs, service APIs, storage mechanisms on the back end. And that's kind of just leading more up to the point that you're going to have to write your own tools if you want to be successful. So why do we use Python? I think we all know: because it rocks, right? You know, you can quickly write tools on a whim. That's one of the things: when you're testing stuff, the lifespan of your tool actually just lasts as long as the app stands up, you know? After that, it's just a throwaway. Easy to understand. And I kind of like the whitespace. I guess most of you do, too. That's why you still use it. Otherwise, you'd be back to Perl. So there's plenty of support out there for Python as well. One thing I will advise against: do not go into the Python room on Freenode and start lulzing. They do not like that. I am perma-banned from the Python IRC channel on Freenode. But I thought it was funny.
So you can Google for plenty of examples. There's also a search engine called Nullege that's a Python source code search engine, which comes in helpful, especially for poorly documented modules. You might find that useful. I think I saw that in a tweet from Dave Aitel. He's like, "Hey, Nullege." And I'm like, cool. I guess with poorly documented Python code, you don't even want to use any... you know, if you can't read the source, you might as well just skip it. So there's plenty of help available. So a few of the big tools out there: I mean, anyone coming from the network side knows Scapy. I love Scapy. Peach, for fuzzing shit; that's awesome. From the reverse engineering side of the house, you've got IDAPython, you've got PyDbg. My buddy Rich Smith just released a toolkit yesterday called pyREtic, basically for de-obfuscating or reversing out obfuscated Python bytecode, which is pretty badass. w3af, a web scanner you guys are probably all familiar with, is written in Python as well. So there's a lot of stuff out there already, and a lot of people in security like to use Python. So those are the big ones. So it kind of gives you an opportunity not only to use tools that are already written in Python, but also to extend them and contribute back to those projects. So where does Python fit? Python fits in the space between your fully automated testing tools and completely manual testing. So you can have just as much context over what you're testing as with manual testing, because you're basically writing the clients; you're basically using the tools. You know exactly what data is going to the application and what's coming back. So that's the place it fits: automating your manual test cases. There are a couple of different versions of Python. We only highlighted three here that may be of interest to you. CPython is the standard Python implementation that you probably have running on your system. Jython is Python in Java.
And IronPython is Python in .NET. So we'll go into that a little bit later, other than just having an excuse to put Ron Jeremy in a slide. You have to be intimately familiar with your applications before you start testing them. And I realize that sounds kind of strange, but a lot of commercial testing tools are meant to abstract you from being familiar with the application. You can get down and dirty with them, but that's not typically how they're used in the infrastructure. So that's kind of what this slide was about. You guys are probably all familiar with the standard library; you keep the docs under your pillow, like, you know, whatever. Some of the third-party modules that you might not be aware of, like httplib2, urllib3, lxml, and a couple of others, just make testing so much easier when you're writing your own tools. But yeah, we'll go into it. How many people in here have used lxml? It's awesome, right? So we're going to talk about that in a little bit, too. We didn't really know how familiar everybody was going to be with Python. So if you wanted to see some examples of things like cookie handling and a couple of other things, you can see those inside the code snippets thing that we released. So, a little tool I wrote when I was writing MonkeyFist, which I released last year, is basically a reflector for requests. So when you're constructing your requests, you're adding headers and you're making modifications, you might want to know what the web server is going to see. And I wrote this little thing, and it's in the code snippets thing as well; it's called reflect request. You hit it, you run it, and anything you send to it, it's going to send back to you: any GET, POST, PUT, or DELETE. So when you're building your clients, you can verify without having to set up a separate web server. It just implements the BaseHTTPRequestHandler class
and handles those requests; basically it's just TRACE, implemented in a couple of lines. So, whatever. Data representations. So we've kind of moved on from building a client. You might want to represent that data in a different format, whether it be URL encoding or hex encoding. Everything in Python is an object, so any string object has encoding methods. So you could do things like base64, hex, even rot13. And I realize that rot13 sounds kind of ridiculous to all of us as security people, but as recently as two months ago we were looking at an application that was trying to obfuscate paths with rot13. It's actually ridiculous, because you actually get to see where it's mapping drives out and stuff. So just because I like having a standalone encoder when I'm doing assessments, I wrote this tool called DharmaEncoder. And the magic of DharmaEncoder is in the encoder lib, as you would imagine. So since it's open source, you can download it and you can see all the different data representations there. So on the next page is a screenshot. All you have to do is choose which method you want to encode to, and then you can also wrap it in things like script tags. And there are probably bugs in it, so let me know so I can fix them, or if there are features that could be added or that you would like, let me know and I'll get those added. So when you're breaking web apps, the three most common formats you're going to get back in responses are XML, HTML, or JSON. One of the things... what was I going to say? You're going to talk about Beautiful Soup. Oh, yeah. So how many people here have actually heard of Beautiful Soup or used Beautiful Soup? Okay. lxml, less than that. But basically if you're parsing HTML content or XML content, you want to actually use lxml over Beautiful Soup. The author of Beautiful Soup just expressed interest, or lack of interest, in supporting Beautiful Soup. lxml is a lot better. It's a lot more fault tolerant.
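The request reflector described a few sentences back, as an added example (not the talk's own reflect request script): a BaseHTTPRequestHandler that answers every GET, POST, PUT, DELETE, PATCH or OPTIONS by echoing the request exactly as the server parsed it, so a hand-built client's headers and body can be checked without a separate web server. The `reflect_raw` helper drives the same handler from memory, which is an addition for offline use; everything else is the Python 3 standard library.

```python
"""Request reflector: answers every request by echoing back what the server
saw (method, path, headers, body). Added example; not the talk's own
reflect request script. Python 3 stdlib only."""
import io
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def format_reflection(method, path, headers, body=b""):
    """Render a request as bytes in wire order. headers is a list of
    (name, value) pairs, so repeated or oddly-cased headers survive."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines.extend(f"{name}: {value}" for name, value in headers)
    head = "\r\n".join(lines).encode("latin-1", "replace")
    return head + b"\r\n\r\n" + body


class ReflectHandler(BaseHTTPRequestHandler):
    """Never interprets the request; only reflects it, for any verb listed."""

    protocol_version = "HTTP/1.1"  # answer as 1.1; Content-Length is always set

    def _reflect(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        # self.headers.items() keeps original header case and duplicates.
        payload = format_reflection(self.command, self.path,
                                    list(self.headers.items()), body)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_OPTIONS = _reflect

    def log_message(self, fmt, *args):
        pass  # the reflection itself is the log; keep the console quiet


def reflect_raw(raw_request):
    """Push a raw request through ReflectHandler with no socket involved;
    handy for tests or for replaying a captured request offline."""
    class _Conn:
        def __init__(self, data):
            self.rfile, self.sent = io.BytesIO(data), bytearray()

        def makefile(self, mode, *args, **kwargs):
            return self.rfile

        def sendall(self, data):
            self.sent += data

    conn = _Conn(raw_request)
    ReflectHandler(conn, ("127.0.0.1", 0), None)  # handles the request and returns
    return bytes(conn.sent)


def serve(port=8000):
    with ThreadingHTTPServer(("127.0.0.1", port), ReflectHandler) as httpd:
        print(f"reflecting on http://127.0.0.1:{port}/", file=sys.stderr)
        httpd.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8000)
```

Run it with a port number, point your client at it, and the response body is the request as the server saw it; header order and case are preserved, which is the detail you usually want to check when a server is behaving differently from your expectation.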
And also, it's a lot better at handling malformed HTML content, so your parser doesn't break as soon as it's got some mismatched tags or something. So is there anybody in here that thinks that the web isn't broken? Like everything is all well and good in tags? Yeah. Our browsers have become really good at handling malformed HTML. So also, don't use the built-in HTML parser in the Python standard library either, because it's not fault tolerant either. So you need to send it cleaned HTML that's able to be parsed first. And the other nice thing about lxml: it's actually written in C, which actually kind of makes it a pain in the ass for cross-platform compatibility, but if you get it working, it's awesome. Basically, it's a lot faster than the Python implementations of XML parsing. It's fast. It's great. So just an example, just parsing HTML content with lxml: say we want to get all the links from an HTML response; we just iterate over every A tag and get the href attribute from it. Simple as that. One of the things I find useful about parsing XML content is XML configurations. So you've got a web.xml and you have a bunch of servlet classes and servlet names. When I do code reviews, I parse out these web.xml's and get a list of all the servlet classes and the URL patterns, and just kind of map to see what I've reviewed so far and what I've got to review in the future, black box and stuff like that. So this is just an example showing using XPath expressions to actually get various XML nodes. Very simple. JSON is obviously very, very popular now. JSON maps pretty much directly to Python types; I mean, a JSON object is a Python dictionary and a JSON array is a Python list. So it makes it really nice. JSON, as of Python 2.6, is built into the standard library. This is just a couple of lines of code
that will go out to Twitter and grab all the current trends and print them out for you. Pretty simple. So when you're building your test cases, you're building fuzz cases for testing your web apps, you're going to want to be familiar with your application, its parameters, and its data. There are certain things that you're going to want to make sure you test, and then certain things that might not be so important. So look, if you're fuzzing an API, you're going to want to make sure that you're sending things in the correct data format. If you're not encoding the data properly, you might have invalid cases where you never find specific vulnerabilities. And the other thing, when you're generating fuzz cases: work smart. There are various itertools methods that make generating this stuff really simple. And when you're actually throwing stuff at the app, don't throw everything you've got at once. You're never going to be able to explore all the code paths if every parameter is just junk. So yeah, if you have a string of POST data that you're testing, you're going to want to iterate through it one by one by one, and not throw every single thing at every single variable every single time. So an example of this is using the product method from the itertools module. Basically this creates a Cartesian product of two iterables or two lists against each other, so that our output is just fuzzing one parameter at a time per attack string, so that we can efficiently do our tests. So I'm losing the English language. It's not just Python. So bear with me, guys. So I created this Python module called PyWebFuzz, and what it does... has anybody ever heard of FuzzDB, the collection of values for testing? Well, today's your lucky day.
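The web.xml servlet mapping described earlier (servlet names to classes to URL patterns, used to track what has been reviewed), written out as an added example rather than the talk's own snippet. It uses the ElementTree-style API that lxml and the standard library share, so it runs with either parser; `SAMPLE_WEB_XML` is a constructed descriptor. The one thing the talk's one-liner hides is the namespace: Servlet 2.4 and later descriptors put every element in a default namespace, and an XPath or tag lookup that ignores it silently matches nothing.

```python
"""Map servlet names to classes and URL patterns from a web.xml, the way the
talk describes for scoping a code review. Added example; SAMPLE_WEB_XML is a
constructed descriptor, not from any real application."""
import sys
from collections import defaultdict

try:
    from lxml import etree  # the parser the talk recommends
except ImportError:  # web.xml is well-formed XML, so the stdlib parser also does
    import xml.etree.ElementTree as etree

SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>Login</servlet-name>
    <servlet-class>com.example.bank.LoginServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Admin</servlet-name>
    <servlet-class>com.example.bank.AdminConsole</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Login</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/manage/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>Orphan</servlet-name>
    <servlet-class>com.example.bank.UnmappedServlet</servlet-class>
  </servlet>
</web-app>
"""


def servlet_map(web_xml_bytes):
    """Return {servlet-name: (class or jsp-file, [url-pattern, ...])}."""
    root = etree.fromstring(web_xml_bytes)
    # Servlet 2.4+ descriptors live in a default namespace, so a bare
    # "servlet" tag matches nothing; take the namespace from the root element.
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)

    targets = {}
    for servlet in root.iter(q("servlet")):
        name = servlet.findtext(q("servlet-name")).strip()
        # JSP-backed servlets carry <jsp-file> instead of <servlet-class>.
        target = servlet.findtext(q("servlet-class")) or servlet.findtext(q("jsp-file")) or ""
        targets[name] = target.strip()

    patterns = defaultdict(list)
    for mapping in root.iter(q("servlet-mapping")):
        name = mapping.findtext(q("servlet-name")).strip()
        for pattern in mapping.iter(q("url-pattern")):  # 2.5 allows several per mapping
            patterns[name].append(pattern.text.strip())

    return {name: (target, patterns.get(name, [])) for name, target in targets.items()}


def unmapped(mapped):
    """Servlets declared but never given a URL pattern: dead code, or wired elsewhere."""
    return sorted(name for name, (_, pats) in mapped.items() if not pats)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    mapped = servlet_map(data)
    for name, (target, pats) in sorted(mapped.items()):
        print(f"{name:10} {target:38} {', '.join(pats) or '(no mapping)'}")
```

Pass a real web.xml path as the first argument to get the same table for an application under review; the unmapped list is worth a second look, since a servlet with no URL pattern is either dead or reached through some other wiring the descriptor does not show.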
So that's a huge dictionary of various fuzz strings, thousands of different kinds of fuzz strings that you just use. So those are available inside of Python classes. So if you wanted to pull all the values for doing active SQL injection, you could do it into a variable name and then you could iterate over the top of those values, so you don't have to go up to separate libraries or read in different files. It started off just being an implementation of FuzzDB but quickly grew into something larger. So I actually took the encoder lib from DharmaEncoder and included it there as well, because when you're iterating through those values you might want to add an encoding type to them or represent that data differently. It also has request logic built into it, and I haven't pushed the code back yet, but when you're doing the Cartesian product method that we talked about before, it creates a dictionary. Well, you can't pass a dictionary value for POST data in urllib2, so I created a web string method: you just pass the dictionary to the web string and it'll properly encode that for you. So you can do some custom ranges. We're not going to go into the examples, but there is a wiki on the Google Code page. I don't know how well it will help you, so you might want to send me an email or something. We'll just explore it, you know.
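The itertools.product approach from the last two passages, one parameter at a time with an encoding dimension and the dict-to-POST-body step, as an added example. This is not PyWebFuzz or its web string method; `BASELINE`, `SQLI_STRINGS` and `ENCODERS` are constructed stand-ins for a real request, a FuzzDB list and an encoder lib, and the code is Python 3 standard library.

```python
"""One-parameter-at-a-time fuzz case generation with itertools.product,
plus the dict-to-POST-body step. Added example; BASELINE, SQLI_STRINGS and
ENCODERS are constructed stand-ins for a real request and a FuzzDB list."""
from collections import namedtuple
from itertools import product
from urllib.parse import parse_qs, quote, urlencode

# A request the application accepts; every case mutates exactly one value.
BASELINE = {"username": "alice", "password": "secret", "remember": "1"}
SQLI_STRINGS = ["'", "';", "' OR '1'='1", "1 OR 1=1--"]
ENCODERS = {
    "plain": lambda s: s,
    "double_url": lambda s: quote(s, safe=""),  # urlencode() below encodes it again
    "html_hex": lambda s: "".join(f"&#x{ord(c):x};" for c in s),
}

FuzzCase = namedtuple("FuzzCase", "param payload encoding body")


def web_string(params):
    """application/x-www-form-urlencoded body; .encode() it for urllib.request."""
    return urlencode(params)


def fuzz_cases(baseline, strings, encoders=ENCODERS):
    """Cartesian product of parameters x attack strings x encodings, each case
    mutating exactly one parameter so a hit can be attributed to it."""
    for param, payload, (enc_name, enc) in product(baseline, strings, encoders.items()):
        case = dict(baseline)
        case[param] = enc(payload)
        yield FuzzCase(param, payload, enc_name, web_string(case))


def changed_params(body, baseline):
    """Names of parameters whose value differs from the baseline: a sanity check
    that a case really touches one parameter and not all of them."""
    decoded = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return sorted(k for k in baseline if decoded.get(k) != baseline[k])


if __name__ == "__main__":
    for case in fuzz_cases(BASELINE, SQLI_STRINGS):
        print(f"{case.param:9} {case.encoding:11} {case.body}")
```

The case count is parameters times strings times encodings, so adding a fourth dimension (say, content type) is one more iterable in the `product` call; keeping the baseline values intact for every other parameter is what lets a single response change point at a single input.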
Sequenced operations are a particular pain when you're doing your testing, because if the tools you're using don't understand the sequences... and a lot of tools are starting to support these, but they're supporting them via names, so pretty much every single tool out there, every single commercial tool, uses replay. So if you can't replay the data, you're pretty much screwed. So you might have randomized values. If you think of laying out a web page for a bank, it might have, you know, home, account, all these different menu options. Well, if underneath those menu options is a randomized value that changes every single time, that's going to throw your tools off. But when you're writing your own clients, I mean, you know how to handle that, so you're becoming intimately familiar with the application. There are also things that tools take care of for you that you might not think about, such as processing headers, processing cookies, adding referers. And there might also be content that you just can't parse, and you're just going to have to resort back to regular expressions for that stuff. It's not fun. Then you've got two problems, right? Has anybody ever heard of Selenium? How many people that have heard of Selenium know that you can write these test cases in Python? Oh, you did. Awesome. So Selenium and WebDriver... has anybody ever heard of WebDriver? Okay, so those projects are merging, which is nice because it gives some advantages to doing that. Has anybody ever heard of Windmill? About as much as I figured. It's like Selenium, but it's written in Python, so it's kind of nice. I had some frustrations with Windmill, so obviously it would be nice to do everything in Python, but the frustration just set in and I went back to Selenium. So Selenium has a couple of components: it has the server component, the remote control, and the IDE. The IDE is nice.
It's a Firefox plugin, and as you're clicking through the web application it's recording what you're doing and writing out your Python code for you. So at that point all you have to do is take that Python code, copy and paste it into your IDE, and then start writing your test cases around it. When you fire up Selenium, it will go ahead and open the browser and start taking those actions that you programmed in. So I think it's pretty easy to see how you could sequence your operations that way and use the browser. The browser is going to process all the JavaScript and do all the dirty work for you, and in the end your goal was to test for, you know, SQL injection on a form value, or test for cross-site scripting or something like that. So we have a nice picture of Tom Selleck. So we have a little demo. It's behind it. Obviously it doesn't fit on the screen. So here we have a bank website and we want to do some testing. So we're going to open up Selenium IDE and we're going to basically choose Python as our format. So as you can see, it already sets up and does some imports. Now I'm clicking on different things that you can't see. So there's a sequence of operations going on, and you can see the IDE is filling out. So now we get to a login, and it really doesn't matter what we log in with, basically. So, like, you guys came here expecting to get some Python code out of this, and we're not even doing code right now. So as you can see, it basically built a case for us. So if we copy and paste that into our IDE, we can then run a for loop over the top of a sequence and test for certain values. So here we have a single quote, a semicolon, and then 1=1. So we fire up the server. That's fine. And then we run our test case, which was testfire sequence. And once we do that, Selenium will then go ahead and launch the browser for us and take all those actions. As you can see, it's running open.
And all I did was say get body text instead of get HTML source, because it would be easier to read. So we ran a test case; we basically threw three values at it. If you look at the return from the first one, you can see there's a SQL error message. You see the strings. The second one, as you can see, looks like just a standard error message. Now the third one says, "I want to view my account summary." So now we know we had a valid case. So we detected the error first with the first one, and in the second one you can see we exploited the SQL injection. All in a couple of lines of code. So we were able to test-drive the browser, you know, create our sequence, and then break into that sequence and do tests. That's pretty simple, right? Okay, you're supposed to say yes. So one of the things that I like to use: I like to use Burp when testing web apps. Besides being a great proxy, there's a lot of other stuff in Burp that makes it really cool. One of the things that I really like it for is I can record a proxy log, basically record into a text file all my requests and responses. The thing with web scanners is basically everyone that's building a web scanner spends too much time trying to make it better at spidering. That's too hard for me, so, like, whatever, I'll just click through the app and every single link that I can and submit every POST I could. So the thing about getting a good crawl log: you know, when you're testing, you have all this context available to you. And that's one of the things that web scanners don't really provide for you when you're testing; you have no idea what it's doing under the hood. So I like to just work off that. So, remote... What I did was basically I wrote this API; I call it the GDS Burp API. It basically allows me to parse a Burp proxy log, and then every request and response basically gets bundled up into what I call a Burp object. So a Burp object basically looks like this.
You have the request properties, the response properties, the time, the URL, and the parameters that you sent it; basically everything that Burp recorded to the log. The thing is, say you have an index number here like 123. If you look in your Burp history session, this number 123 would match up with 123 in your history, so you could easily go back and forth. But basically you have all this data now available to you in an API that you can now just call various methods on and get data from, or build context. What am I saying? It's always nice when the presenter says "what am I saying?" So, you know, I was at Black Hat and Ben Nagy gave a presentation on fuzzing, and he kind of made the comment that everyone writes their own fuzzing engine because everybody else's sucks. That's kind of what I think with web scanners: unless I wrote it, or whatever, I have no idea what the web scanner is doing. I don't really have time to dive into the internals of various web app scanners. The other thing is, like I said before, I don't have enough context as to what a web scanner is doing at a particular time. So they don't do enough actual testing and they do too much hand-holding, and as testers, you know, whatever. That's what you're supposed to be doing, right? As testers it's up to us to make sure that we properly explored every path. So when you have a vuln scanner, sometimes you just don't know if it's doing all the right things. I mean, there was one particular vuln scanner, which will remain nameless, that was encoding all its cross-site scripting data wrong. So as it sent it off, you know, in cross-site scripting that could be very bad, so there were a bunch of vulnerabilities that never got identified until they fixed it. So basically, with the API, basically it's the way I work.
It makes all the context in my crawl log available to me in these Python objects. So what can we actually do with the API? Basically you can do comparisons, like compare two proxy logs. Say you crawled an application as a user in one session and then you did it again as an administrator. It's really useful to do a comparison of the URLs that were requested and the parameters that were submitted. You just do a diff, and then actually replay those request objects as, say, that user level for the administrator page, and easily see what worked and what didn't. Comparing responses and content lengths of different requests: you have two users submit a request to the same page, but they have different content lengths. Let's compare them, like, why? Obviously, searching through responses for particular keywords. And the other nice thing I found is, say you have a sequenced operation like we said earlier, you have a login operation or, say, some cart checkout sequence that might span five, six, seven requests. Basically we can pull out specific objects from our list and replay them in order, out of order, and just fuzz stuff along the way. So basically you're creating what the commercial web scanner vendors call macros. So I find it really useful for that. Yeah, you can also do state maintenance as well. So if you're checking for state, let's say you're making a request every so often to make sure that you see the word "log off" on your application. If it notices that the word "log off" doesn't appear anymore, you can run your sequence and re-log back in and maintain state. And that's something that some web scanners have a little bit of a problem with, too: falling out of state. So how do you know when the scanner has really fallen out of state unless you're looking at a verbose list of messages?
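The proxy-log parsing and response comparison described here, as an added example that is not the GDS Burp API: a small parser that turns a Burp-style proxy log into indexed request/response objects (the index matching the history number, as the speaker describes), plus the difflib comparison of two responses down to the character level that comes up next. The log layout is an assumption about Burp's proxy logging of the era (each message introduced by a banner line with time, URL and address, framed by rows of `=`); adjust `BANNER` and `SEPARATOR` if your export differs. `SAMPLE_LOG` is constructed.

```python
"""Parse a Burp-style proxy log into request/response objects and diff two
responses with difflib. Added example, not the GDS Burp API. The log layout
(a banner line with time, URL and address between rows of '=') is assumed
from Burp's proxy logging of the era; SAMPLE_LOG is constructed."""
import difflib
import re
from dataclasses import dataclass
from typing import Optional

BANNER = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S+)\s+\[([^\]]+)\]$")
SEPARATOR = re.compile(r"(?m)^=+[ \t]*$")

SAMPLE_LOG = """\
======================================================
9:15:02 PM  http://bank.example:80  [192.0.2.10]
======================================================
GET /account?id=1001 HTTP/1.1
Host: bank.example
Cookie: JSESSIONID=alice-session

======================================================
9:15:02 PM  http://bank.example:80  [192.0.2.10]
======================================================
HTTP/1.1 200 OK
Content-Type: text/html

<h1>Account 1001</h1>
<p>Owner: alice</p>
<p>Balance: 120.00</p>
======================================================
9:15:09 PM  http://bank.example:80  [192.0.2.10]
======================================================
GET /account?id=1002 HTTP/1.1
Host: bank.example
Cookie: JSESSIONID=alice-session

======================================================
9:15:09 PM  http://bank.example:80  [192.0.2.10]
======================================================
HTTP/1.1 200 OK
Content-Type: text/html

<h1>Account 1002</h1>
<p>Owner: bob</p>
<p>Balance: 9800.00</p>
======================================================
"""


@dataclass
class Message:
    start_line: str   # request line or status line
    headers: dict     # lower-cased names
    body: str


@dataclass
class Entry:
    index: int        # 1-based, like the Burp history number
    time: str
    base: str         # scheme://host:port from the banner
    request: Message
    response: Optional[Message] = None

    @property
    def url(self):
        return self.base + self.request.start_line.split()[1]


def parse_message(text):
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Message(lines[0], headers, body)


def parse_log(text):
    """Pair each request with the response that follows it in the log."""
    blocks = [b.strip("\n") for b in SEPARATOR.split(text.replace("\r\n", "\n"))]
    blocks = [b for b in blocks if b]  # now alternating: banner, message, banner, ...
    entries, pending = [], None
    for banner, raw in zip(blocks[0::2], blocks[1::2]):
        m = BANNER.match(banner.strip())
        if not m:
            raise ValueError(f"unexpected banner: {banner!r}")
        time, base, _addr = m.groups()
        msg = parse_message(raw)
        if msg.start_line.startswith("HTTP/"):
            if pending is not None:
                pending.response = msg
                pending = None
        else:
            pending = Entry(len(entries) + 1, time, base, msg)
            entries.append(pending)
    return entries


def diff_responses(a, b, n=0):
    """Unified diff of two response bodies, e.g. the same page fetched as two users."""
    return "\n".join(difflib.unified_diff(
        a.response.body.split("\n"), b.response.body.split("\n"),
        fromfile=f"#{a.index} {a.url}", tofile=f"#{b.index} {b.url}", n=n, lineterm=""))


def changed_spans(old, new):
    """Character-level view of what changed: (op, old_text, new_text) per span."""
    sm = difflib.SequenceMatcher(None, old, new)
    return [(op, old[i:j], new[k:l]) for op, i, j, k, l in sm.get_opcodes() if op != "equal"]
```

`parse_log(open(path).read())` gives the list; slicing it by index is how you pull a login or checkout sequence out for replay, and `diff_responses` on two entries for the same URL shows exactly which lines differ between, say, a user and an administrator view, with `changed_spans` narrowing a single line down to the characters that moved.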
So replaying a request is just as simple as, say, with httplib2: basically we just pass the object to it and call various methods on it to get the original data from, and basically this is just replaying that Burp object as it was, in one line of code really. And I know there are, like, three, but okay, that was funny. So how many people here are familiar with difflib in the Python standard library? Nobody? Two, four, five, three, six, seventy-nine. So basically, say you've got two responses; we could compare those responses in a diff-style output and just easily see in the response what was changed, down to the actual character, like a per-byte level, with this module. So it makes for a nice visual representation of what's changed. So we've got a demo; I'm just showing a couple of things with the API. So on the right I just have an open Burp log. I'm just importing the GDS Burp API, I'm going to import some logging and just do some logging so you actually see what's going on. Can you guys all see that now? Damn. So basically right here I'm parsing a Burp log; I'm just calling gds.burp.parse. Basically I parsed out all the Burp objects. Let's go down, dude. And here I'm just printing out the request properties with pprint. Move down, trying to... okay, max. Here I'm just calling get request headers on the second item in my list; I get all the headers that I parsed out. Here I just get a single request header, the User-Agent. Right now I'm going to fuzz all the requests, basically just send it through, and each replayed request gets appended to a .replayed property, basically a list, and you just call out those request properties, headers, things like that. Basically all the stuff that the original Burp object had you now have in the replayed ones. So right here I'm just going to do a diff of all my replayed requests and responses and just
output it to a file. So the first one, basically you can't really see that, but basically it's just showing a stripped alert tag again in the response. Down below here, on the right side, there's a Set-Cookie header being set in the response headers, and it's also redirecting to some main bank page. And the fuzz string that was sent was like OR 1=1, basically the same fuzz strings that Nathan replayed earlier with Selenium. One of the cool things is basically just save state: I just pickle my Burp log to a state file. All the replayed requests and responses, all that data, is available to me if I choose to reload it later on. So I find that really useful, so I don't have to do everything between nine and five; I could actually do it tomorrow. So basically you've got all the same stuff that you originally had when you replayed these requests. So I know you couldn't see that, but it's actually pretty cool. That's also available in the zip file, so the API is available in the zip file, along with all the other tools that we were talking about. We should post a link to the video, so if you want to watch the video, we'll upload the videos to YouTube so when you're thinking about it later maybe you'll watch it. So like I said, a couple of cool things: save state, load state. Parsing takes about a minute per hundred-megabyte file, which I think is relatively fast, but if you guys find a way to make it faster, that's cool; I'd love it to be faster, because I'm all about performance, not security. Spoken like a true developer. Other times it's nice to have browser objects to play with. So who in here knows that you can write Firefox extensions in Python? Awesome, nobody. Well, take my word for it and don't verify it; that's what we need to do. So you can write Firefox extensions in Python. There's actually an extension called PyXPCOM, PyXPCOMExt, and you use that and it loads up an entire Python environment. And I did this for a while, but my frustration
really had me going, when you can't really interface with the browser object too well using Python. You have to keep resorting to JavaScript, and JavaScript is kind of for sadists too. I mean, I don't like a language that just chokes and dies and never gives me any indication that it worked or didn't work. I mean, who thought that one up? So I like to stay away from JavaScript. So recently I started switching to do more things in WebKit, using some of the other GUI frameworks. So say, for instance, you're doing a standalone XULRunner object. And since we're all about context when we're testing, we want to be able to make a request with, like, httplib2, modify headers, do all this, get the response back, and then render it in the browser object. Well, doing that in XULRunner or Firefox is a pain; it's a nightmare. One thing that I noticed when I first started doing WebKit stuff is you could just call the object's setHtml. So here's an example of using PyQt in just a couple of lines of code and doing a test for cross-site scripting, because cross-site scripting is one of those things where it's nice to see a rendered response; sometimes it's just easier to see that. So we have our URL, we have our request, and then we do the web object's setHtml and then tell it to show. On the next page you can see that once it renders, it's very easy to see that that was vulnerable to cross-site scripting. Obviously cross-site scripting is very browser dependent, so sometimes you'll have one in one engine and not the other, but for very simple, you know, universal cross-site scripting vulnerabilities this could be very, very useful. Also you can do other cool things like instantiate an inspector on some content, so you'd be able to open it up and have syntax-highlighted examples. And WebKit also, like, PyQt is starting to have more support for plugins, which makes it nice when you're
dealing with things like Silverlight. So that's all we had time for, but very simple: a couple of lines of code and you've basically rendered a response that you got from a different module. I think we're hitting them with a bait and switch with "a couple of lines of code," because everyone knows a couple of lines of code equals several man-hours. Well, you already pointed out that you said "here's a single line of code" but it's actually three on the page, so you kind of gave it away right there. And we can't count, which is really bad when you're implementing ranges. Web services are also something else that scanners have a real problem with, regardless of what vendor documentation says, because it's really hard to tell if... if you're enumerating through a WSDL and you see different things that say "admin," obviously you might want to take a better look at that. With Python they have... so, has anybody ever used suds before? A couple of people, three people. The best thing about suds is that it has an object API, so everything is, you know, you create the object and you call its methods. It's very nice; it's very, very Pythonic. It uses urllib2 for opener support, so urllib2 is an extensible library, which means that you can create new protocols and handlers and install those. So as long as it's using urllib2, that means if you're handling basic auth, if you need to handle cookies, if you need to do all of that, it has support for it, and it's familiar support because it's urllib2. So to just read a WSDL in a couple of lines of code... actually this is two, so it really is a couple. You just basically point it to a URL and then print the client, and that prints off the WSDL's methods. I guess we already have two findings on this one page: we've got a published WSDL and basic auth in use, yes. So, yeah, it's two findings already by the time you get here. So basic auth is supported by merely adding a username and
password and then to perform functions based on the whistel you just basically call the method so so here here's an example of doing a currency conversion so from right here you basically point it to the whistel you create the client and you get your result and you print your result so here's a real example of of identifying SQL injection in a web service now and this is going against webgoats web service so we're creating our own headers and as you can see here the J session ID is already set in the basic off is already set so we didn't need to use the username password we create a custom transport to add or add to our headers so it's a little more complicated that really needed to be just to kind of show you how it works you create your client and then you iterate over the top of your SQL injection values so here I basically took pi web fuzz and I imported the fuzz db and then I asked for all of the the generic SQL injection values and iterated over the top of them so once you do that there's some win because you can see the certain values that were printed off the other values when it comes back successful those are credit card numbers so you know pretty easy just a couple lines of code just a couple lines of code you guys are all going to go back to work you guys are all going to go back to work saying oh my god you know finding all these phones with this is easy so I do a lot of flex stuff flex basically is a framework for developers to write web applications on flash one of the features of flex is you can encode messages in AMF action message format basically it's just a compact binary stream several tools support AMF there's like burp Charles web scarab unfortunately like the support for AMF is kind of limited you can't really craft messages from scratch with burp or like add properties to a request and I just find like say hi to pie AMF basically I can work now with AMF in Python basically there's several AMF encoders and decoders so you can serialize 
Python types to AMF so if you have like a daytime object you get sterilized to action script daytime and then when it gets deserialized by like blaze DS which is the remoting server that is deserialized into a Java util that date object so how many people in here have have like assessed a flex app or dealt with something with a flash front end so a few people yeah good luck with a web scanner on those so basically with with pie AMF we can write our clients to you to test stuff there's some remoting gateway support so like for Django or Twisted if you have a web app you can write a web app in Python that serves up content AMF and a flash client will be able to work with it so I don't know how many people have heard of D blaze shout out to my buddy John Rose last year he wrote this tool in Python basically enumerated methods and services and a remoting server but he did it like by brute force one HTTP request at a time the cool thing about AMF all AMF requests are packed inside an AMF and AMF envelope so I thought like shit we're not do this all at once my my htb request is like 200 bytes long but 200,000 bytes long but I just enumerated like 10,000 methods and services all on this one server and one htb request which was just awesome because it only took like a minute to respond so that's one of the cool things you could do when testing flex apps you're probably going to run into cases where when you're sending a value it's not their correct type so you might have some custom object like an employee object in the flash client that's being sent over the wire to the remoting server and just passing a string or a Boolean as it's not going to work so when this happens your proxy is not going to understand the structure of that object it's going to choke when it's going to try to deserialize it so again with just a couple lines of code we can now create an object factory basically a dictionary and register that class with an alias namespace or class alias so that when pi 
AMF goes to actually encode that Python object to the AMF stream it encodes it as say that employee object and then when the server gets it it deserializes it back to whatever object you're playing with so it's pretty neat yeah it's it's early.net integration how many people here have ever used iron python at all so a few very good so you might not be aware that you can use your python code inside of .net and that provides some very useful advantages for example like being able to import .net DLLs and call functions on them you know so it might be a silverlight object or some some other .net environment you could you also have integration into the .net common language runtime so you can import the CLR so on the next page you could do something like download the zap file and zip it grab the manifest you know right through it and grab all the DLLs so in the bottom is a simple example of importing the common language runtime adding a reference and importing all the functions out of the DLL so pretty simple yeah I know whatever so basically you know when as you're assessing web apps you're going to come across cases where you know your app is actually speaking a binary protocol I know it's it's not it's not heard of before but basically your scanner is going to choke when it's going to try hitting this binary protocol you're probably going to choke like spit your coffee be like damn it why do I get stuck with this app now you guys like spend time reversing this thing but whatever Python has a module called struct has a module in the standard library called struct basically we could convert Python values into native C structures let's take an example binary protocol basically this is kind of similar to what most binary protocols are basically we have like type markers before the types strings are encoded in UTFA proceeded by after the type marker for a string we have the length of the string encoded as like a short a 16 by integer and web apps I don't know nobody knows 
what a short is but so then then then the value your string so parsing a string basically you know as we run into that type marker I'll say 0x02 we unpack the following value into a into a short which is the H format specifier advanced our position by two bytes and then unpack that string for the necessary length writing a string is basically the opposite write our type marker write the length of our string as a short and write the string so when you put it all together basically as we're iterating over every position in the in the stream you know as you run into these markers basically do the appropriate parsing of that data so when all is said and done you just wrote a simple state machine welcome back to compilers and college and man so basically it's a wild loop iterates over every byte in the buffer and does the necessary action when you run into stuff so that did not come out how I wanted it to you guys get the picture hopefully so that's the end of our talk hope you guys enjoyed it if you if there if you just can't get enough of this stuff we're actually writing a book on this topic so if you just need to do the deep dive it'll be out in the next seven years and like Python 3 1 will probably be used we had like two minutes for questions anybody we'll be hanging out afterwards so one one three advances like thanks
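The binary-protocol parser and writer described at the end of the talk, as an added example (not code from the talk or its slides): a `struct`-based while-loop state machine that dispatches on type markers. The 0x02 string marker and its 16-bit (`H`) length prefix are from the talk; the 0x01 32-bit integer marker, big-endian byte order, and the sample values in the test are assumptions constructed for this example. Each length read from the wire is bounds-checked before it is used, which is the check a parser for an untrusted stream needs.

```python
import struct

# Type markers for the constructed example protocol.  The 0x02 string marker and
# its 16-bit length prefix follow the talk; T_INT and big-endian order are assumed.
T_INT = 0x01  # marker, then a 4-byte signed integer
T_STR = 0x02  # marker, then a 2-byte length, then that many UTF-8 bytes

def write_message(values):
    """Serialize a list of ints and strs into the framed byte stream."""
    out = bytearray()
    for v in values:
        if isinstance(v, int):
            out += struct.pack(">Bi", T_INT, v)
        elif isinstance(v, str):
            data = v.encode("utf-8")
            if len(data) > 0xFFFF:
                raise ValueError("string too long for a 16-bit length prefix")
            out += struct.pack(">BH", T_STR, len(data)) + data
        else:
            raise TypeError("unsupported type: %r" % type(v))
    return bytes(out)

def parse_message(buf):
    """Walk the stream with a while loop (the talk's state machine), dispatching
    on each type marker.  Every length taken from the wire is checked against the
    remaining buffer before it is used, so a hostile length cannot over-read."""
    pos, values = 0, []
    while pos < len(buf):
        marker = buf[pos]
        pos += 1
        if marker == T_INT:
            if pos + 4 > len(buf):
                raise ValueError("truncated int at offset %d" % pos)
            (v,) = struct.unpack_from(">i", buf, pos)
            pos += 4
        elif marker == T_STR:
            if pos + 2 > len(buf):
                raise ValueError("truncated string length at offset %d" % pos)
            (n,) = struct.unpack_from(">H", buf, pos)  # H = unsigned short
            pos += 2
            if pos + n > len(buf):
                raise ValueError("string length %d overruns buffer" % n)
            v = buf[pos:pos + n].decode("utf-8")
            pos += n
        else:
            raise ValueError("unknown marker 0x%02x at offset %d" % (marker, pos - 1))
        values.append(v)
    return values
```

Round-tripping a message through `write_message` and `parse_message` is the quickest way to confirm the framing matches what you see on the wire before pointing the parser at captured traffic.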