Library for penetration testing, website analysis and requests.
Project description
About WebPT
WebPT is a library for analyzing and crawling websites, the library is designed to be used by Pentesters and developers to make their code easier.
Installation
git clone https://github.com/saharavitan/webpt.git
python -m pip install webpt
Requires Python 3.8+
Dependencies:
WebPT depends on the re, requests, urllib, threading and time python modules.
These dependencies can be installed using the requirements file:
- Installation on Windows:
python -m pip install -r requirements.txt
- Installation on Linux
pip install -r requirements.txt
Vulnerability Functions
- For PoC write webpt.clickjacking(url).poc
| Functions | Description | Params |
|---|---|---|
| all | Check for all vulnerabilities | url |
| clickjacking | Check for ClickJacking | url |
| wordpress | Tests 7 different vulnerabilities for wordpress | url |
| cookie_not_secure | Checks for cookies that are not set as Secure | url |
| xss_protection | Checks for XSS-Protection header | url |
| sri | Checks for SRI vulnerabilities in the code | url |
| htaccess | Check if htaccess file is readable | url |
| comments | Get all comment from source code and check by regex | url, regex |
| ip_disclosure | Checks for internal IP addresses in the source code | url |
| fortinet | Tests 3 different vulnerabilities for Fortinet | url / ip |
| cisco | Tests 2 different vulnerabilities for Cisco | url / ip |
Make Request Attributes
| Attributes | Description |
|---|---|
| request | Create a request |
Find Functions - HTML Analysis
| Functions | Description | Params |
|---|---|---|
| tag | Exports all found objects, some tag must be written in the function | tag |
| attr | Exports the value of the attribute from the tag | Attributes |
| element | Get all Attributes and value to Dictionary | Element<input type="text" id="2" value="example" placeholder="hello"> |
| send_form | Receives all forms and sends them with the option to change values ג€‹ג€‹to parameters | param_name, new_value |
| mails | Get mails from source | Nothing |
Request Analysis Attributes
| Attributes | Description |
|---|---|
| method | Type of method |
| protocol | Type of protocol (GET, POST...) |
| url | Get url |
| data | Returns the data from the request within a dictionary |
| cookies | Returns the data from the cookies within a dictionary |
| headers | Returns the data from the headers within a dictionary |
| params | Returns the data from the params within a dictionary |
| path | The path of the url |
| status_code | The status code of the response |
| response | The content of the response |
| redirect | To which address the server will redirect |
Spider Attributes
- The spider is a tool that is used to automatically discover new resources (URLs) on a particular Site.
| Attributes | Description |
|---|---|
| links | Exports all links found to the list |
| gui | Graphic display of the site |
| js | Exports all JS link to list |
Other Functions
| Functions | Description | Params |
|---|---|---|
| myip | Get your IP | - |
| call_attr | Make your own attributes to dictionary | dictionary |
Examples
Using WebPT as a module in your python scripts
MakeRequest Example
request = webpt.make_request(url, method='POST', data="param1=val1¶m2=val2").request
request = webpt.make_request(url).request
Vuln Example
res = webpt.vuln.clickjacking(url)
- Poc can be exported using the following command:
res = webpt.vuln.wordpress(url)
res = webpt.vuln.all(url)
res = webpt.vuln.comments("https://example.com").find("password")
Subdomain Example
links = webpt.subdomains("example.com")
Spider Example
get_links = webpt.spider("https://example.com").links
print(webpt.spider("https://example.com").gui)
HTML Analysis - Response Analysis Example
src = requests.get(f'https://www.example.co.il/').text
tags = webpt.find(src).tag("form")
for tag in tags:
webpt.send_form(tag.element).change("sadasda", "sahar")
tags = webpt.find(source).tag("a")
for tag in tags:
res = tag.attr("href")
tags = webpt.find(source).tag("a").list
for tag in tags:
webpt.element(tags[0])
mails = webpt.find(source).mails()
PortScanner Example
ports = webpt.scanport(url/ip)
ports = webpt.scanport(url/ip, from, to)
Request Analysis Example
request = """POST /api/scope.php HTTP/1.1
Host: example.com
Connection: close
Content-Length: 69
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://example.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://example.com/
Accept-Encoding: gzip, deflate
Accept-Language: he-IL,he;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: __cfduid=d77a6a7e8c8303932379a959c941da11a1604046519; PHPSESSID=fpehjl7lamt1akovf990bd2gfl
csrf=3dff02bd9e7f4d014ff7218d2f3a80dc&target=https%3A%2F%2Fexample.co.il"""
req = webpt.request_analysis(request)
method = req.method
protocol = req.protocol
url = req.url
data = req.data
headers = req.headers
params = req.params
path = req.path
status_code = req.status_code
response = req.response
redirect = req.redirect
Other Functions
IP = webpt.myip()
full_name = webpt.call_attr({"first": "Sahar", "last": "Avitan"})
print(full_name.first)
print(full_name.last)
Results:
Sahar
Avitan
Author
Version
Current version is 2.0.8
What's new
-
From the new webpt update you can scan subdomains with the highest results (Example code above) -
.subdomains() -
In the new update you can search for vulnerabilities automatically with a webpt. 12 vulnerabilities have been added, more to come soon. (Example code above) -
.vuln -
Forms that exist on the site can be sent with a change of parameter / value. (Example code above) -
.send_form() -
Element can be analyzed according to Attributes and value, Return in Dict. (Example code above) -
.element() -
What's my IP? (Example code above) -
.myip() -
In the new update you can encrypt and decrypt the following types:
md5, sha1, sha256, sha512. To decrypt these hash (md5, sha1, sha256, sha512) you have to perform Brute Force that we wrote specifically. (Example code above) -.hash() -
You can insert a dictionary for a function called
.call_attr(), Once we call the function we can put "." at the end, And add a key in the dictionary. -
Parts of the code have been
repairedandimproved -
License updated to
Apache License -
you will be able to find the full documentation at this link soon : https://web-pt.com
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file Webpt-2.0.8.tar.gz.
File metadata
- Download URL: Webpt-2.0.8.tar.gz
- Upload date:
- Size: 17.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.23.0 setuptools/50.3.2 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7506b26a1e04a204e295a1c28a2913d4c6b3f29cb0db101d6f0c74ae4fea6cd7 |
|
| MD5 | b277c4675ad65a0262121801d8a8f258 |
|
| BLAKE2b-256 | d251117d8daaceb9d53921e3bd5d81a37054526c9b5ebf18db2d49461f4638e3 |
File details
Details for the file Webpt-2.0.8-py3-none-any.whl.
File metadata
- Download URL: Webpt-2.0.8-py3-none-any.whl
- Upload date:
- Size: 23.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.23.0 setuptools/50.3.2 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | caa8e5acd71c6b0bf0e2487649ec4bf1c669f778375b92f9845a926950dc1e5a |
|
| MD5 | 487158868b7bde2b7fbf934fddb17f15 |
|
| BLAKE2b-256 | 4751eecf5c72bf504098fbd10b4ab2894dced6b81410d72e8bb6270e4d0c4fcb |
