misc

misc

Python debugger:
    Stop programs mid execution
    Examine it line by line
    Look at the contents of the variable in the middle of the execution
    Any python script can be set to be debugged

    2 ways to start the debugger:
        import pdb; pdb.set_trace()
        python -m pdb script.py


    Useful keys:
    (Pdb) -> the debugger prompt
    ? -> help
    n -> next
    s -> step into
    r -> return, meaning, finish the current function and return back to the calling function
    l[s,e] -> list src code starting at s and ending at e
    p -> print the value of an expression
    <Enter> -> execute the last command again
    c -> continue the execution of the program


Exercise:
run the follwing command:
python -m pdb rps.py

Try the various switches and inspect the variables while the script is running. 





Http requests library:
A library that can be used to make HTTP/1.1 requests without the need for manual labor.

Why requests?
Earlier libraries were like urlib 2 and later 3

Task to authenticate on github with user credentials:

urllib2 approach:

        import urllib2

        gh_url = 'https://api.github.com'

        req = urllib2.Request(gh_url)

        password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm()
        password_manager.add_password(None, gh_url, 'user', 'pass')

        auth_manager = urllib2.HTTPBasicAuthHandler(password_manager)
        opener = urllib2.build_opener(auth_manager)

        urllib2.install_opener(opener)

        handler = urllib2.urlopen(req)

        print handler.getcode()
        print handler.headers.getheader('content-type')



requests approach:

        import requests

        r = requests.get('https://api.github.com', auth=('user', 'pass'))

        print r.status_code
        print r.headers['content-type']

        # ------
        # 200
        # 'application/json'


Output in for both the above:
# ------
# 200
# 'application/json'



Exercise preparation:
httpbin server - mock HTTP server 
can be used as our playground to test out different ways of making http requests


Exercises:
browse to 
import requests

1. GET requests to get Github's public timeline
r = requests.get('https://github.com/timeline.json')

2. Make an HTTP post request
r = requests.post("http://httpbin.org/post")

3. Similarly the other HTTP request types: PUT, DELETE, HEAD and OPTIONS?
r = requests.put("http://httpbin.org/put")
r = requests.delete("http://httpbin.org/delete")
r = requests.head("http://httpbin.org/get")
r = requests.options("http://httpbin.org/get")

4. GET requests to get Github's public timeline and read the response and find the encoding type of the response
import requests
r = requests.get('https://github.com/timeline.json')
r.text
r.encoding

5. Passing parameters with URLs
payload = {'key1': 'value1', 'key2': 'value2'}
r = requests.get("http://httpbin.org/get", params=payload)
print(r.url)

6. check for bad response codes
bad_r = requests.get('http://httpbin.org/status/404')
bad_r.status_code

7. check for response headers in the above 
bad_r = requests.get('http://httpbin.org/status/404')
bad_r.status_code
r.headers


What is mitmproxy? (https://docs.mitmproxy.org/stable/)

    mitmproxy is a free and open source interactive HTTPS proxy
    
    It can work as : (also known as modes of operation) (screen shot on the desktop)
        Regular (the default)
        Transparent
        Reverse Proxy
        Upstream Proxy
        SOCKS Proxy

    We will be using v 0.13 for our exercises. 
    Latest version has many more enhancements and modularity

exercise:
intercept curl request using mitmproxy
analyze things you have access to


challenge:
Agenda - to learn how to automate the whole of the request resposne. May be useful for various things like fuzzing. 
script to fuzz should be on attacker machine and should be finally given