An HTML-form authentication testing tool written in Python. It simulates authentication attacks against HTML-form authentication and is intended only for educational use in controlled environments. The project was inspired by Black Hat Python by Justin Seitz (2014).
- Supports HTTP and HTTPS.
- Handles CSRF tokens:
  - CSRF tokens in cookies.
  - CSRF tokens in a hidden input field.
- Highly customizable. The user can:
  - Set custom headers.
  - Provide custom parameters.
  - Provide custom cookies.
- Allows for data dumping.
- Uses a password list for testing.
Spwder is used to test the security of authentication in terms of:
- Rate limiting (important against automated login attempts).
- Session handling (CSRF).
The simulated activity of Spwder maps to ATT&CK tactic
Arguments:
url (required) - URL of the login page (do not include http://)
-pl (optional) - Path to a file containing custom passwords (minimum of 20 passwords)
-cf (optional) - Use a custom cookie from a file
-cc (optional) - Use a custom cookie
-https (optional) - Use HTTPS (HTTP is used by default)
-p (optional) - Provide parameters from a file (you should provide the username/email with it; may cause errors)
-hd (optional) - Use custom headers from a file
-dump (optional) - Show dumped data
Examples:
Basic: spwder.py url=facebook.com/login
-pl=C:\Users\you\Desktop\mypasswords.txt
-cf=C:\Users\you\Desktop\mycookie.txt
-cc=Mycookie124
-https=1 (this enables HTTPS)
-p=C:\Users\you\Desktop\paramss.tx
-hd=C:\Users\you\Desktop\myheaders.txt
myheaders.txt should look like this (header name on one line, its value on the next line):
header
value
example:
User-Agent
Mozilla/5.0
-dump=1 (takes either 1 or 2: 1 shows the first response from the target, 2 shows the response from the target that indicated a possible correct password)
Important: do not use -dump while brute-forcing; only use it after a brute-force run is done. Also pass url=x with it to avoid errors (spwder.py url=whatever -dump=2).
Make sure pwds.txt is in the working directory of spwder.py, alongside dump1.txt and dump2.txt.
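The following is an added example, not Spwder's own code, showing the pieces a tool like this has to assemble for a single login attempt when the form is protected in both ways listed above: the hidden-input CSRF token is pulled out of the login page with html.parser, the CSRF cookie out of the Set-Cookie header, and a -hd style header file (name on one line, value on the next) is turned into request headers. The login page HTML, the Set-Cookie value, the field and cookie names (csrfmiddlewaretoken, csrftoken, username, password) and the URL are constructed samples chosen to resemble a default Django login form; nothing is sent over the network, only a urllib.request.Request is built.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlencode
from urllib.request import Request

# Constructed samples (not captured from a real site): a Django-style login
# page, the Set-Cookie header that came with it, and a -hd header file.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/login/">
  <input type="hidden" name="csrfmiddlewaretoken" value="tok123abc">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""
SAMPLE_SET_COOKIE = "csrftoken=cookie456def; Path=/; HttpOnly; SameSite=Lax"
SAMPLE_HEADERS_FILE = "User-Agent\nMozilla/5.0\nAccept-Language\nen-US\n"


class HiddenInputParser(HTMLParser):
    """Collect every <input type="hidden"> on the page as name -> value."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def hidden_fields(html):
    """Return all hidden inputs; the CSRF token is one of them, whatever it is called."""
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.hidden


def csrf_cookie(set_cookie_header, name_hint="csrf"):
    """Return (name, value) of the first cookie whose name contains name_hint, else None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    for name, morsel in jar.items():
        if name_hint in name.lower():
            return name, morsel.value
    return None


def parse_headers_file(text):
    """-hd file format: header name on one line, its value on the next line."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("headers file must consist of name/value line pairs")
    return dict(zip(lines[0::2], lines[1::2]))


def build_login_request(url, username, password, login_html, set_cookie, headers_text):
    """Assemble one POST: hidden fields (including the CSRF token) plus the
    credentials, the CSRF cookie echoed back, and the user's custom headers."""
    fields = hidden_fields(login_html)
    fields.update({"username": username, "password": password})
    headers = parse_headers_file(headers_text)
    cookie = csrf_cookie(set_cookie)
    if cookie:
        headers["Cookie"] = f"{cookie[0]}={cookie[1]}"
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return Request(url, data=urlencode(fields).encode(), headers=headers, method="POST")


if __name__ == "__main__":
    req = build_login_request("https://example.test/login/", "alice", "hunter2",
                              SAMPLE_LOGIN_HTML, SAMPLE_SET_COOKIE, SAMPLE_HEADERS_FILE)
    print(req.get_method(), req.full_url)
    print(req.header_items())
    print(req.data)
```

The point for a brute-force loop: Django-style CSRF protection validates the hidden field against the cookie, so both must come from the same fetch of the login page and must be refreshed whenever the server rotates them. Reusing a stale pair produces 403 responses that are easy to misread as failed passwords.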
- Initially, Spwder was supposed to count the passwords and spawn one thread per password to test them. However, this triggered HTTP 429 (Too Many Requests) errors, so, for simplicity, a single thread now does the testing.
- Spwder v2 can handle CSRF cookies (in Set-Cookie headers) and CSRF tokens (in input tags with type="hidden").
- The original code was not well organized. The new code is clean and easy to maintain.
- Spwder v2 was successfully tested against a basic Django website.
- Relatively slow due to having only one thread.
- Cannot handle CAPTCHA.
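An added example, not Spwder's code, of the single-threaded design the first note above describes, written so that an HTTP 429 is handled rather than merely avoided: the loop honours a numeric Retry-After header, falls back to exponential backoff when the header is missing, and stops after a bounded number of retries for one password instead of hammering the target. The transport is a function passed in, and FakeLoginServer is a constructed stand-in that rate-limits after three requests, so the example runs offline; the redirect-based success check is an assumption about the target, not a rule Spwder uses.

```python
import time


def is_success(status, headers):
    """Heuristic success check (an assumption about the target, not Spwder's rule):
    a correct form login usually answers with a redirect away from the login page."""
    location = headers.get("Location", "")
    return status in (301, 302, 303, 307) and "login" not in location.lower()


def try_passwords(passwords, send, sleep=time.sleep, max_retries=5, base_delay=1.0):
    """Test passwords one at a time from a single thread.

    send(password) -> (status, headers_dict, body) is the injected transport.
    A 429 is treated as a signal, not an error: wait Retry-After seconds when
    the server gives a number, otherwise back off exponentially, then retry the
    same password.  After max_retries consecutive 429s for one password, stop.
    Returns (found_password_or_None, stats)."""
    stats = {"requests": 0, "rate_limited": 0, "waited": 0.0}
    for pw in passwords:
        retries = 0
        while True:
            status, headers, _body = send(pw)
            stats["requests"] += 1
            if status != 429:
                break
            stats["rate_limited"] += 1
            if retries >= max_retries:
                return None, stats
            retry_after = headers.get("Retry-After", "")
            if retry_after.isdigit():
                delay = float(retry_after)           # server said how long to wait
            else:
                delay = base_delay * (2 ** retries)  # no header (or an HTTP date): back off
            stats["waited"] += delay
            sleep(delay)
            retries += 1
        if is_success(status, headers):
            return pw, stats
    return None, stats


class FakeLoginServer:
    """Constructed stand-in for the target so the example runs offline: allows
    `limit` requests, then answers 429 with Retry-After once and resets its window."""

    def __init__(self, correct, limit=3, retry_after="2"):
        self.correct = correct
        self.limit = limit
        self.retry_after = retry_after
        self.hits = 0

    def send(self, password):
        if self.hits >= self.limit:
            self.hits = 0
            headers = {"Retry-After": self.retry_after} if self.retry_after else {}
            return 429, headers, ""
        self.hits += 1
        if password == self.correct:
            return 302, {"Location": "/home/"}, ""
        return 200, {}, "Invalid username or password"


if __name__ == "__main__":
    server = FakeLoginServer(correct="hunter2")
    found, stats = try_passwords(["123456", "password", "qwerty", "letmein", "hunter2"],
                                 server.send, sleep=lambda s: None)
    print(found, stats)
```

The stats dictionary is what a tool should report alongside the result: how many requests the target accepted before the first 429 tells you whether rate limiting exists at all and roughly where the threshold sits, which is the "rate limiting" property the README says Spwder is meant to test.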
Given the lack of available tutorials and examples for achieving certain tasks with urllib, it took a lot of time and effort to implement some features properly. An improved version of Spwder may be written with the requests library instead.