Python Security

Open-source Python projects categorized as Security

Top 23 Python Security Projects

  • PayloadsAllTheThings

    A list of useful payloads and bypass for Web Application Security and Pentest/CTF

    Project mention: A Summary of Fuzzing Tools and Dictionaries For Bug Bounty Hunters | dev.to | 2022-11-15

    payload https://github.com/swisskyrepo/PayloadsAllTheThings

  • mitmproxy

    An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

    Project mention: Ask HN: Any good black Friday deals? | news.ycombinator.com | 2022-11-25

    It's really nice. I bought it last year, but don't use it frequently enough and didn't renew it this year. If you're in the same boat https://mitmproxy.org is really helpful and with `mitmweb` offering a web alternative to their TUI it's really convenient.

    If you have ProxyMan you can renew with the discount, too.

  • SQLMap

    Automatic SQL injection and database takeover tool

    Project mention: sqlmap | reddit.com/r/HackProtectSlo | 2022-09-26

    Installation: `git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev` Usage: `python sqlmap.py -h`, `python sqlmap.py -hh`

  • CheatSheetSeries

    The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

    Project mention: Rule of Thumb for JWT's? | reddit.com/r/Backend | 2022-11-19

    There is OWASP JWT Cheatsheet that goes into details. Here’s another awesome article on hasura blog for the same.

  • hosts

    🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

    Project mention: Windows 10 virtual machine + VPN on host PC enough security for torrenting movies? | reddit.com/r/PrivacyGuides | 2022-11-25

    Also this: https://github.com/StevenBlack/hosts

  • macOS-Security-and-Privacy-Guide

    Guide to securing and improving privacy on macOS

    Project mention: Ask HN: What do you do for online privacy? | news.ycombinator.com | 2022-11-11

    - macos, following https://github.com/drduh/macOS-Security-and-Privacy-Guide for hardening (I haven't compared this to other hardening guides, but doing something is better than nothing)

  • wifiphisher

    The Rogue Access Point Framework

    Project mention: Is there such a thing as a long range wifi adapter? | reddit.com/r/HomeNetworking | 2022-03-25

  • routersploit

    Exploitation Framework for Embedded Devices

    Project mention: Is there a way to gain a router's webpage password and username? | reddit.com/r/hacking | 2022-11-26

  • dirsearch

    Web path scanner

    Project mention: dirsearch - release v0.4.3 - crawling supported | reddit.com/r/netsec | 2022-10-05

  • urh

    Universal Radio Hacker: Investigate Wireless Protocols Like A Boss

    Project mention: Linux: software: auto detect digital modulation type. | reddit.com/r/sdr | 2022-11-15

    Tried the tool https://github.com/jopohl/urh and it does not get too much information. I am expecting to find something similar to Wireshark - it can detect protocols in traffic and highlight different kinds of fields in packet headers.

  • Mailpile

    A free & open modern, fast email client with user-friendly encryption and privacy features

    Project mention: My slow progression towards and away from NextCloud | reddit.com/r/selfhosted | 2022-11-12

    Have a look at mailpile if you are after a web interface; or, the ever-dependable Thunderbird if you are fine with a desktop application.

  • mvt

    MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.

    Project mention: New Pegasus Spyware Abuses Identified in Mexico | news.ycombinator.com | 2022-10-02

    There is, among others, the MVT project on GitHub. Caveat emptor: it comes with apt warnings, but the documentation helps.

    https://github.com/mvt-project/mvt

  • scapy

    Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.

    Project mention: packet-rs - A Scapy like rust packet interface | reddit.com/r/rust | 2022-11-25

  • opensnitch

    OpenSnitch is a GNU/Linux port of the Little Snitch application firewall

    Project mention: How to block website? | reddit.com/r/linuxquestions | 2022-11-26

  • Fail2Ban

    Daemon to ban hosts that cause multiple authentication errors

    Project mention: SSHGuard | news.ycombinator.com | 2022-11-26

  • trape

    People tracker on the Internet: OSINT analysis and research tool by Jose Pino

    Project mention: ILPT Request: how do I track a phone... | reddit.com/r/IllegalLifeProTips | 2022-11-24

  • sigma

    Generic Signature Format for SIEM Systems

    Project mention: How Falcon OverWatch Hunts for Out-of-Band Application Security Testing | reddit.com/r/crowdstrike | 2022-11-04

    If anyone wants to build out their own detections for this kind of activity, this Sigma rule lists the most common domains used for this activity: https://github.com/SigmaHQ/sigma/blob/master/rules/network/dns/net_dns_external_service_interaction_domains.yml

  • pyWhat

    🐸 Identify anything. pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙‍♀️

    Project mention: Go Library like PyWhat? | reddit.com/r/golang | 2022-10-20

    Is there a library written in Go similar to PyWhat? I want to use a subset of the functionality for a simple go program I'm writing. I could just call PyWhat, link to lemmeknow, or even write a simple go implementation myself, but I wanted to ask if there was a pure go implementation. Thanks!

  • objection

    📱 objection - runtime mobile exploration

    Project mention: Prerequisites for reverse engineering? | reddit.com/r/hacking | 2022-10-11

  • OnionShare

    Securely and anonymously share files, host websites, and chat with friends using the Tor network

    Project mention: Peer-to-Peer Encrypted Messaging | news.ycombinator.com | 2022-11-20

    Briar is one of the most important secure messaging projects currently. Not only does it remove the need to trust the vendor about content (like with all E2EE messaging apps), you also get to keep the metadata about communication to yourself as data transits from one Tor Onion Service to another.

    The downside is of course, you need to keep the endpoint powered on when you want to be reachable so it will increase the battery drain on your phone.

    Note: There's also a desktop client if that's easier to keep online https://briarproject.org/download-briar-desktop/

    One extremely important thing Briar is doing, is it's using the P2P as means to host alternative social interaction formats, like forums and blogs. Similar to Signal/WhatsApp stories (which is somewhat similar to microblogs/FB wall), it's a way to indirectly share information. You could pretty much emulate any social media platform on top of E2EE protocol with ~zero infrastructure cost and without having to worry about data mining. I'd argue what Briar's innovating on here is one of the most important aspects in what's left for secure messaging.

    Finally a small caveat: Briar will share your Bluetooth MAC address with all peers so it can automatically use that when you're in close proximity with your peer. Thus sharing your Briar ID publicly is not a good idea for two reasons:

    1) major global adversaries may have access to that information (e.g. if Google aggregates it), which can deanonymize your account. This also allows a slightly technical person to confirm the identity of a Briar account if they suspect it's you (a bit wonky threat model, but still).

    2) it ties everything you do across your accounts on same device together, so there's strong linkability even if you rotate the identity key by reinstalling the app.

    Briar is pretty clear about this in its FAQ, but it's still not very well known, although it definitely should be.

    ---

    That being said, if you want similar Onion Service based communication with no such linkability, there's https://cwtch.im/ which is a fantastic project.

    There's also https://www.ricochetrefresh.net/

    Both are spiritual successors to John Brooks' `Ricochet` application.

    You can also chat and share files (among other things) with https://onionshare.org/

    (And finally, you can get remote exfiltration security for keys/plaintexts with TFC https://github.com/maqp/tfc (my personal work), at the cost of losing some features like message forwarding etc that the architecture prevents you from doing.)

  • nuclei-templates

    Community curated list of templates for the nuclei engine to find security vulnerabilities.

    Project mention: Attack simulation tool based on CVE | reddit.com/r/redteamsec | 2022-10-06

    Nmap can run scripts that trigger NIPS, as does Nuclei: https://nmap.org/ & https://github.com/projectdiscovery/nuclei. You can look at a list of vuln scanners here: https://owasp.org/www-community/Vulnerability_Scanning_Tools. Nessus would be a common one to look at for Enterprise. Rapid 7, Qualys.

  • ScoutSuite

    Multi-Cloud Security Auditing Tool

    Project mention: Scanning for AWS Security Issues with Trivy | news.ycombinator.com | 2022-08-16

  • clusterfuzz

    Scalable fuzzing infrastructure.

    Project mention: An ex-Googler's guide to dev tools | news.ycombinator.com | 2022-07-17

    Then it is clear that the behavior of this for loop is either not important or not being tested. This could mean that the tests that you do have are not useful and can be deleted.

    > For most non-trivial software the possible state-space is enormous and we generally don't/can't test all of it. So "not testing the (full) behaviour of your application is the default for any test strategy", if we could we wouldn't have bugs... Last I checked most software (including Google's) has plenty of bugs.

    I have also used (set up, fixed findings) https://google.github.io/clusterfuzz/, which uses coverage + properties to find bugs in the way C++ code handles pointers and other things.

    > The next question would be let's say I spend my time writing the tests to resolve this (could be a lot of work) is that time better spent vs. other things I could be doing? (i.e. what's the ROI)

    That is something that will depend largely on the team and the code you are on. If you are in experimental code that isn't in production, is there value to this? Likely not. If you are writing code that if it fails to parse some data correctly you'll have a huge headache trying to fix it? Likely yes.

    The SRE workbook goes over making these calculations.

    > Even ignoring that, is there data to support that the quality of software where mutation testing was added improved measurably (e.g. fewer bugs filed against the deployed product, better uptime, etc.)?

    I know that there are studies that show that tests reduce bugs but I do not know of studies that say that higher test coverage reduces bugs.

    The goal of mutation testing isn't to drive up coverage, though. It is to find out what cases are not being exercised and evaluate whether they will cause a problem. For example, mutation testing tools have picked up cases like this:

       if (debug) print("Got here!");

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-11-26.

Index

What are some of the best open-source Security projects in Python? This list will help you:

 #  Project                           Stars
 1  PayloadsAllTheThings              43,172
 2  mitmproxy                         29,343
 3  SQLMap                            25,346
 4  CheatSheetSeries                  22,261
 5  hosts                             21,889
 6  macOS-Security-and-Privacy-Guide  19,699
 7  wifiphisher                       11,273
 8  routersploit                      10,626
 9  dirsearch                          8,875
10  urh                                8,858
11  Mailpile                           8,678
12  mvt                                8,197
13  scapy                              8,166
14  opensnitch                         8,018
15  Fail2Ban                           7,663
16  trape                              7,170
17  sigma                              5,778
18  pyWhat                             5,562
19  objection                          5,465
20  OnionShare                         5,411
21  nuclei-templates                   5,334
22  ScoutSuite                         4,910
23  clusterfuzz                        4,880