Mega-bites of code: Python snakes into 1st place for cyber-attacks

Hackers share general public's love of popular programming language

By Thomas Claburn in San Francisco


Python, either the world's most popular programming language or a close runner up, turns out to be the most widely used language for hacking tools.

Security biz Imperva came to this conclusion after looking at GitHub and finding that more than 20 per cent of GitHub repositories for attack tools and proof-of-concept exploits are written in Python.

"In virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as w3af, Sqlmap, and even the infamous AutoSploit tool," the company explained on Wednesday in a blog post, adding that hackers enjoy Python's advantages – easy to learn, easy to read, comprehensive libraries – just like everyone else.

Python shows up not just in GitHub repos but in incidents as well. Imperva claims that in its security incident data, the largest group of the web clients it can identify (~25 per cent) are based on Python.


Looking at Python usage in attacks against sites under Imperva's protection, the company found that up to 77 per cent were hit by a Python-based tool and that in at least a third of these incidents, the majority of daily attacks could be attributed to Python-written code.

The security biz points to Urllib and Requests as the two most popular Python libraries used by attackers, with asyncio, a relative newcomer, just starting to show signs of adoption. Among the most common attacks involving Python tools, the two most popular in the past two months targeted a PHP-based remote execution flaw in the PHPUnit framework (CVE-2017-9841) and a remote code execution flaw in Joomla (CVE-2015-8562).

Imperva's observations don't offer much insight into whether mitigating Python-based attacks is any different from dealing with other kinds of exploits. But the company does note, "Python requires minimal coding skills, making it easy to write a script and exploit a vulnerability." Presumably, defending against amateurs offers better odds than the alternative.

IBM Fellow Grady Booch told The Register that Imperva's observations seem reasonable. "I’ve not dug into Imperva’s data or methodology, but it seems correct on many levels: Python is popular for it is used most often at the edge of systems where software is far more disposable (and where there is less risk and therefore less discipline, compared to – for example – the infrastructure of a system)," he said.

Thomas Reed, director of Mac and mobile for security biz Malwarebytes, said he tends to agree with Imperva's findings. "We’ve seen some malware for the Mac coded in nothing but Python!" he told us, pointing to EvilOSX, Bella, and Pupy. "Python is pretty popular with the white hats too... it’s my scripting language of choice these days, and is popular with many other Mac security pros and admins. There’s even a way to include Objective-C methods in Python scripts, via pyobjc, for additional power." ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Website programming? Pffft, so 2011. Python's main squeeze is now data science, apparently

Popular glue coding language sticks to everything

Visual Studio Code's Python extension goes to Jupyter

A preview of next year's .NET Framework also emitted

A spot of Python in your Azure automation? Step right this way, sir

Python 2 support for runbooks slithers out of preview

Using Python in Visual Studio Code? Microsoft has new toys for you

You will use the new debugger and you will like it, OK?

New Python update slithers into release

Behold, the new, faster version 3.7, with nanosecond timing, data classes and docs in more (human) languages

Microsoft Visual Studio Code replumbed for better Python taming

Python Language Server an option for those that code

Pleasant programming playground paves popular Python path

Shrew'd thinking: Code Shrew helps peeps who want to, or need to, gobble a slice of Py

New Monty Python movie to turn old jokes into new royalties

You silly English k-niggits will probably flock to see Spamalot the musical movie

Hooray: Google App Engine finally ready for Python 3 (and PHP 7.2)

'OG of serverless' gets modern makeover

Python joins movement to dump 'offensive' master, slave terms

Programming language bites its tongue to be more inclusive