ThreatList: Hackers Turn to Python as Attack Coding Language of Choice

More than 20 percent of GitHub repositories containing an attack tool or an exploit proof of concept (PoC) are written in Python.

Python was recently touted as on track to become the world’s most prevalent coding language, looking to swallow, as it were, the majority of the market share for developers. According to recent analysis, Python’s popularity also extends to black hats.

Mirroring the findings around its use by coders overall, Python-based tools were used in up to 77 percent of attacks against sites seen in telemetry from Imperva, between the end of June and mid-September. The data also shows that in over a third of the cases, a Python-based tool was responsible for the majority of daily attacks.

“These levels, over time, show that Python-based tools are used for both breadth and depth scanning,” Imperva said in its report, released Thursday.

Meanwhile, a survey of GitHub by the firm found that about more than 20 percent of GitHub repositories containing an attack tool or an exploit proof of concept (PoC) are written in Python.

“In virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as w3af, Sqlmap and even the infamous AutoSploit tool,” Imperva noted.

Security incidents by client.

In a look at web clients, Imperva researchers reviewed their data, specifically security incidents, and found that more than 25 percent of the clients seen — excluding vulnerability scanners – were Python-based tools used by malicious actors, making it the most common vector for launching exploit attempts.

The two most popular Python modules used for web attacks are Urllib and Python Requests, the research found. Use of a new module, Async IO, is just kicking off.

In addition, Python is used to target specific applications and frameworks like Struts and WordPress.

Frameworks targeted by Python.

“The advantages of Python as a coding language make it a popular tool for implementing known exploits,” Imperva said. It noted the prevalence especially of exploits for the CVE-2017-9841 PHP-based remote code-execution (RCE) vulnerability in the PHPUnit framework, and CVE-2015-8562 RCE flaw in the Joomla! framework.

“Since Python is so widely used by hackers, there is a host of different attack vectors to take into consideration,” Imperva noted. “Python requires minimal coding skills, making it easy to write a script and exploit a vulnerability.”

Suggested articles


  • Thomas! on

    I’m gonna learn how to code with python , because I think that it will be interesting to do!
  • Jacob Doyelle Yates on

    If this is news to you then you must be new to programming and security.
    • Tara Seals on

      Thanks for your comment, Jacob. We thought the stats around this were interesting and timely given that Python has surged of late.
  • Locoluis on

    Lower entry barrier, more power at your disposal that's easier to tap. Comprehensive, well-documented standard library, great availability of ready-to-use modules a pip install and import away, and plenty of code samples. Better tools you can use for evil or good, to create or destroy, to secure your server or to break into it. The problem is not that Python makes life easier for everybody (including attackers). The problem are the existing unpatched vulnerabilities.
  • Arif on

    I have been learning Python lately
  • Arize Victory on

    Old News...of course python
  • pusang halaw on

    the web designer could use an actual python photo instead of what appears to be an emerald tree snake.
  • Tim on


Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.