Most of the time, when writing exploits, we don’t care much for certificate validation. Especially when we are writing exploits for embedded devices or suchlike that uses self-signed certs. So we will be wanting to disable certificate validation.
When writing actual sensible software that talks to real things, you probably do NOT want to be doing this. By default, requests is sensible and validates certs like your browser does, to avoid programmers shooting themselves in the foot.
Now, almost every single time I go to write an exploit in python, using the requests library, and the target device uses a self-signed cert, I have to go on a google adventure to find out how to disable the stupid warnings that come up when I disable cert validation.
Anyways, I figured I’d outline how to do it here, along with explaining what the heck it all means. So lets go build our footgun.
You basically have to do 2 things, to properly kill the warnings. Firstly, in your request, you have to disable certificate verification. This will stop it from aborting and bailing out every time it gets an invalid cert. We can do this by setting the “verify” argument to false, like so.
import requests url = "https://some-self-signed-thing.local" r = requests.get(url=url, verify=False)
Now, when we run this, the code will run fine, but we get an ugly warning about cert validation being disabled. We would like that to kindly go away. So, we do the following.
import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) url = "https://some-self-signed-thing.local" r = requests.get(url=url, verify=False)
This time, not only does the request succeed, we also don’t get the annoying error message. But why?
So along with importing the “requests” package, we also have to specifically import the “InsecureRequestWarning” object under the “urllib3.exceptions” namespace. urllib3 is one of the underlying packages that “requests” is built on.
We can then specify that this warning be disabled, by calling the “requests.packages.urllib3.disable_warnings” function with that object as an argument, effectively disabling the warning.
So, that is how you can disable cert validation and the annoying warnings that pop up every time you do that, for those times when you just don’t give a shit about certificate validation. Remember though, this is almost always a terrible idea!