Make your applications attack-proof by penetration testing with Python
With the huge growth in the number of web applications in the recent times, there has also been an upsurge in the need to make these applications secure. Web penetration testing is the use of tools and code to attack a website or web app in order to assess its vulnerabilities to external threats. While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, the use of Python allows testers to write system-specific scripts, or alter and extend existing testing tools to find, exploit, and record as many security weaknesses as possible.
This course will walk you through the web application penetration testing methodology, showing you how to write your own tools with Python for every main activity in the process. It will show you how to test for security vulnerabilities in web applications just like security professionals and hackers do.
The course starts off by providing an overview of the web application penetration testing process and the tools used by professionals to perform these tests. Then we provide an introduction to HTTP and how to interact with web applications using Python and the Requests library. Then will follow the web application penetration testing methodology and cover each section with a supporting Python example. To finish off, we test these tools against a vulnerable web application created specifically for this course.
Stop just running automated tools—write your own and modify existing ones to cover your needs! This course will give you a flying start as a security professional by giving you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application’s needs.
What You Will Learn
- Understand the web application penetration testing methodology and toolkit
- Interact with web applications using Python and the Requests library
- Write a web crawler/spider with the Scrapy library
- Create an HTTP bruteforcer based on Requests
- Create a Password bruteforcer for Basic, NTLM, and Forms authentication
- Detect and exploit SQL injections vulnerabilities by creating a script all by yourself
- Intercept and manipulate HTTP communication using Mitmproxy
Table of Contents
01. The Course Overview
02. Understanding Web Application Penetration Testing Process
03. Typical Web Application Toolkit
04. Testing Environment
Interacting with Web Applications
05. HTTP Protocol Basics
06. Anatomy of an HTTP Request
07. Interacting with Web Apps Using Requests Library
08. Analyzing the Responses
Web Crawling with Scrapy
09. Web Application Mapping
10. Creating a Crawler with Scrapy
11. Recursive Crawling
12. Extracting Information
13. What Is Resource Discovery?
14. Building Our First Brute Forcer
15. Analyzing the Results
16. Adding More Information
17. Taking Screenshots of the Findings
18. How Password Attacks Work?
19. Our First Password Brute Forcer
20. Adding Support for Digest Authentication
21. Form-based Authentication
Detecting and Exploiting SQL Injection Vulnerabilities
22. SQL Injection Vulnerability
23. Detecting SQL Injection Issues
24. Exploiting a SQL Injection to Extract Data
25. Advanced SQLi Exploiting
Intercepting HTTP Requests
26. HTTP Proxy Anatomy
27. Introduction to mitmproxy
28. Manipulating HTTP Requests
29. Automating SQLi in mitmproxy
30. Wrapping Up