Learning Python Web Penetration Testing

Learning Python Web Penetration Testing

by Christian Martorella
Released June 2018
Publisher(s): Packt Publishing
ISBN: 9781789533972

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Leverage the simplicity of Python and available libraries to build web security testing tools for your application

About This Book
  • Understand the web application penetration testing methodology and toolkit using Python
  • Write a web crawler/spider with the Scrapy library
  • Detect and exploit SQL injection vulnerabilities by creating a script all by yourself
Who This Book Is For

Learning Python Web Penetration Testing is for web developers who want to step into the world of web application security testing. Basic knowledge of Python is necessary.

What You Will Learn
  • Interact with a web application using the Python and Requests libraries
  • Create a basic web application crawler and make it recursive
  • Develop a brute force tool to discover and enumerate resources such as files and directories
  • Explore different authentication methods commonly used in web applications
  • Enumerate table names from a database using SQL injection
  • Understand the web application penetration testing methodology and toolkit
In Detail

Web penetration testing is the use of tools and code to attack a website or web app in order to assess its vulnerability to external threats. While there are an increasing number of sophisticated, ready-made tools to scan systems for vulnerabilities, the use of Python allows you to write system-specific scripts, or alter and extend existing testing tools to find, exploit, and record as many security weaknesses as possible. Learning Python Web Penetration Testing will walk you through the web application penetration testing methodology, showing you how to write your own tools with Python for each activity throughout the process. The book begins by emphasizing the importance of knowing how to write your own tools with Python for web application penetration testing. You will then learn to interact with a web application using Python, understand the anatomy of an HTTP request, URL, headers and message body, and later create a script to perform a request, and interpret the response and its headers. As you make your way through the book, you will write a web crawler using Python and the Scrappy library. The book will also help you to develop a tool to perform brute force attacks in different parts of the web application. You will then discover more on detecting and exploiting SQL injection vulnerabilities. By the end of this book, you will have successfully created an HTTP proxy based on the mitmproxy tool.

Style and approach

A easy-to-follow guide that will help you build different web application security testing tools. With each chapter building on the knowledge of the previous section, this book will help you to smartly assess the security needs of your apps.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Learning Python Web Penetration Testing
  3. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  4. Contributor
    1. About the author
    2. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
  6. Introduction to Web Application Penetration Testing
    1. Understanding the web application penetration testing process
    2. Typical web application toolkit
      1. HTTP Proxy
      2. Crawlers and spiders
      3. Vulnerability scanners
      4. Brute forces/predictable resource locators
      5. Specific task tools
    3. Testing environment
    4. Summary
  7. Interacting with Web Applications
    1. HTTP protocol basics
      1. What is HTTP and how it works?
    2. Anatomy of an HTTP request
      1. HTTP headers
      2. GET request
    3. Interacting with a web app using the requests library
      1. Requests library
      2. Our first script
      3. Setting headers
    4. Analyzing HTTP responses
      1. HTTP codes
    5. Summary
  8. Web Crawling with Scrapy – Mapping the Application
    1. Web application mapping
    2. Creating our own crawler/spider with Scrapy
      1. Starting with Scrapy
    3. Making our crawler recursive
    4. Scraping interesting stuff
    5. Summary
  9. Resources Discovery
    1. What is resource discovery?
    2. Building our first BruteForcer
    3. Analysing the results
    4. Adding more information
      1. Entering the hash of the response content
    5. Taking screenshots of the findings
    6. Summary
  10. Password Testing
    1. How password attacks work
      1. Password cracking
      2. Password policies and account locking
    2. Our first password BruteForcer
      1. Basic authentication
      2. Creating the password cracker
    3. Adding support for digest authentication
      1. What is digest authentication?
      2. Adding digest authentication to our script
    4. Form-based authentication
      1. Form-based authentication overview
    5. Summary
  11. Detecting and Exploiting SQL Injection Vulnerabilities
    1. Introduction to SQL injection
      1. SQLi versus blind SQLi
    2. Detecting SQL injection issues
      1. Methods for detecting SQLi
      2. Automating the detection
    3. Exploiting a SQL injection to extract data
      1. What data can we extract with an SQLi?
      2. Automating basic extractions
    4. Advanced SQLi exploiting
    5. Summary
  12. Intercepting HTTP Requests
    1. HTTP proxy anatomy
      1. What is an HTTP proxy?
      2. Why do we need a proxy?
      3. Types of HTTP proxy
    2. Introduction to mitmproxy
      1. Why mitmproxy?
    3. Manipulating HTTP requests
      1. Inline scripts
    4. Automating SQLi in mitmproxy
      1. SQLi process
    5. Summary
  13. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Learning Python Web Penetration Testing
  • Author(s): Christian Martorella
  • Release date: June 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781789533972