Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

Python: Web Development and Penetration Testing

Name: Python: Web Development and Penetration Testing
Rating: 3.8 (14 reviews)

An all-in-one guide to building secure web apps with Python and Django. Start with basic Python, finish as an expert!

Created byPackt Publishing

Last updated 1/2017

English

What you'll learn

Learn how to build and structure efficient Python web applications
Create and use your own custom middleware for Django web apps
Conduct end-to-end web application penetration testing in a live environment
Build an in-depth understanding of the process behind web pen testing
Stay relevant by laying the groundwork for further penetration testing exposure

Course content

14 sections • 53 lectures • 3h 18m total length

Django Overview1:58
Understanding Class-based Views1:32
In this video, we begin by learning how class-based views work so that you can fully benefit from this powerful, but often poorly understood feature. Generic class-based views provide a lot of functionality. Let's take a look at how you can easily extend them to create your own custom solution. From this lecture, you will learn the following topics:

Extend DetailView with your own data in three lines of code
Go further to add custom context with just a little more code
Reuse or even extend your new custom views
Using Mixins2:09
The built–in, generic class-based views are actually made up of many reusable mixins. Take a look at how you can use the same technique to add your own behaviors into your class-based views. In this lecture, you will cover the following topics:

Understand how DetailView is made from several mixins
Create a new-style Python class with the behavior we want
Include your mixin when creating a custom class-based view
Creating Custom Class-based Views1:07
You don't have to use generic class-based views. If you plan to override much of the built-in behavior or just don't need it, then you can start out with a simpler class, such as view. In this lecture, you will learn the following topics:

Learn how the View class adds the very basic functionality needed for a view
Add methods corresponding to the RESTful verbs, such as get and post
Use the views in the same way that you would use a generic class-based view
Creating a Switchboard View2:56
You can create a single class-based view that can handle all of the operations for a set of data. These are sometimes called switchboard classes, and they can help make your code easier to maintain. In this video, you will learn the following topics:

Start out with a class based on the View object
Python's getattr function can call different methods based on parameters
Create a method for each operation of your switchboard
Test Your Knowledge

What is Middleware?2:28
Code that is used in many views can be moved into middleware, allowing it to operate either before or after your view code is executed. In this lecture, you will learn the following topics:

Process the Request and Process view hooks to run before your view
Make Process Template Response and Process Response run after your view
Get Process Exception running if there is an unhandled exception
Creating your Own Custom Middleware2:45
Middleware classes are not fancy; they simply have one or more methods that correspond to one of the five predefined hooks available. We will cover the following topics in this lecture:

Decide which hooks your middleware should implement
Create a standard- or new-style class
Define a method corresponding to the hooks you want
Middleware to Handle Exceptions1:23
Showing users exceptions is unprofessional and may be a security problem. Let's examine an easier way to create middleware that catches and responds to unhandled exceptions. In this lecture, we will explore the following topics:

Create a class and add it to middleware
Define a process_exception method
Capture and process exceptions before they get to the user
Test Your Knowledge

Creating Template Filters3:18
In this lecture we will explore the possibility of creating custom filters to make frequently used behaviors easily reusable for everyone on our team:

Create a submodule of template tags
Register your filter with the register.filter decorator
Include your custom filter on any template that uses it
Building Custom Template Tags4:22
If you need a functionality that is too sophisticated for a filter, it should be a template tag. These are of several kinds, such as simple_tag for basic functionality and a template inclusion tag to bring in entire templates.

Create a submodule of template tags
Register your template tag with the register.simple_tag decorator
Include your custom tag on any template that uses it

Using Tastypie to Create a REST API3:40
With the growing popularity of Angular.js and similar tools, more applications need to provide a RESTful API. Tastypie is a Python module that does most of the work for us. Let's check it out in this lecture. You will learn the following topics:

Install the Django-tastypie module
Use the Resource or ModelResource modules to autogenerate an API from your data
Activate your URLs to get a basic read-only API
Handling Complex Queries with Our API2:12
Sometimes you want to modify the data before it goes out to the API. Tastypie makes it easy to add or customize the data returned from the API.

Take a look at how the tastypie dehydrates functionality and serializes our data
Customize the dehydrate process to add custom fields
Inspect the data in the API to check whether your changes were made
Adding Authentication and CRUD Support4:56
Not all applications work with a read-only API. Sometimes, you want full CRUD support from your API. You need to add an authentication step before you make this functionality available. Fortunately, Tastypie does all of this for us. In this lecture, we will learn the following topics:

Enable ApiKeyAuthentication and run a migration
Create a key for a user and add an authorization header to your request
Enjoy full support of get, post, patch, and delete

Understanding Generic Relationships2:09
Sometimes, you want to combine data from different models. It's not hard to do this with Python, but generic relationships allow Django to do this for you. In this lecture, you will learn the following topics:

Include the ContentType and GenericForeignKey modules
Define a model that has GenericForeignKey
Ensure that the GenericForeignKey keys are all the same datatype
Data Management using Formsets3:53
Have you wished you could add or edit many records to the database at once? With only a few lines of code, you can add this capability to your application.

Check out formsets that are based on the FormView class
Use modelformset_factory as a form class
Modify form as a list in our template
Learning Advanced Queries with Q()3:15
Django's ORM works fine when your filters are combined using the AND operator. If you want to perform more complicated queries, you should use the Q function, which just gives you more flexibility with your logic.

Understand the use of & or | to combine filter options with AND or OR
Use parentheses to get the proper logical operations
If you need more power, use the raw function and SQL

Low-level Caching3:45
Is your application running slow? You may be performing expensive operations more often than necessary. We can use low-level caching operations to have tight control over our application's performance. In this lecture, you will learn the following topics:

Enable caching using memcached, redis, or your database
Take a look at how cache.get and cache.set allow you to set and retrieve cached data
Use database caching during development and another style in production
Caching with Middleware2:27
Do you have data that is accessed on many views? We already know we can create middleware to reduce duplication, but why not add caching at to middleware to also speed up performance? In this lecture, you will learn the following topics:

Create a middleware that responds to the process_request hook
Use cache.get to check whether your data is cached
Fetch your data and add it to the request
Using the Template Cache2:49
If your cache needs are simpler, you can perform caching at the template level. This can provide a tremendous improvement in performance and is easy to use. In this lecture, you will learn the following topics:

Load the cache template tag in templates that need it
Wrap the cache tags to specify the data to be cached and an expiration
Consider a frontend cache, such as Varnish, to further speed up parts of your site

Exploring Model Managers2:05
Do you frequently perform the same query and filter operation in multiple views? Avoid duplication using model managers. In this lecture, you will learn the following topics:

Models already have a manager called objects
Override objects with your own manager to add custom functionality
Add new methods for each of your frequently used filters
Using a Model Manager to Create New Objects1:14
You may have a similar logic in multiple areas of the site to deal with inserting data. You can create a manager function that accepts your data as a parameter and centralizes your insertion logic. In this lecture, you will learn the following concepts:

Create a method on your manager that accepts your data
Perform the validation according to your rules
Model manager methods can access related fields
Creating manage.py Commands2:56
Do you perform regular maintenance on your application? You can simplify periodic cron tasks by creating custom manage.py commands. In this lecture, you will learn the following topics:

Create a module called management
Create a submodule called commands, which is a manage.py command
Improve the performance of your apps as well as reduce problems caused by code duplication

Understanding the Web Application Penetration Testing Process7:48
In this lecture you will learn about the web app penetration-testing methodology, the toolset, and our lab environment. We will cover the following topics:

Introduce web application penetration testing with the security of the application and methodology in performing such tests
Learn about the tools most commonly used by professional pentesters
Take a look at our lab environment
Typical Web Application Toolkit6:17
You will learn about the traditional tools used by security professionals to perform penetration tests. This will provide a basic understanding of the most important type of tools used, and give us ideas on what we can build with Python. In this lecture you will cover the following concepts:

Introduce HTTP proxies, the most important tool of the set
Learn about Web Crawlers/ Spiders, Scanners, and brute forcers
Explore tools specifics for certain tasks or scenarios
Exploring the Testing Environment6:14
We need to set up the testing environment and we would use VirtualBox, VM, text editor, and the vulnerable Web application we are going to use as target of our tests. In this lecture you will learn the following concepts:

Install VirtualBox to run our Lab VM
Access the testing application
Finally we are going to see the text editor and an important warning

What is Web Application Mapping?3:33
In this lecture, you’ll learn about web application mapping, what it is, and how to do it:

Revisit the penetration testing process
Check out the different options of performing the mapping
Check out a mapping example from Burp suite
Creating a Crawler with Scrapy7:55
We want to create a web application crawler to help us map an application. In this lecture, you will learn the following concepts:

Define the objective
Create a Scrapy project
Run the project and verify the results
Understanding Recursive Crawling3:41
We created a basic crawler, but now, we want to make it recursive to cover all the web application content. In this lecture, you will learn the following concepts:

Create the code to extract all the links
Check whether the links are valid
Run the crawler and check the results
Extracting Information5:22
We need to extract information from the web application that will be useful for our Security testing.

Learn how to extract e-mails
Extract forms
Extract comments
Test Your Knowledge

What is Resource Discovery?4:00
Most applications have resources that are not linked and tools such as crawlers or proxies won’t find. So, we need to discover resources with other methods. In this lecture, we will learn the following concepts:

Explain what resource discovery is and how it complements other tools
Note why it is important to use resource discovery techniques
Explore useful dictionaries that can be used to discover resources
Building Our First Brute Forcer5:24
In order to find more resources that are not linked in a web application, we need to create a brute forcer in order to discover resources using dictionary files.

Define the objective of the brute forcer
Explain the code of the basic brute forcer
Run the brute forcer and check the results
Analyzing the Results5:13
We need to improve the results of the brute forcer in order to facilitate the discovery of interesting resources. Let's do just this!

Add colors by status code
Add the number of characters, words, and lines of responses
Test the script and see the results
Adding More Information3:51
In this video, we will add the detection of redirections and generate more information about the responses, such as the time it takes the response and the MD5 hash of the content. In this lecture, we will cover the following concepts:

Detect the redirections
Add the response time and MD5 hash
Test the script and note the improvements
Taking Screenshots of the Findings4:14
When conducting an analysis of big web applications, having a screenshot of the discovered resources could be very handy. We need to add this capability by taking a screenshot of all the resources that return a 200 status code. In this lecture, we will cover the following topics:

Explain which libraries we will use
Add the imports and the code to take the picture
Test this new feature

Requirements

You should be familiar with Python syntax and data structures
You will need to have a Python development environment ready to go (2.7)
Prior experience with Django will be useful, but not required (1.8)

Description

Do you want to quickly build web applications that are highly scalable and secure by design? Are you keen on using your existing Python skills for web development instead of learning a completely new language?

This carefully structured course combines text, video and assessment content. It focuses on Python, starting out with core coverage of the Django framework. You'll learn how to build web applications from the ground up, in a responsible and scalable way. The latter sections then detail how you can take your web application and run it through a suite of comprehensive tests that prepare it for real-world security threats and exploits.

By taking this course you will not just learn about web development with Python. You'll understand how to build web applications properly, in a manner that lets you test and improve them responsibly to a professional standard.

Why should I choose this course?

We've spent the last decade working to help developers stay relevant. The structure of this course is a result of deep and intensive research into what real-world developers need to know in order to be job-ready. We don't spend too long on theory, and focus on practical results so that you can see for yourself how things work in action.

What details do you cover?

This course makes use of Django, which is one of the world's leading web development frameworks. As it sits within the Python ecosystem, it makes your application development experience extremely easy to approach without compromising on efficiency.

We start off by learning about class-based views, so that you can start building pages that respond to specific requests and URL structures. We’ll then dive into creating custom middleware, which will help us reuse code, resulting in a more complete introductory web application.

Have you ever wanted to build a complete REST API? Our next step is to do just that. Starting out with basic read-only functionality, we'll also add key-based authentication so that we can properly implement a CRUD (Create, Read, Update and Delete) feature set.

The latter part of the course will start with an overview of the web application penetration testing methodology. We also dive into the suite of tools used by real-world professionals so that you can start compiling your very own toolkit.

We don't just cover the background to penetration testing. We'll show you how to intercept HTTP techniques and interact directly with web applications using Python and the requests library. We'll also show you several web crawling techniques, on top of highly sought after SQL injection methods. You'll also lean how to write and develop your own custom tooling and reference scripts to save you time, just like the professionals.

By the time you reach the end, you'll have gone through the entire process of building and validating web applications with Django and Python. We've complied this into one easy reference that reflects the working habits of actual penetration testers to deliver the most accurate learning experience as possible.

We combine the best of the following Packt products:

Mastering Django Web Development by Kevin Veroneau and Matthew Nuzum
Python Web Penetration Testing Cookbook by Cameron Buchanan et al.
Learning Python Web Penetration Testing by Christian Martorella

Testimonials:

The source content have been received well by the audience. Here are a couple of reviews:

"Excellent videos with real case scenarios and code examples. Good explanations (e. g. how to find SQL code injection gaps)."

- Anonymous Customer.

"I loved the books and learnt new skills."

- Jatandar

Meet your expert instructors:

Christian Martorella has been working in security testing for more than 10 years. He is the author of multiple widely used penetration testing tools like Wfuzz, Metagoofil, theHarvester, and Webslayer, all of them included in Backtrack and Kali, and written in Python. He has presented security research in many conferences such as OWASP Summits, OWASP Meeting London and Barcelona, BlackHat Arsenal, Hack.lu, and OSIRA.

Matthew Nuzum has been developing web applications since 1999 and has worked for several start-ups including Canonical, the makers of Ubuntu, as well as several other Fortune 500 companies. He has a passion for helping others learn new technologies and has written numerous tutorials and help documents as well as running a web-focused user group based in his hometown of Des Moines.

Kevin Veroneau is a highly active Python and Django developer who has worked for many start-ups,. He has an active Python blog, and has worked on a magnitude of Python projects over the years.

Cameron Buchanan is a penetration tester by trade and a writer in his spare time. He has performed penetration tests around the world for a variety of clients across many industries. Previously, he was a member of the RAF.

Meet your managing editor:

This course has been planned and designed for you by me, Tanmayee Patil. I'm here to help you be successful every step of the way, and get maximum value out of your course purchase. If you have any questions along the way, you can reach out to me and our author group via the instructor contact feature on Udemy.

Who this course is for:

If you want to build upon your existing Python knowledge and get job-ready, then this is the course for you.
It focuses on two highly sought after specialist areas; web development and penetration testing. By combining coverage like this we’re able to guide you through the entire stack step-by-step, so you build real world exposure in a way that mirrors how the professionals work in the real world.

Python: Web Development and Penetration Testing

What you'll learn

Explore related topics

Course content

Advanced Uses of Class-based Views5 lectures • 10min

Building Custom Middleware3 lectures • 7min

Creating Custom Template Tags and Filters2 lectures • 8min

Building a REST API3 lectures • 11min

Advanced Database Modeling3 lectures • 9min

Learning Caching for Optimum Performance3 lectures • 9min

Management and Maintenance of Your Application3 lectures • 6min

Introduction to the Web Application Penetration Testing3 lectures • 20min

Learning Web Crawling with Scrapy4 lectures • 21min

Exploring Resources Discovery5 lectures • 23min

Requirements

Description

Who this course is for: