Learning Python Web Penetration Testing
4.0 (13 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
125 students enrolled
Wishlisted Wishlist

Please confirm that you want to add Learning Python Web Penetration Testing to your Wishlist.

Add to Wishlist

Learning Python Web Penetration Testing

Make your applications attack-proof by penetration testing with Python
4.0 (13 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
125 students enrolled
Created by Packt Publishing
Last updated 5/2016
Current price: $12 Original price: $75 Discount: 84% off
4 days left at this price!
30-Day Money-Back Guarantee
  • 3 hours on-demand video
  • 1 Supplemental Resource
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion

Training 5 or more people?

Get your team access to Udemy's top 2,000 courses anytime, anywhere.

Try Udemy for Business
What Will I Learn?
  • Understand the web application penetration testing methodology and toolkit
  • Interact with web applications using Python and the Requests library
  • Write a web crawler/spider with the Scrapy library
  • Create an HTTP bruteforcer based on Requests
  • Create a Password bruteforcer for Basic, NTLM, and Forms authentication
  • Detect and exploit SQL injections vulnerabilities by creating a script all by yourself
  • Intercept and manipulate HTTP communication using Mitmproxy
View Curriculum
  • Familiarity with Python is essential, but not to an expert level.

With the huge growth in the number of web applications in the recent times, there has also been an upsurge in the need to make these applications secure. Web penetration testing is the use of tools and code to attack a website or web app in order to assess its vulnerabilities to external threats. While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, the use of Python allows testers to write system-specific scripts, or alter and extend existing testing tools to find, exploit, and record as many security weaknesses as possible.

This course will walk you through the web application penetration testing methodology, showing you how to write your own tools with Python for every main activity in the process. It will show you how to test for security vulnerabilities in web applications just like security professionals and hackers do.

The course starts off by providing an overview of the web application penetration testing process and the tools used by professionals to perform these tests. Then we provide an introduction to HTTP and how to interact with web applications using Python and the Requests library. Then will follow the web application penetration testing methodology and cover each section with a supporting Python example. To finish off, we test these tools against a vulnerable web application created specifically for this course.

Stop just running automated tools—write your own and modify existing ones to cover your needs! This course will give you a flying start as a security professional by giving you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application’s needs.

About The Author

Christian Martorella has been working in the field of Information Security for the last 16 years, and is currently working as Principal Program Manager in the Skype Product Security team at Microsoft. Christian's current focus is on software security and security automation in a Devops world.

Before this, he was the Practice Lead of Threat and Vulnerability for Verizon Business, where he led a team of consultants in delivering security testing services in EMEA for a wide range of industries including Financial Services, Telecommunications, Utilities, and Government.

Christian has been exposed to a wide array of technologies and industries, which has given him the opportunity to work in every possible area of IT security and from both sides of the fence, providing him with a unique set of skills and vision on Cyber Security.

He is the co-founder and an active member of Edge-Security team, who releases security tools and research. Christian has contributed to open source security testing and information gathering tools such as OWASP WebSlayer, Wfuzz, theHarvester, and Metagoofil, all included in Kali, the penetration testing Linux distribution.

Christian presented at Blackhat Arsenal USA, Hack.Lu, What The Hack!, NoConName, FIST Conferences, OWASP Summits, OWASP meetings (Spain, London, Portugal, and Venice), and Open Source Intelligence Conference (OSIRA). In the past, Christian has organized more than 20 FIST Conferences in Barcelona, providing a forum for professionals and amateurs interested in Security Testing. Christian holds a Master's degree in Business Administration from Warwick Business School, and multiple security certifications such as CISSP, CISM, CISA, OPSA, and OPST.

Who is the target audience?
  • If you are a web developer who wants to step into the web application security testing world, this course will provide you with the knowledge you need in no time! If you are penetration tester or want to become one, this course will provide you with a skill set that will give you the edge on the market.
Compare to Other Python Courses
Curriculum For This Course
30 Lectures
4 Lectures 26:22

This video provides an overview of the entire course.

Preview 05:58

You will learn about the web app penetration-testing methodology, the toolset, and our lab environment. 

Understanding Web Application Penetration Testing Process

You will learn about the traditional tools used by security professionals to perform penetration tests. This will provide a basic understanding of the most important type of tools used, and give us ideas on what we can build with Python. 

Typical Web Application Toolkit

We need to set up the testing environment and we would use VirtualBox, VM, text editor, and the vulnerable Web application we are going to use as target of our tests. 

Testing Environment
Interacting with Web Applications
4 Lectures 32:52

This video introduces HTTP, how it works, and the different methods available to communicate with an HTTP server. 

Preview 07:10

You’ll understand the anatomy of an HTTP request in order to make your own tools. 

Anatomy of an HTTP Request

We want to learn how to send HTTP request with Python. 

Interacting with Web Apps Using Requests Library

In this video, we are going to learn about HTTP response codes. 

Analyzing the Responses
Web Crawling with Scrapy
4 Lectures 20:36

You’ll learn about web application mapping, what it is, and how to do it. 

Preview 03:35

We want to create a web application crawler to help us map an application. 

Creating a Crawler with Scrapy

We created a basic crawler, but now, we want to make it recursive to cover all the web application content. 

Recursive Crawling

We need to extract information from the web application that will be useful for our Security testing. 

Extracting Information
Resources Discovery
5 Lectures 22:54

Most applications have resources that are not linked and tools such as crawlers or proxies won’t find. So, we need to discover resources with other methods. 

Preview 04:03

In order to find more resources that are not linked in a web application, we need to create a brute forcer in order to discover resources using dictionary files. 

Building Our First Brute Forcer

We need to improve the results of the brute forcer in order to facilitate the discovery of interesting resources. Let's do just this! 

Analyzing the Results

In this video, we will add the detection of redirections and generate more information about the responses, such as the time it takes the response and the MD5 hash of the content. 

Adding More Information

When conducting an analysis of big web applications, having a screenshot of the discovered resources could be very handy. We need to add this capability by taking a screenshot of all the resources that return a 200 status code. 

Taking Screenshots of the Findings
Password Testing
4 Lectures 21:27

The most important security control in a web application is the authentication. Let’s learn password testing and the different approaches. 

Preview 04:58

We want to create a brute forcer for Basic authentication in order to detect the valid passwords for a given user. 

Our First Password Brute Forcer

Some applications use an authentication method called Digest authentication, which is stronger and more secure than Basic authentication. We want to add support to this method to our script. 

Adding Support for Digest Authentication

You learned how to test Basic- and Digest-based authentication, but most of the web application use Form-based authentication, which is the famous login form. In this video, you will learn how we can brute force these forms. 

Form-based Authentication
Detecting and Exploiting SQL Injection Vulnerabilities
4 Lectures 22:55

SQL injection vulnerabilities are one of the most dangerous issues that can affect a Web application. In this section, you will learn what it is, how it works, and see the difference between SQLi and Blind SQLi. 

Preview 04:51

SQL injection is one of the most dangerous vulnerabilities in a web application. In this video, you will learn what the methods available for detecting it are, and then we will automate the process in Python. 

Detecting SQL Injection Issues

This video will focus on what an attacker can do after they find a valid SQLi. We will review the options and automate some of them in our script. 

Exploiting a SQL Injection to Extract Data

When exploiting SQLi, one the most important parts is to identify the names of the tables in the DB in order to find interesting data. Another important option is reading OS files as we can obtain more passwords and get the source code of the app to find other vulnerabilities. 

Advanced SQLi Exploiting
Intercepting HTTP Requests
5 Lectures 23:27

Being the proxy is one of the most useful tools in web app security testing. You will learn how it works, why they are used, and finally, the different types of HTTP proxies available. 

Preview 04:08

In this video, we will introduce mitmproxy and explain why it was chosen to learn about HTTP proxy in Python. 

Introduction to mitmproxy

The main functionality of an HTTP proxy is to intercept and manipulate traffic. In this video, we will note how to do this in mitmproxy. 

Manipulating HTTP Requests

In the previous video, we saw how mitmproxy works and how to manipulate the HTTP communication. Now, let’s take a look at how can we put together what we discussed before about SQLi in order to scan for SQLi issues while we browse. 

Automating SQLi in mitmproxy

In this video, we’ll look at wrapping up the course. 

Wrapping Up
About the Instructor
Packt Publishing
3.9 Average rating
8,274 Reviews
59,158 Students
687 Courses
Tech Knowledge in Motion

Packt has been committed to developer learning since 2004. A lot has changed in software since then - but Packt has remained responsive to these changes, continuing to look forward at the trends and tools defining the way we work and live. And how to put them to work.

With an extensive library of content - more than 4000 books and video courses -Packt's mission is to help developers stay relevant in a rapidly changing world. From new web frameworks and programming languages, to cutting edge data analytics, and DevOps, Packt takes software professionals in every field to what's important to them now.

From skills that will help you to develop and future proof your career to immediate solutions to every day tech challenges, Packt is a go-to resource to make you a better, smarter developer.

Packt Udemy courses continue this tradition, bringing you comprehensive yet concise video courses straight from the experts.