Python: Web Development and Penetration Testing
4.0 (2 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
114 students enrolled
Wishlisted Wishlist

Please confirm that you want to add Python: Web Development and Penetration Testing to your Wishlist.

Add to Wishlist

Python: Web Development and Penetration Testing

An all-in-one guide to building secure web apps with Python and Django. Start with basic Python, finish as an expert!
4.0 (2 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
114 students enrolled
Created by Packt Publishing
Last updated 1/2017
Current price: $10 Original price: $200 Discount: 95% off
5 hours left at this price!
30-Day Money-Back Guarantee
  • 3 hours on-demand video
  • 6 Articles
  • 15 Supplemental Resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
  • Learn how to build and structure efficient Python web applications
  • Create and use your own custom middleware for Django web apps
  • Conduct end-to-end web application penetration testing in a live environment
  • Build an in-depth understanding of the process behind web pen testing
  • Stay relevant by laying the groundwork for further penetration testing exposure
View Curriculum
  • You should be familiar with Python syntax and data structures
  • You will need to have a Python development environment ready to go (2.7)
  • Prior experience with Django will be useful, but not required (1.8)

Do you want to quickly build web applications that are highly scalable and secure by design? Are you keen on using your existing Python skills for web development instead of learning a completely new language?

This carefully structured course combines text, video and assessment content. It focuses on Python, starting out with core coverage of the Django framework. You'll learn how to build web applications from the ground up, in a responsible and scalable way. The latter sections then detail how you can take your web application and run it through a suite of comprehensive tests that prepare it for real-world security threats and exploits.

By taking this course you will not just learn about web development with Python. You'll understand how to build web applications properly, in a manner that lets you test and improve them responsibly to a professional standard.

Why should I choose this course?

We've spent the last decade working to help developers stay relevant. The structure of this course is a result of deep and intensive research into what real-world developers need to know in order to be job-ready. We don't spend too long on theory, and focus on practical results so that you can see for yourself how things work in action.

What details do you cover?

This course makes use of Django, which is one of the world's leading web development frameworks. As it sits within the Python ecosystem, it makes your application development experience extremely easy to approach without compromising on efficiency.

We start off by learning about class-based views, so that you can start building pages that respond to specific requests and URL structures. We’ll then dive into creating custom middleware, which will help us reuse code, resulting in a more complete introductory web application.

Have you ever wanted to build a complete REST API? Our next step is to do just that. Starting out with basic read-only functionality, we'll also add key-based authentication so that we can properly implement a CRUD (Create, Read, Update and Delete) feature set.

The latter part of the course will start with an overview of the web application penetration testing methodology. We also dive into the suite of tools used by real-world professionals so that you can start compiling your very own toolkit.

We don't just cover the background to penetration testing. We'll show you how to intercept HTTP techniques and interact  directly with web applications using Python and the requests library. We'll also show you several web crawling techniques, on top of highly sought after SQL injection methods. You'll also lean how to write and develop your own custom tooling and reference scripts to save you time, just like the professionals.

By the time you reach the end, you'll have gone through the entire process of building and validating web applications with Django and Python. We've complied this into one easy reference that reflects the working habits of actual penetration testers to deliver the most accurate learning experience as possible.

We combine the best of the following Packt products:

  • Mastering Django Web Development by Kevin Veroneau and Matthew Nuzum
  • Python Web Penetration Testing Cookbook by Cameron Buchanan et al.
  • Learning Python Web Penetration Testing by Christian Martorella


The source content have been received well by the audience. Here are a couple of reviews:

"Excellent videos with real case scenarios and code examples. Good explanations (e. g. how to find SQL code injection gaps)."

- Anonymous Customer.

"I loved the books and learnt new skills."

- Jatandar

Meet your expert instructors:

Christian Martorella has been working in security testing for more than 10 years. He is the author of multiple widely used penetration testing tools like Wfuzz, Metagoofil, theHarvester, and Webslayer, all of them included in Backtrack and Kali, and written in Python. He has presented security research in many conferences such as OWASP Summits, OWASP Meeting London and Barcelona, BlackHat Arsenal,, and OSIRA.

Matthew Nuzum has been developing web applications since 1999 and has worked for several start-ups including Canonical, the makers of Ubuntu, as well as several other Fortune 500 companies. He has a passion for helping others learn new technologies and has written numerous tutorials and help documents as well as running a web-focused user group based in his hometown of Des Moines.

Kevin Veroneau is a highly active Python and Django developer who has worked for many start-ups,. He has an active Python blog, and has worked on a magnitude of Python projects over the years.

Cameron Buchanan is a penetration tester by trade and a writer in his spare time. He has performed penetration tests around the world for a variety of clients across many industries. Previously, he was a member of the RAF.

Meet your managing editor:

This course has been planned and designed for you by me, Tanmayee Patil. I'm here to help you be successful every step of the way, and get maximum value out of your course purchase. If you have any questions along the way, you can reach out to me and our author group via the instructor contact feature on Udemy.

Who is the target audience?
  • If you want to build upon your existing Python knowledge and get job-ready, then this is the course for you.
  • It focuses on two highly sought after specialist areas; web development and penetration testing. By combining coverage like this we’re able to guide you through the entire stack step-by-step, so you build real world exposure in a way that mirrors how the professionals work in the real world.
Compare to Other Python Courses
Curriculum For This Course
53 Lectures
Advanced Uses of Class-based Views
5 Lectures 09:42

In this video, we begin by learning how class-based views work so that you can fully benefit from this powerful, but often poorly understood feature. Generic class-based views provide a lot of functionality. Let's take a look at how you can easily extend them to create your own custom solution. From this lecture, you will learn the following topics:

  • Extend DetailView with your own data in three lines of code
  • Go further to add custom context with just a little more code
  • Reuse or even extend your new custom views

Understanding Class-based Views

The built–in, generic class-based views are actually made up of many reusable mixins. Take a look at how you can use the same technique to add your own behaviors into your class-based views. In this lecture, you will cover the following topics:

  • Understand how DetailView is made from several mixins
  • Create a new-style Python class with the behavior we want
  • Include your mixin when creating a custom class-based view
Using Mixins

You don't have to use generic class-based views. If you plan to override much of the built-in behavior or just don't need it, then you can start out with a simpler class, such as view. In this lecture, you will learn the following topics:

  • Learn how the View class adds the very basic functionality needed for a view
  • Add methods corresponding to the RESTful verbs, such as get and post
  • Use the views in the same way that you would use a generic class-based view 

Creating Custom Class-based Views

You can create a single class-based view that can handle all of the operations for a set of data. These are sometimes called switchboard classes, and they can help make your code easier to maintain. In this video, you will learn the following topics:

  • Start out with a class based on the View object
  • Python's getattr function can call different methods based on parameters
  • Create a method for each operation of your switchboard 
Creating a Switchboard View

Test Your Knowledge
2 questions
Building Custom Middleware
3 Lectures 06:36

Code that is used in many views can be moved into middleware, allowing it to operate either before or after your view code is executed. In this lecture, you will learn the following topics:

  • Process the Request and Process view hooks to run before your view
  • Make Process Template Response and Process Response run after your view
  • Get Process Exception running if there is an unhandled exception 
What is Middleware?

Middleware classes are not fancy; they simply have one or more methods that correspond to one of the five predefined hooks available. We will cover the following topics in this lecture:

  • Decide which hooks your middleware should implement
  • Create a standard- or new-style class
  • Define a method corresponding to the hooks you want 
Creating your Own Custom Middleware

Showing users exceptions is unprofessional and may be a security problem. Let's examine an easier way to create middleware that catches and responds to unhandled exceptions. In this lecture, we will explore the following topics:

  • Create a class and add it to middleware
  • Define a process_exception method
  • Capture and process exceptions before they get to the user 
Middleware to Handle Exceptions

Test Your Knowledge
2 questions
Creating Custom Template Tags and Filters
2 Lectures 07:40

In this lecture we will explore the possibility of creating custom filters to make frequently used behaviors easily reusable for everyone on our team:

  • Create a submodule of template tags
  • Register your filter with the register.filter decorator
  • Include your custom filter on any template that uses it
Creating Template Filters

If you need a functionality that is too sophisticated for a filter, it should be a template tag. These are of several kinds, such as simple_tag for basic functionality and a template inclusion tag to bring in entire templates.

  • Create a submodule of template tags
  • Register your template tag with the register.simple_tag decorator
  • Include your custom tag on any template that uses it
Building Custom Template Tags
Building a REST API
3 Lectures 10:48

With the growing popularity of Angular.js and similar tools, more applications need to provide a RESTful API. Tastypie is a Python module that does most of the work for us. Let's check it out in this lecture. You will learn the following topics:

  • Install the Django-tastypie module
  • Use the Resource or ModelResource modules to autogenerate an API from your data
  • Activate your URLs to get a basic read-only API 
Using Tastypie to Create a REST API

Sometimes you want to modify the data before it goes out to the API. Tastypie makes it easy to add or customize the data returned from the API.

  • Take a look at how the tastypie dehydrates functionality and serializes our data
  • Customize the dehydrate process to add custom fields
  • Inspect the data in the API to check whether your changes were made 
Handling Complex Queries with Our API

Not all applications work with a read-only API. Sometimes, you want full CRUD support from your API. You need to add an authentication step before you make this functionality available. Fortunately, Tastypie does all of this for us. In this lecture, we will learn the following topics:

  • Enable ApiKeyAuthentication and run a migration
  • Create a key for a user and add an authorization header to your request
  • Enjoy full support of get, post, patch, and delete 
Adding Authentication and CRUD Support
Advanced Database Modeling
3 Lectures 09:17

Sometimes, you want to combine data from different models. It's not hard to do this with Python, but generic relationships allow Django to do this for you. In this lecture, you will learn the following topics:

  • Include the ContentType and GenericForeignKey modules
  • Define a model that has GenericForeignKey
  • Ensure that the GenericForeignKey keys are all the same datatype 
Understanding Generic Relationships

Have you wished you could add or edit many records to the database at once? With only a few lines of code, you can add this capability to your application.

  • Check out formsets that are based on the FormView class
  • Use modelformset_factory as a form class
  • Modify form as a list in our template 
Data Management using Formsets

Django's ORM works fine when your filters are combined using the AND operator. If you want to perform more complicated queries, you should use the Q function, which just gives you more flexibility with your logic.

  • Understand the use of & or | to combine filter options with AND or OR
  • Use parentheses to get the proper logical operations
  • If you need more power, use the raw function and SQL 
Learning Advanced Queries with Q()
Learning Caching for Optimum Performance
3 Lectures 09:01

Is your application running slow? You may be performing expensive operations more often than necessary. We can use low-level caching operations to have tight control over our application's performance. In this lecture, you will learn the following topics:

  • Enable caching using memcached, redis, or your database
  • Take a look at how cache.get and cache.set allow you to set and retrieve cached data
  • Use database caching during development and another style in production 
Low-level Caching

Do you have data that is accessed on many views? We already know we can create middleware to reduce duplication, but why not add caching at to middleware to also speed up performance? In this lecture, you will learn the following topics:

  • Create a middleware that responds to the process_request hook
  • Use cache.get to check whether your data is cached
  • Fetch your data and add it to the request 
Caching with Middleware

If your cache needs are simpler, you can perform caching at the template level. This can provide a tremendous improvement in performance and is easy to use. In this lecture, you will learn the following topics: 

  • Load the cache template tag in templates that need it
  • Wrap the cache tags to specify the data to be cached and an expiration
  • Consider a frontend cache, such as Varnish, to further speed up parts of your site 
Using the Template Cache
Management and Maintenance of Your Application
3 Lectures 06:15

Do you frequently perform the same query and filter operation in multiple views? Avoid duplication using model managers. In this lecture, you will learn the following topics:

  • Models already have a manager called objects
  • Override objects with your own manager to add custom functionality
  • Add new methods for each of your frequently used filters 
Exploring Model Managers

You may have a similar logic in multiple areas of the site to deal with inserting data. You can create a manager function that accepts your data as a parameter and centralizes your insertion logic. In this lecture, you will learn the following concepts:

  • Create a method on your manager that accepts your data
  • Perform the validation according to your rules
  • Model manager methods can access related fields 
Using a Model Manager to Create New Objects

Do you perform regular maintenance on your application? You can simplify periodic cron tasks by creating custom commands. In this lecture, you will learn the following topics:

  • Create a module called management
  • Create a submodule called commands, which is a command
  • Improve the performance of your apps as well as reduce problems caused by code duplication 
Creating Commands
Introduction to the Web Application Penetration Testing
3 Lectures 20:19

In this lecture you will learn about the web app penetration-testing methodology, the toolset, and our lab environment. We will cover the following topics:

  • Introduce web application penetration testing with the security of the application and methodology in performing such tests
  • Learn about the tools most commonly used by professional pentesters
  • Take a look at our lab environment 
Preview 07:48

You will learn about the traditional tools used by security professionals to perform penetration tests. This will provide a basic understanding of the most important type of tools used, and give us ideas on what we can build with Python. In this lecture you will cover the following concepts:

  • Introduce HTTP proxies, the most important tool of the set
  • Learn about Web Crawlers/ Spiders, Scanners, and brute forcers
  • Explore tools specifics for certain tasks or scenarios 
Typical Web Application Toolkit

We need to set up the testing environment and we would use VirtualBox, VM, text editor, and the vulnerable Web application we are going to use as target of our tests. In this lecture you will learn the following concepts:

  • Install VirtualBox to run our Lab VM
  • Access the testing application
  • Finally we are going to see the text editor and an important warning 
Exploring the Testing Environment
Learning Web Crawling with Scrapy
4 Lectures 20:31

In this lecture, you’ll learn about web application mapping, what it is, and how to do it:

  • Revisit the penetration testing process
  • Check out the different options of performing the mapping
  • Check out a mapping example from Burp suite 
What is Web Application Mapping?

We want to create a web application crawler to help us map an application. In this lecture, you will learn the following concepts:

  • Define the objective
  • Create a Scrapy project
  • Run the project and verify the results 
Creating a Crawler with Scrapy

We created a basic crawler, but now, we want to make it recursive to cover all the web application content. In this lecture, you will learn the following concepts:

  • Create the code to extract all the links
  • Check whether the links are valid
  • Run the crawler and check the results 
Understanding Recursive Crawling

We need to extract information from the web application that will be useful for our Security testing.

  • Learn how to extract e-mails
  • Extract forms
  • Extract comments 
Extracting Information

Test Your Knowledge
1 question
Exploring Resources Discovery
5 Lectures 22:42

Most applications have resources that are not linked and tools such as crawlers or proxies won’t find. So, we need to discover resources with other methods. In this lecture, we will learn the following concepts:

  • Explain what resource discovery is and how it complements other tools
  • Note why it is important to use resource discovery techniques
  • Explore useful dictionaries that can be used to discover resources 
What is Resource Discovery?

In order to find more resources that are not linked in a web application, we need to create a brute forcer in order to discover resources using dictionary files.

  • Define the objective of the brute forcer
  • Explain the code of the basic brute forcer
  • Run the brute forcer and check the results
Building Our First Brute Forcer

We need to improve the results of the brute forcer in order to facilitate the discovery of interesting resources. Let's do just this!

  • Add colors by status code
  • Add the number of characters, words, and lines of responses
  • Test the script and see the results 
Analyzing the Results

In this video, we will add the detection of redirections and generate more information about the responses, such as the time it takes the response and the MD5 hash of the content. In this lecture, we will cover the following concepts:

  • Detect the redirections
  • Add the response time and MD5 hash
  • Test the script and note the improvements 
Adding More Information

When conducting an analysis of big web applications, having a screenshot of the discovered resources could be very handy. We need to add this capability by taking a screenshot of all the resources that return a 200 status code. In this lecture, we will cover the following topics:

  • Explain which libraries we will use
  • Add the imports and the code to take the picture
  • Test this new feature 
Taking Screenshots of the Findings
4 More Sections
About the Instructor
Packt Publishing
3.9 Average rating
8,229 Reviews
59,023 Students
687 Courses
Tech Knowledge in Motion

Packt has been committed to developer learning since 2004. A lot has changed in software since then - but Packt has remained responsive to these changes, continuing to look forward at the trends and tools defining the way we work and live. And how to put them to work.

With an extensive library of content - more than 4000 books and video courses -Packt's mission is to help developers stay relevant in a rapidly changing world. From new web frameworks and programming languages, to cutting edge data analytics, and DevOps, Packt takes software professionals in every field to what's important to them now.

From skills that will help you to develop and future proof your career to immediate solutions to every day tech challenges, Packt is a go-to resource to make you a better, smarter developer.

Packt Udemy courses continue this tradition, bringing you comprehensive yet concise video courses straight from the experts.