Python Web Penetration Testing Cookbook

Over 60 indispensable Python recipes to ensure you always have the right code on hand for web application testing

Python Web Penetration Testing Cookbook

This ebook is included in a Mapt subscription
Cameron Buchanan et al.

1 customer reviews
Over 60 indispensable Python recipes to ensure you always have the right code on hand for web application testing
$10.00
$44.99
RRP $35.99
RRP $44.99
eBook
Print + eBook
Preview in Mapt

Book Details

ISBN 139781784392932
Paperback224 pages

Book Description

This book gives you an arsenal of Python scripts perfect to use or to customize your needs for each stage of the testing process. Each chapter takes you step by step through the methods of designing and modifying scripts to attack web apps. You will learn how to collect both open and hidden information from websites to further your attacks, identify vulnerabilities, perform SQL Injections, exploit cookies, and enumerate poorly configured systems. You will also discover how to crack encryption, create payloads to mimic malware, and create tools to output your findings into presentable formats for reporting to your employers.

Table of Contents

Chapter 1: Gathering Open Source Intelligence
Introduction
Gathering information using the Shodan API
Scripting a Google+ API search
Downloading profile pictures using the Google+ API
Harvesting additional results from the Google+ API using pagination
Getting screenshots of websites with QtWebKit
Screenshots based on a port list
Spidering websites
Chapter 2: Enumeration
Introduction
Performing a ping sweep with Scapy
Scanning with Scapy
Checking username validity
Brute forcing usernames
Enumerating files
Brute forcing passwords
Generating e-mail addresses from names
Finding e-mail addresses from web pages
Finding comments in source code
Chapter 3: Vulnerability Identification
Introduction
Automated URL-based Directory Traversal
Automated URL-based Cross-site scripting
Automated parameter-based Cross-site scripting
Automated fuzzing
jQuery checking
Header-based Cross-site scripting
Shellshock checking
Chapter 4: SQL Injection
Introduction
Checking jitter
Identifying URL-based SQLi
Exploiting Boolean SQLi
Exploiting Blind SQL Injection
Encoding payloads
Chapter 5: Web Header Manipulation
Introduction
Testing HTTP methods
Fingerprinting servers through HTTP headers
Testing for insecure headers
Brute forcing login through the Authorization header
Testing for clickjacking vulnerabilities
Identifying alternative sites by spoofing user agents
Testing for insecure cookie flags
Session fixation through a cookie injection
Chapter 6: Image Analysis and Manipulation
Introduction
Hiding a message using LSB steganography
Extracting messages hidden in LSB
Hiding text in images
Extracting text from images
Enabling command and control using steganography
Chapter 7: Encryption and Encoding
Introduction
Generating an MD5 hash
Generating an SHA 1/128/256 hash
Implementing SHA and MD5 hashes together
Implementing SHA in a real-world scenario
Generating a Bcrypt hash
Cracking an MD5 hash
Encoding with Base64
Encoding with ROT13
Cracking a substitution cipher
Cracking the Atbash cipher
Attacking one-time pad reuse
Predicting a linear congruential generator
Identifying hashes
Chapter 8: Payloads and Shells
Introduction
Extracting data through HTTP requests
Creating an HTTP C2
Creating an FTP C2
Creating an Twitter C2
Creating a simple Netcat shell
Chapter 9: Reporting
Introduction
Converting Nmap XML to CSV
Extracting links from a URL to Maltego
Extracting e-mails to Maltego
Parsing Sslscan into CSV
Generating graphs using plot.ly

What You Will Learn

  • Enumerate users on web apps through Python
  • Develop complicated header-based attacks through Python
  • Deliver multiple XSS strings and check their execution success
  • Handle outputs from multiple tools and create attractive reports
  • Create PHP pages that test scripts and tools
  • Identify parameters and URLs vulnerable to Directory Traversal
  • Replicate existing tool functionality in Python
  • Create basic dial-back Python scripts using reverse shells and basic Python PoC malware

Authors

Table of Contents

Chapter 1: Gathering Open Source Intelligence
Introduction
Gathering information using the Shodan API
Scripting a Google+ API search
Downloading profile pictures using the Google+ API
Harvesting additional results from the Google+ API using pagination
Getting screenshots of websites with QtWebKit
Screenshots based on a port list
Spidering websites
Chapter 2: Enumeration
Introduction
Performing a ping sweep with Scapy
Scanning with Scapy
Checking username validity
Brute forcing usernames
Enumerating files
Brute forcing passwords
Generating e-mail addresses from names
Finding e-mail addresses from web pages
Finding comments in source code
Chapter 3: Vulnerability Identification
Introduction
Automated URL-based Directory Traversal
Automated URL-based Cross-site scripting
Automated parameter-based Cross-site scripting
Automated fuzzing
jQuery checking
Header-based Cross-site scripting
Shellshock checking
Chapter 4: SQL Injection
Introduction
Checking jitter
Identifying URL-based SQLi
Exploiting Boolean SQLi
Exploiting Blind SQL Injection
Encoding payloads
Chapter 5: Web Header Manipulation
Introduction
Testing HTTP methods
Fingerprinting servers through HTTP headers
Testing for insecure headers
Brute forcing login through the Authorization header
Testing for clickjacking vulnerabilities
Identifying alternative sites by spoofing user agents
Testing for insecure cookie flags
Session fixation through a cookie injection
Chapter 6: Image Analysis and Manipulation
Introduction
Hiding a message using LSB steganography
Extracting messages hidden in LSB
Hiding text in images
Extracting text from images
Enabling command and control using steganography
Chapter 7: Encryption and Encoding
Introduction
Generating an MD5 hash
Generating an SHA 1/128/256 hash
Implementing SHA and MD5 hashes together
Implementing SHA in a real-world scenario
Generating a Bcrypt hash
Cracking an MD5 hash
Encoding with Base64
Encoding with ROT13
Cracking a substitution cipher
Cracking the Atbash cipher
Attacking one-time pad reuse
Predicting a linear congruential generator
Identifying hashes
Chapter 8: Payloads and Shells
Introduction
Extracting data through HTTP requests
Creating an HTTP C2
Creating an FTP C2
Creating an Twitter C2
Creating a simple Netcat shell
Chapter 9: Reporting
Introduction
Converting Nmap XML to CSV
Extracting links from a URL to Maltego
Extracting e-mails to Maltego
Parsing Sslscan into CSV
Generating graphs using plot.ly

Book Details

ISBN 139781784392932
Paperback224 pages
Read More
From 1 reviews

Read More Reviews

Recommended for You