In the previous video, we saw how mitmproxy works and how to manipulate the HTTP communication. Now, let’s take a look at how can we put together what we discussed before about SQLi in order to scan for SQLi issues while we browse.
- [Instructor] Hi, and welcome to video four…of section seven.…In the previous video we saw how to manipulate…an HTTP request using mitmproxy.…In this video we're going to learn how we can automate…a test case for SQL injection in mitmproxy,…creating an inline script that we will use,…the request handler, and some of the things we learned…in the previous sections.…In this video we're going to start defining…the objective we want to achieve with the inline script,…then we're going to work on the script,…and finally we're going to test the SQL injection script…we created against our web application.…
The objective of this video is to create an inline script…for mitmproxy that will allow us to test for SQL injection…in every URL that has a parameter.…So the process we need to do is for every URL…that has parameters we need to replace each parameter…value by FUZZ while conserving…the rest of the parameter's values,…instead of replacing all the values by FUZZ at once.…Then we replace FUZZ string in each URL…by each value in the injection's array.…
Stop using automated testing tools. Customize and write your own tests with Python! While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, Python allows testers to write system-specific scripts—or alter and extend existing testing tools—to find, exploit, and record as many security weaknesses as possible. This course will give you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application's needs.
Christian Martorella starts off by providing an overview of the web application penetration testing process and the tools the professionals use to perform these tests. Next he shows how to interact with web applications using Python, HTTP, and the Requests library. Then follow the web application penetration testing methodology. Each section contains practical Python examples. To finish off, Christian shows how to use the tools against a vulnerable web application created specifically for this course.
- Understanding web penetration testing
- Interacting with web applications via HTTP and the Requests library
- Analyzing HTTP responses
- Web crawling with Scrapy
- Extracting information
- Discovering resources
- Testing passwords
- Detecting and exploiting SQL injection vulnerabilities
- Intercepting HTTP requests