We need to set up the testing environment. We will use VirtualBox, the lab VM, a text editor, and the vulnerable web application that will serve as the target of our tests.
- [Martorella] In the previous video we learned which tools a professional penetration tester uses when testing a web application. In this video, we're going to take a look at our testing lab environment. We will start by installing the VirtualBox software to run our lab VM. We are going to access the vulnerable web application, get familiar with the text editor, and finally I will give you an important warning. The first tool that we need is VirtualBox.
This will allow you to run the lab environment virtual machine created for this training. You can download VirtualBox from virtualbox.org/wiki/Downloads. Choose your host OS and download the installer. After downloading VirtualBox, we can download the virtual machine created for this course. Once the file is downloaded, we can proceed with the installation of VirtualBox.
Install VirtualBox. In my case, double-click on the .dmg file. We follow the installation instructions. And once we are finished, we decompress the lab virtual machine.
In my case, I use an archive in OS X. You can use 7-Zip on other platforms.
Once decompressed, we will start VirtualBox. We are going to open the VM. Once the VM is loaded in VirtualBox, we are going to start the machine, wait for it to boot until we get the login prompt. We are going to log in with the user Packt and the password secret. Now we have our lab ready for action.
For the purpose of this course, we have created a vulnerable web application that will allow us to test for different types of vulnerabilities using our own developed tools. The application simulates a very simple banking application. It is developed in PHP with MySQL and it is served by Apache. Now we are going to open the browser in our VM and load the URL scruffybank.com.
I created an /etc/hosts entry to redirect that hostname to localhost. This application is running on an Apache server in the VM. You should see the index page. If you click on "learn more" we will see some information, and on the top right-hand side you can access the login page.
Our last tool in the lab is the text editor where we are going to write the scripts. One possible choice would be Atom, a multi-platform open source and free editor developed by the GitHub folks. Feel free to install or use the editor you prefer. In order to start Atom, go to the desktop item named Atom and the editor will start with a blank file.
You can start typing code, but until you save the file and add an extension, it won't do syntax highlighting. I will open an example in my home directory called test1.py. This is how a Python script looks in Atom. Last but not least, I want to highlight that many of the penetration testing activities, if not all of them, are not allowed to be performed without the target companies' permission.
In many countries, these activities are illegal, again, without proper permissions. Always use a testing environment whenever you want to try a new tool or technique. Again, whenever you're going to perform a penetration test for a customer, get a written authorization. In this video, we have seen the lab environment we are going to use throughout the training. We have installed VirtualBox, run the lab virtual machine, and we have accessed the testing web app Scruffy bank.
We saw a quick example of the text editor, and finally we have seen an important warning about the consequences of doing penetration testing without permission from the customer. In the next section we are going to learn how to interact with a web application using Python, understand the anatomy of an HTTP request, URL, headers, message body, and we are going to create a script to perform a request, interpret the response and its headers.
Stop using automated testing tools. Customize and write your own tests with Python! While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, Python allows testers to write system-specific scripts—or alter and extend existing testing tools—to find, exploit, and record as many security weaknesses as possible. This course will give you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application's needs.
Christian Martorella starts off by providing an overview of the web application penetration testing process and the tools the professionals use to perform these tests. Next he shows how to interact with web applications using Python, HTTP, and the Requests library. Then he follows the web application penetration testing methodology. Each section contains practical Python examples. To finish off, Christian shows how to use the tools against a vulnerable web application created specifically for this course.
- Understanding web penetration testing
- Interacting with web applications via HTTP and the Requests library
- Analyzing HTTP responses
- Web crawling with Scrapy
- Extracting information
- Discovering resources
- Testing passwords
- Detecting and exploiting SQL injection vulnerabilities
- Intercepting HTTP requests