You will learn about the traditional tools used by security professionals to perform penetration tests. This will provide a basic understanding of the most important types of tools used, and give us ideas on what we can build with Python.
- [Narrator] Hi, welcome to the third video of section one. In the previous video, we learned about penetration testing, the methodology of performing web application penetration tests, and the different areas of interest to look for when testing web applications. In this video, we're going to take a look at the different tools used by security professionals to perform web application penetration tests. We will cover HTTP proxies, crawlers and spiders, vulnerability scanners, brute forcers, and some tools used for specific tasks.
The most important tool for testing web applications is the HTTP proxy. This tool allows you to intercept all the communication between the browser and the server in both directions. These proxies are called man-in-the-middle proxies. These tools let us understand how an application works and, most importantly, allow us to intercept requests and responses and modify them. Usually, the proxy runs on the same machine as the browser you're using for testing the application.
The HTTP proxies most used by security professionals are Burp Suite from PortSwigger Security and Zed Attack Proxy, also known as ZAP. We also have mitmproxy, a newer alternative developed in Python and good for building tools or automating certain scenarios. The downside is that it is console-only, with no GUI, which for our purposes is a benefit.
Then we have crawlers and spiders. These tools are used for mapping web applications, automating the task of cataloging all the content and functionality. The tool automatically crawls the application by following all the links it finds, submitting forms, and analyzing the responses for new content, repeating this process until it covers the whole application. There are standalone crawlers and spiders, like Scrapy, written in Python.
So the proxy will see it and add it to the crawler catalog. We are going to see Scrapy in more detail later. Now we step into more complex tools: the vulnerability scanners. These tools are considered more complex, as they have to automate most of the security testing methodology in one tool. They do the crawling, discovery, vulnerability detection, and some of the exploitation.
The two most used open-source web application security scanners are w3af, written in Python, and Arachni, which is written in Ruby. There are multiple commercial alternatives, like Acunetix, which is one of the cheapest and provides good value for money. Web brute forcers or discovery tools are used to find content like files, directories, servlets, or parameters through a dictionary attack.
These tools use word lists put together by security professionals during the last 10 years, containing known file names, directories, or just words found in different products or web applications. The precursor of these types of tools was DIRB, which is still available and maintained by Dark Raver. Another great alternative is Wfuzz, which I developed in the past and is now maintained and developed by Xavier Mendez.
You can find this tool in Kali, the most used penetration testing distribution. Tools like Burp and ZAP provide these capabilities. All these tools benefit from word lists, like the ones provided by FuzzDB, a database of word lists for web application testing. We're going to see how to build a tool for this purpose similar to Wfuzz. Then we have a vast array of tools that are focused on specific tasks, such as encoders and hashers: Base64, MD5, SHA1, and Unicode. Tools that are created to exploit a specific type of vulnerability, for example SQL injectors like sqlmap, XSS consoles like BeEF to demonstrate the impact of an XSS, DOM XSS scanners like DOMinator, and many more. Also, an important type of tool in the toolkit are the post-exploitation tools.
These tools are needed once you manage to exploit a vulnerability, and help you to control the server, upload files and shells, proxy content to the internal network, and expand your attack internally. There are many other tools to overcome the infinite challenges we find testing new applications and technologies. In this video, we have seen the tools that make up the web application pen tester toolkit. This will help us understand how the tools align with the methodology.
They will also serve as inspiration when we need to create our own tools, learning from them and understanding how they work. In the next video, we're going to see how to set up the environment for this training and the tools you'll need to install.
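As an added example (not code from the course or from Wfuzz or DIRB), the following Python script shows the core of the content discovery tools described above: request every entry of a word list under a base URL and report the ones that answer differently from a path known not to exist. The fixture server, the word list and the site contents are constructed here so the script runs offline; the baseline path `/__fuzz_baseline_3f9a1c` is an arbitrary value chosen to be absent. The fixture deliberately answers unknown paths with a 200 "not found" page (a soft 404) to show why comparing only status codes is not enough.

```python
"""Minimal dictionary-based content discovery, in the spirit of DIRB and Wfuzz.

Added example, not part of the course material. Runs against a small local
fixture server constructed below so it works offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed word list standing in for a FuzzDB/DIRB list.
WORDLIST = ["admin", "backup.zip", "login", "images", "secret", "test", "old"]

# Constructed fixture site: path -> (status, body). Anything else gets a
# soft 404: HTTP 200 with an error page that echoes the requested path.
FIXTURE = {
    "/admin": (200, b"<h1>Admin panel</h1>"),
    "/backup.zip": (200, b"PK\x03\x04" + b"\x00" * 60),
    "/login": (200, b"<form method=post><input name=user></form>"),
    "/secret": (403, b"Forbidden"),
}


class FixtureHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in FIXTURE:
            status, body = FIXTURE[self.path]
        else:
            status = 200
            body = b"<h1>Not found</h1><p>No resource at " + self.path.encode() + b"</p>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the fixture server quiet
        pass


def start_fixture_server():
    """Start the fixture on an ephemeral localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FixtureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch(base_url, path):
    """Return (status, normalised body length) for base_url + path.

    urllib raises on 4xx/5xx, so the error is caught and read like a response.
    The requested path is stripped from the body before measuring, so a soft
    404 page that echoes the path compares equal to the baseline regardless
    of the word requested.
    """
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return status, len(body.replace(path.encode(), b""))


def discover(base_url, words, baseline_path="/__fuzz_baseline_3f9a1c"):
    """Request /<word> for each word; return [(word, status, length)] for the
    responses that differ from the baseline taken on a nonexistent path."""
    baseline = fetch(base_url, baseline_path)
    hits = []
    for word in words:
        status, length = fetch(base_url, "/" + word)
        if (status, length) != baseline:
            hits.append((word, status, length))
    return hits


if __name__ == "__main__":
    server, base = start_fixture_server()
    try:
        for word, status, length in discover(base, WORDLIST):
            print("%-12s %d %d" % (word, status, length))
    finally:
        server.shutdown()
        server.server_close()
```

Against the fixture this reports `admin`, `backup.zip`, `login` and `secret` (the 403 shows the resource exists even though it is forbidden) and stays silent on `images`, `test` and `old`, whose soft-404 bodies match the baseline once the echoed path is removed. Real tools add what this omits: many threads, a tolerance on the length instead of an exact match, recursion into discovered directories and extension lists.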
Stop using automated testing tools. Customize and write your own tests with Python! While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, Python allows testers to write system-specific scripts—or alter and extend existing testing tools—to find, exploit, and record as many security weaknesses as possible. This course will give you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application's needs.
Christian Martorella starts off by providing an overview of the web application penetration testing process and the tools the professionals use to perform these tests. Next he shows how to interact with web applications using Python, HTTP, and the Requests library. He then follows the web application penetration testing methodology, with each section containing practical Python examples. To finish off, Christian shows how to use the tools against a vulnerable web application created specifically for this course.
- Understanding web penetration testing
- Interacting with web applications via HTTP and the Requests library
- Analyzing HTTP responses
- Web crawling with Scrapy
- Extracting information
- Discovering resources
- Testing passwords
- Detecting and exploiting SQL injection vulnerabilities
- Intercepting HTTP requests