You will learn about the web app penetration-testing methodology, the toolset, and our lab environment.
- [Instructor] Hi, and welcome to the second video of section one, Introduction to Web Application Penetration Testing. In this section, we're going to present an overview of the course content, why it is important to perform penetration testing, learn about the web application testing methodology, the tools used by professional penetration testers, and finally, we will introduce our lab environment and the target testing application. Now, we move on to the first video of this section.
Here we will understand what the web application penetration testing is and the process behind it. In this video, we will start by learning what is web application penetration testing, the importance of performing these tests, how professional methodologies look like, and finally, we're going to briefly explain why it is important to have skills to use Python to write our own tools. Penetration testing is a type of security testing that evaluates the security of an application from the perspective of an attacker.
It is an offensive exercise where you have to think like an attacker, understand the developers and the technology involved in order to unveil all the flaws. The goal is to identify all the flaws and demonstrate how they can be exploited by an attacker and what will be the impact for our company. Finally, the report will provide solutions to fix the issues detected. It's a manual and dynamic test. Manual means that it heavily depends on the knowledge of the person doing the test, and that is why learning how to write your own penetration testing tools is important and will give you an edge in your career.
It is dynamic test, which means that we test the running application. It is not a static analysis of the source code. The security test is useful to validate and verify the effectiveness of the application's security controls and to identify the lacks of those security controls. So why should we perform penetration testing? Nowadays, IT has taken the world by storm. Most of the company processes and data are handled by computers.
This is the reason why companies need to invest in security testing in order to validate the effectiveness of security controls and many a times, the lack of them. One report by EMC states that the average report and your financial loss per company is 497,000 US dollars for downtime, 860,273 US dollars for security breach, and 585,000 for data loss plus all the time the company resources are put into incident response and fixing, testing, deploying the issue.
That is why performing penetration testing will help companies to protect their customer's data, intellectual property, and services. Penetration testing is a simple methodology formed by four main sections. First, we will start with the reconnaissance phase. In this phase, we're going to gather information to identify the technologies used, the infrastructure supporting the application, software configuration, load balancers, et cetera.
This phase is also known as fingerprinting. Then, we move into the mapping phase where we build a map or diagram of the application pages and functionalities. We aim to identify the components and their relationship. One of the techniques to support the mapping is the spidering or crawling. Also in this phase, we're going to discover non-linked resources by performing brute force attacks.
Once we have all the components, parameters, forms, functionalities mapped out, we move to phase three where we're going to start the vulnerability discovery. After identifying all the vulnerabilities, we can move to the last phase, which is the exploitation of the vulnerabilities. And depending on the scope of the pen test, once you exploit a vulnerability, you can start the process all over again from your new vantage point, usually the target DMZ, which you will try to get into their internal network segment.
One step that is not represented here is the reporting phase where you document all the findings to present to your customer company. Finally, there are two types of penetration tests, the black box and the white box. Black box test takes place when you don't have any information about the target, basically the same situation as an attacker, and white box takes place when the customer provides us with documentation, source code, configurations to accelerate the process and focus in interesting areas only.
You may be wondering, what areas should you test during this process? These are some of the most important ones to cover, configuration and deployment management testing, identity management testing, authentication testing, authorization testing, session management testing, input validation, testing error handling, cryptography, business logic testing, client side testing.
We're going to cover some of these areas in this training. I encourage you to expand your knowledge on these areas by reading the OWASP Testing Guide. So why build your own tools? Web applications are very different since they are developed using multiple technologies, combinations, flows, and implementations. This is the reason why there is not a single tool that will cover all the scenarios that you will find during your career.
Many times, we are going to write scripts to test specific issues, automate certain tasks, and to exploit a vulnerability. During this training, we're going to see how to write tools and test different areas like authentication, input validation, discovery, and we end up writing a simple HTTP proxy that could be the foundation of our own security scanner. Writing your own tools is a valuable skill that will put you ahead of many penetration testers that do not have the capability to adapt tools or write their own.
And in certain penetration test engagements, this could make all the difference. In this video, we have seen what is a web application penetration testing, why it is important to perform the test, what is the methodology to follow when performing a penetration test, the different domains that need to be covered, and why it is important to know how to write your own tools with Python. In the next video, we're going to see what are the typical tools used by penetration testers.
Some of these tools are HTTP proxies, brute forcers, password crackers, vulnerability scanners, and many others.
Stop using automated testing tools. Customize and write your own tests with Python! While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, Python allows testers to write system-specific scripts—or alter and extend existing testing tools—to find, exploit, and record as many security weaknesses as possible. This course will give you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application's needs.
Christian Martorella starts off by providing an overview of the web application penetration testing process and the tools the professionals use to perform these tests. Next he shows how to interact with web applications using Python, HTTP, and the Requests library. Then follow the web application penetration testing methodology. Each section contains practical Python examples. To finish off, Christian shows how to use the tools against a vulnerable web application created specifically for this course.
- Understanding web penetration testing
- Interacting with web applications via HTTP and the Requests library
- Analyzing HTTP responses
- Web crawling with Scrapy
- Extracting information
- Discovering resources
- Testing passwords
- Detecting and exploiting SQL injection vulnerabilities
- Intercepting HTTP requests