Python Web Penetration Testing Cookbook

Python Web Penetration Testing Cookbook
By Cameron Buchanan, Terry Ip, Andrew Mabbitt, Benjamin May, Dave Mound

List Price: $44.99
Price: $44.42 Details

Availability: Usually ships in 24 hours
Ships from and sold by Amazon.com

18 new or used available from $40.34

Average customer review:
(3 customer reviews)

Product Description

Over 60 indispensable Python recipes to ensure you always have the right code on hand for web application testing

About This Book

  • Get useful guidance on writing Python scripts and using libraries to put websites and web apps through their paces
  • Find the script you need to deal with any stage of the web testing process
  • Develop your Python knowledge to get ahead of the game for web testing and expand your skillset to other testing areas

Who This Book Is For

This book is for testers looking for quick access to powerful, modern tools and customizable scripts to kick-start the creation of their own Python web penetration testing toolbox.

What You Will Learn

  • Enumerate users on web apps through Python
  • Develop complicated header-based attacks through Python
  • Deliver multiple XSS strings and check their execution success
  • Handle outputs from multiple tools and create attractive reports
  • Create PHP pages that test scripts and tools
  • Identify parameters and URLs vulnerable to Directory Traversal
  • Replicate existing tool functionality in Python
  • Create basic dial-back Python scripts using reverse shells and basic Python PoC malware

In Detail

This book gives you an arsenal of Python scripts perfect to use or to customize your needs for each stage of the testing process. Each chapter takes you step by step through the methods of designing and modifying scripts to attack web apps. You will learn how to collect both open and hidden information from websites to further your attacks, identify vulnerabilities, perform SQL Injections, exploit cookies, and enumerate poorly configured systems. You will also discover how to crack encryption, create payloads to mimic malware, and create tools to output your findings into presentable formats for reporting to your employers.


Product Details

  • Amazon Sales Rank: #1693928 in Books
  • Published on: 2015-06-30
  • Released on: 2015-06-24
  • Original language: English
  • Number of items: 1
  • Dimensions: 9.25" h x .51" w x 7.50" l, .86 pounds
  • Binding: Paperback
  • 228 pages

Editorial Reviews

About the Author

Cameron Buchanan

Cameron Buchanan is a penetration tester by trade and a writer in his spare time. He has performed penetration tests around the world for a variety of clients across many industries. Previously, he was a member of the RAF. In his spare time, he enjoys doing stupid things, such as trying to make things fly, getting electrocuted, and dunking himself in freezing cold water. He is married and lives in London.



Terry Ip

Terry Ip is a security consultant. After nearly a decade of learning how to support IT infrastructure, he decided that it would be much more fun learning how to break it instead. He is married and lives in Buckinghamshire, where he tends to his chickens.



Andrew Mabbitt

Andrew Mabbitt is a penetration tester living in London, UK. He spends his time beating down networks, mentoring, and helping newbies break into the industry. In his free time, he loves to travel, break things, and master the art of sarcasm.



Benjamin May

Benjamin May is a security test engineer from Cambridge. He studied computing for business at Aston University. With a background in software testing, he recently combined this with his passion for security to create a new role in his current company. He has a broad interest in security across all aspects of the technology field, from reverse engineering embedded devices to hacking with Python and participating in CTFs. He is a husband and a father.



Dave Mound

Dave Mound is a security consultant. He is a Microsoft Certified Application Developer but spends more time developing Python programs these days. He has been studying information security since 1994 and holds the following qualifications: C|EH, SSCP, and MCAD. He recently studied for OSCP certification but is still to appear for the exam. He enjoys talking and presenting and is keen to pass on his skills to other members of the cyber security community. When not attached to a keyboard, he can be found tinkering with his 1978 Chevrolet Camaro. He once wrestled a bear and was declared the winner by omoplata.


Customer Reviews

Most helpful customer reviews

1 of 1 people found the following review helpful.
2Needs Work
By Jeff Chart
So many of examples don't work, have to search online to fix.

0 of 1 people found the following review helpful.
5Five Stars
By Denver Water - Dawson
Wonderful published book. Great vendor!!

1 of 1 people found the following review helpful.
5So Much Good Information!
By Perry Nally
Overall an excellent read! Easy to follow scripts presented in the point of view as a hacker (including subtle remarks toward those that use these techniques for ill-fated purposes). Cameron presents an idea, shows the python script and corresponding source contents for which this script works against, then describes the scripts steps, and then goes on to describe additional related things about this script. You could say that each script could build upon each other, but that's not totally true. The author makes sure they are really cut and paste recipes. He gives you the recipe and often a way to include it into a bigger, more comprehensive script - that builds upon each step as the book progresses. Being a cookbook, there is plenty of code examples for you to try out. This is not a book about theory, but rather implementation - so all the fluff is cut out and it gets right to the point.

The book also focuses most of the direct web page vulnerability testing (2-3 chapters) at php script as the web pages' source. This would have been nice to have a corresponding discussion related to aspx, jsp, etc. There is some discussion of other technology other than php, and I get that the book would have probably doubled in size if more common page source was discussed, but it is something to think about when reading. Create the same page in aspx or jsp and attempt if there is a similar vulnerability.

Don't worry though, there's plenty of scripts related to SQL injection, header processing, encryption, encoding, payloads, shells, and even how to report your findings. These items are not necessarily exclusive to a single technology, so you are not pigeon-holed into testing only a certain type of website/server.

This book is not about learning python so if you're new to it, and you really want to understand how to manipulate each recipe, then I suggest searching for a beginner python book. However, that being said, most average level programmers can understand the scripts presented without needing to reach out for a python book/video.

Being in the industry for over 15 years, I've seen a lot of tools you can buy off the shelf that tout the ability to do this same thing just by running a program. I think knowing what it actually does is key to really understanding your vulnerabilities rather than trusting someone else's process because after all, attack vectors change all the time and with this information you can easily change your scripts.

In conclusion, this book is perfect for a web application developer wanting to test her application or an IT person ready to see just how vulnerable their application is - all with the ability to report the findings to those who need to know where to plug the holes. This is a book I will be referring to during and after each project I work on.

See all 3 customer reviews...

Connect with defaultLogic
What We've Done
Led Digital Marketing Efforts of Top 500 e-Retailers.
Worked with Top Brands at Leading Agencies.
Successfully Managed Over $50 million in Digital Ad Spend.
Developed Strategies and Processes that Enabled Brands to Grow During an Economic Downturn.
Taught Advanced Internet Marketing Strategies at the graduate level.


Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.


  Contact Us