Book Image

Python Web Penetration Testing Cookbook

By : Benjamin May, Cameron Buchanan, Andrew Mabbitt, Dave Mound, Terry Ip
Book Image

Python Web Penetration Testing Cookbook

By: Benjamin May, Cameron Buchanan, Andrew Mabbitt, Dave Mound, Terry Ip

Overview of this book

Table of Contents (16 chapters)
Python Web Penetration Testing Cookbook
About the Authors
About the Reviewers


Welcome to our book on Python and web application testing. Penetration testing is a massive field and the realms of Python are even bigger. We hope that our little book can help you make these enormous fields a little more manageable. If you're a Python guru, you can look for ideas to apply your craft to penetration testing, or if you are a newbie Pythonist with some penetration testing chops, then you're in luck, this book is also for you.

What this book covers

Chapter 1, Gathering Open Source Intelligence, covers a set of recipes for collecting information from freely available sources.

Chapter 2, Enumeration, guides you through creating scripts to retrieve the target information from websites and validating potential credentials.

Chapter 3, Vulnerability Identification, covers recipes based on identifying potential vulnerabilities on websites, such as Cross-site scripting, SQL Injection, and outdated plugins.

Chapter 4, SQL Injection, covers how to create scripts that target everyone's favorite web application vulnerability.

Chapter 5, Web Header Manipulation, covers scripts that focus specifically on the collection, control, and alteration of headers on web applications.

Chapter 6, Image Analysis and Manipulation, covers recipes designed to identify, reverse, and replicate steganography in images.

Chapter 7, Encryption and Encoding, covers scripts that dip their toes into the massive lake that is encryption.

Chapter 8, Payloads and Shells, covers a small set of proof of concept C2 channels, basic post-exploitation scripts, and on server enumeration tools.

Chapter 9, Reporting, covers scripts that focus to make the reporting of vulnerabilities easier and a less painful process.

What you need for this book

You will need a laptop, Python 2.7, an Internet connection for most recipes and a good sense of humor.

Who this book is for

This book is for testers looking for quick access to powerful, modern tools and customizable scripts to kick-start the creation of their own Python web penetration testing toolbox.


In this book, you will find several headings that appear frequently (Getting ready, How to do it, How it works, There's more, and See also).

To give clear instructions on how to complete a recipe, we use these sections as follows:

Getting ready

This section tells you what to expect in the recipe, and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make the reader more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.


In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "first it sends the HTTP GET request to the API server, then it reads in the response and stores the output into an api_response variable."

A block of code is set as follows:

import urllib2
import json

GOOGLE_API_KEY = "{Insert your Google API key}"
target = ""
api_response = urllib2.urlopen(" query="+target+"&key="+GOOGLE_API_KEY).read()

json_response = json.loads(api_response)
for result in json_response['items']:
      name = result['displayName']
      print name
      image = result['image']['url'].split('?')[0]
  f = open(name+'.jpg','wb+')

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in highlighted:

a = str((A * int(str(i)+'00') + C) % 2**M)
    if a[-2:] == "47":

Any command-line input or output is written as follows:

$ pip install plotly
Query failed: ERROR: syntax error at or near

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Click on API & auth | Credentials. Click on Create new key and Server key."


Warnings or important notes appear in a box like this.


Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail , and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files from your account at for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit and register to have the files e-mailed directly to you.


Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to and enter the name of the book in the search field. The required information will appear under the Errata section.


Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.


If you have a problem with any aspect of this book, you can contact us at , and we will do our best to address the problem.