Web Hacking: Become a Pentester – Lecture 12: Modern MVC Frameworks

Web Hacking: Become a Pentester – Lecture 12: Modern MVC Frameworks

In this video I introduce the concept of MVC framework and we will create a small web application with Django.

This is a preview lecture from my online web hacking training called Web Hacking: Become a Pentester.

Check out the full course: http://aetherlab.net/y/ho

My blog: http://aetherlab.net
All my traingings: http://hackademy.aetherlab.net

Transcript:
Hi,

In this lecture we will learn about how modern web applications work. Nowadays it is not really practical to write complex applications the way we have seen in the previous lectures. So there are hundreds of frameworks out there in every possible language try to solve this problem. Even if you decide what language you want to use you will still have many frameworks to choose from. Most of them have, however something in common, and that is their architecture. They follow a software design pattern called the Model-View-Controller or MVC. This concept splits the responsibilities of the application into these there components:

Model:
The model contains the business logic and manages the data. It is independent of the user interface.

View:
The view, it is kinda obvious, is what the user sees. The view is responsible to represent the data to the user how it is the best. In a web application this is basically what you see in the browser.

Controller:
The controller receives the input from the user. The controller knows what the user wants to do and based on that interacts with the model and the view components.

Now this is a really basic definition, and all frameworks have different understanding about what each component is responsible for. As I said there are lot’s of MVC frameworks, such as ASP .Net, Ruby on Rails, Django etc.., If you are going to do penetration testing for living you will meet many of them. That is also the reason why it does not make sense to learn all of them. In this lecture we will try out one, so that you understand the concept, and that should be enough to start working with any of them in the future, of course with some googleing.
(http://djangobook.com/installing-django/)

$ pip install django

$ django-admin startproject tauntaun-dispatch

$ cd tauntaun-dispatch/tauntaun-dispatch

Add the tauntaun_dispatch to the INSTALLED APPS in the settings.py. With this we are hacking the django structure a bit, but I want to keep it simple.

$ python manage.py migrate

This initializes the DB for our project.

$vim view.py

We are gonna have 2 pages one where you give you information and the other where you receive your reservation code. For these we create 2 functions in the view.py.

Now we have some simple views, but the application does not know yet what to do when it receives a request. So we have to configure what each URLs should do. To do that open the urls.py:

$ vim urls.py

In this file you can configure which URLs should be available and what should happen when they are called. We need to add two URLs, the index and the tauntaun-request. We don’t need the admin page now so we can just overwrite that:

Save and then start the server:
$ cd ..
$ python manage.py runserver

And load both URLs in the browser. They respond with the texts defined in the views. Now the app have some kind of controller which decides which view to load when a URL is called and 2 views which return something to the user. But all of this is pretty static and we don’t have a model yet.

$ vim tauntaun-dispatch/models.py

Here we basically create a table called reservations with 3 field, name, date and an automatically created id field which we will use as the reservation number.

So this file defines our data model, but we still have to make django to generate the database for us.

$ python manage.py makemigrations tauntaun_dispatch

$ python maange.py migrate

This initializes the database for our model. Under the hood django does a lot of things for us, which makes it possible that we don’t have to write SQL queries but only talk to the db model.

At this point we have a model, now we need to improve the controller and the views, so that the app actually does something.

First improve the index view to offer a form where the user can submit his name and the date he wants to reserve the tauntaun for.

$ mkdir tauntaun_dispatch/templates

$ vim tauntaun_dispatch/templates/index.html

Modify the view:

We also have to tell the app what to do when a new tauntaun request is coming. For that we have to update the tauntaun_request function:

We create a new Reservatio object with the data sent in the request and save it in the database. As you can see djange does a good job implementing data management. At the end we return the id of the newly created reservation.

Let’s try it.
….