- [ Security Auditing With the OWASP Top 10 ]
- [ Auditing With OWASP ] :: [ Introduction ]
- [ Auditing With OWASP ] :: [ Vulnerability A1: Injection ]
- [ Auditing With OWASP ] :: [ Vulnerability A7: Cross-Site Scripting XSS ]
The OWASP Top Ten Project
First, read the project page (the Top Ten list itself, with a description of each category):
https://owasp.org/www-project-top-ten/
While you’re at it, get the Testing Checklist:
https://www.owasp.org/index.php/Testing_Checklist
You’ll need the OWASP Proactive Controls for Developers:
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf
Assignments
- Install the FoxyProxy plugin in Firefox.
- Download and set up Burp Suite. Configure a FoxyProxy profile that sends browser traffic through Burp's proxy listener (127.0.0.1:8080 by default) and switch it on only while you are testing, so normal browsing does not pass through the intercept.
- Download and set up OWASP ZAP.
- Set up XAMPP so you have a local Apache/MySQL/PHP stack to host a testing target:
https://www.apachefriends.org/download.html
- Download and set up bWAPP under XAMPP:
https://sourceforge.net/projects/bwapp/files/bee-box/
Note that bee-box is a preconfigured Linux VM with bWAPP already installed; if you want bWAPP running under your own XAMPP instead, download the bWAPP package from the same SourceForge project, copy it into the XAMPP web root (htdocs) and run its install.php. Either way, keep the target on a host-only or local network: these applications are deliberately vulnerable and must not be reachable from the internet.
Practice and Process
In the Testing Checklist, conduct the Section 4.2 Information Gathering steps (search-engine reconnaissance, web server fingerprinting, review of robots.txt and other metafiles, application entry points, framework and technology identification) against a target website that you own or have written permission to test. Record every version string, cookie name, hidden path and developer comment you find; these feed the later injection and XSS testing.
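As an added example (not code from the course or from OWASP), the following Python script automates two of the Section 4.2 fingerprinting steps: pulling technology disclosures out of an HTTP response (Server and X-Powered-By headers, session cookie names, the HTML generator meta tag, developer comments, missing security headers) and listing the paths a site's robots.txt asks crawlers to avoid. The HTTP response and robots.txt it runs on are constructed samples embedded in the script, so it runs offline; in practice you would feed it the raw response you captured in Burp or ZAP. The header lists it checks are my choice, not an official OWASP list.

```python
"""Fingerprint a web server response and parse robots.txt (OWASP Testing Guide 4.2-style checks).

Added example; the sample response and robots.txt below are constructed, not captured from a real site.
"""
import re

# Constructed sample HTTP response (headers + body) as Burp/ZAP would show it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.9"></head>'
    "<body><!-- TODO: remove debug endpoint /admin/debug.php --></body></html>"
)

# Constructed sample robots.txt.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/  # old dumps\nAllow: /\n"

# Headers that commonly leak product and version information (my selection).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Defensive headers whose absence is worth noting in the report (my selection).
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Repeated headers (e.g. several Set-Cookie lines) are kept as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw):
    """Collect the technology disclosures an information-gathering pass should record."""
    _status, headers, body = parse_response(raw)
    cookies = headers.get("set-cookie", [])
    return {
        "disclosure": {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers},
        "missing_security_headers": [h for h in SECURITY_HEADERS if h not in headers],
        # The cookie name alone (PHPSESSID, JSESSIONID, ASP.NET_SessionId, ...) identifies the platform.
        "session_cookies": [c.split("=", 1)[0] for c in cookies],
        "generator": re.findall(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I),
        # Developer comments often name hidden paths or internal hosts.
        "html_comments": [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)],
    }


def robots_disallowed(robots_txt):
    """Return the Disallow paths from robots.txt; these are candidate hidden entry points."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:  # "Disallow:" with nothing after it means "allow everything"
                paths.append(path)
    return paths


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
    print("robots.txt disallows:", robots_disallowed(SAMPLE_ROBOTS))
```

Everything the script reports is a lead, not a finding: a Server header can be rewritten, and a robots.txt entry only tells you where to look next. Note which leads you followed so the later sections of the checklist can pick them up.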
Online Sites for Testing the OWASP Top 10 Vulnerabilities
Root-me.org has Web Client and Web Server areas. You will need to set up an account.
https://www.root-me.org/en/Challenges/Web-Client/
HackThisSite has several categories of challenges. Yes, create an account. You’ll use it.
https://www.hackthissite.org/
TryHackMe has a unique “rooms” layout with a great progression that lets you start from no knowledge and learn until your brain burns out.
https://tryhackme.com/
Sample Web Applications to Practice Testing
Mutillidae (included in Metasploitable2)
DVWA: Damn Vulnerable Web App
bWAPP:
https://sourceforge.net/projects/bwapp/files/bee-box/