HacktivityLabSheets/_labs/lab2-web-vulnerability-assessment.md
2025-09-15 21:35:41 +00:00


title: Lab 2: Web Application Vulnerability Assessment
description: Explore common web application vulnerabilities using OWASP ZAP and manual testing techniques
difficulty: Intermediate
duration: 90 minutes
prerequisites: Basic understanding of HTTP, HTML, and web applications
tags: web security, OWASP, vulnerability assessment, ZAP, SQL injection

Objectives

By the end of this lab, you will be able to:

  • Set up and configure OWASP ZAP for web application testing
  • Identify common web application vulnerabilities
  • Perform manual and automated vulnerability assessments
  • Understand the OWASP Top 10 vulnerabilities in practice
  • Document findings and provide remediation recommendations

Prerequisites

  • Understanding of HTTP protocol and web technologies
  • Basic knowledge of HTML, CSS, and JavaScript
  • Familiarity with web browsers and developer tools
  • Access to OWASP ZAP and a vulnerable web application

Lab Environment Setup

  1. Install OWASP ZAP

    # On Kali Linux
    sudo apt update && sudo apt install zaproxy
    
    # Or download from https://www.zaproxy.org/download/
    
  2. Target Application

    • We'll use DVWA (Damn Vulnerable Web Application)
    • Alternative: WebGoat or Mutillidae
    • Ensure the application is running locally or on an isolated network
  3. Browser Configuration

    • Configure your browser to use ZAP as a proxy
    • Install any necessary certificates

Exercise 1: Passive Scanning and Reconnaissance

Step 1: Configure ZAP Proxy

  1. Start OWASP ZAP
  2. Configure your browser to use 127.0.0.1:8080 as HTTP proxy
  3. Install ZAP's root certificate in your browser

Step 2: Spider the Application

  1. Navigate to your target application (e.g., http://localhost/dvwa)
  2. Log in with default credentials
  3. Use ZAP's spider to crawl the application:
    • Right-click on the target URL in ZAP
    • Select "Attack" → "Spider"
    • Configure spider settings as needed

Questions:

  1. How many pages did the spider discover?
  2. What different types of content were found?
  3. Are there any hidden directories or files?

Step 3: Passive Vulnerability Detection

Review the passive scan results in ZAP:

Questions:

  1. What passive vulnerabilities were detected?
  2. Which findings have the highest risk rating?
  3. Are there any false positives?

Exercise 2: Active Vulnerability Scanning

Step 1: Configure Active Scan

  1. Select the target application in ZAP's site tree
  2. Right-click and choose "Attack" → "Active Scan"
  3. Configure scan policies and parameters

Step 2: Analyze Active Scan Results

Monitor the active scan progress and results:

Questions:

  1. What new vulnerabilities were discovered during active scanning?
  2. How do the results differ from passive scanning?
  3. Which vulnerabilities pose the greatest risk?

Exercise 3: Manual Vulnerability Testing

Step 1: SQL Injection Testing

Test for SQL injection vulnerabilities manually:

  1. Identify Input Fields

    • Login forms
    • Search boxes
    • URL parameters
  2. Test Basic SQL Injection

    ' OR '1'='1
    ' OR 1=1--
    admin'--
    
  3. Advanced SQL Injection

    ' UNION SELECT null,user(),version()--
    ' UNION SELECT null,database(),@@version--
    

Questions:

  1. Which input fields are vulnerable to SQL injection?
  2. What information can you extract from the database?
  3. Can you bypass authentication using SQL injection?
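To see why the basic payloads above work and how the fix closes the hole, here is an added example (not part of the lab sheet or of DVWA): a constructed SQLite login table, a login function that splices input into the query beside a parameterized one, and a check that reports which payloads from the sheet log in without the password. The table contents and the `login_*` function names are assumptions made for the demo.

```python
import sqlite3

# Constructed stand-in for the lab target's login table (not DVWA's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # Input is spliced into the SQL text, so a quote or -- rewrites the query.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    # Bound parameters are passed as data; the query structure cannot change.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The basic payloads from the lab sheet.
BYPASS_PAYLOADS = ["' OR '1'='1", "' OR 1=1--", "admin'--"]

def auth_bypass_payloads(conn, login):
    """Return (field, payload) pairs that log in without a valid password.

    Each payload is tried in the username field (with a wrong password) and in
    the password field (with a real username), because which field it lands in
    decides how AND/OR precedence rewrites the WHERE clause.
    """
    hits = []
    for payload in BYPASS_PAYLOADS:
        for field, args in (("username", (payload, "not-the-password")),
                            ("password", ("admin", payload))):
            try:
                user = login(conn, *args)
            except sqlite3.Error:
                user = None  # a syntax error is worth noting, but not a bypass
            if user is not None:
                hits.append((field, payload))
    return hits

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", auth_bypass_payloads(db, login_vulnerable))
    print("parameterized:", auth_bypass_payloads(db, login_parameterized))
```

Note that `' OR '1'='1` in the username field alone fails here because AND binds tighter than OR; it only bypasses when placed in the password field (or both), which is exactly the precedence detail to reason about when a field "looks" injectable but returns nothing.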

Step 2: Cross-Site Scripting (XSS) Testing

Test for XSS vulnerabilities:

  1. Reflected XSS

    <script>alert('XSS')</script>
    <img src="x" onerror="alert('XSS')">
    
  2. Stored XSS

    • Submit malicious payloads through forms
    • Check if they persist and execute for other users
  3. DOM-based XSS

    • Test client-side input handling
    • Examine JavaScript code for vulnerabilities

Questions:

  1. Where can XSS payloads be successfully injected?
  2. What types of XSS vulnerabilities are present?
  3. How could these be exploited in a real attack?
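For the reflected case, an added example (constructed, not DVWA's code) that models a search page echoing its parameter with and without output encoding, and a check that reports which of the sheet's payloads come back unescaped and would therefore run in the browser. The page markup and function names are assumptions for the demo.

```python
import html

# The reflected XSS payloads from the lab sheet.
XSS_PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<img src=\"x\" onerror=\"alert('XSS')\">",
]

def search_page_vulnerable(query):
    # Constructed stand-in for a results page that echoes the parameter raw.
    return f"<h2>Results for: {query}</h2>"

def search_page_escaped(query):
    # html.escape encodes < > & " and ', so the input can no longer open a tag
    # or break out of an attribute. quote=True matters for the onerror payload.
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"

def reflected_unescaped(render, payloads=XSS_PAYLOADS):
    """Return the payloads that come back verbatim in the rendered page.

    This is the same test ZAP's passive/active XSS rules apply: submit a marker
    and look for it unchanged in the response body.
    """
    return [p for p in payloads if p in render(p)]

if __name__ == "__main__":
    print("vulnerable:", reflected_unescaped(search_page_vulnerable))
    print("escaped   :", reflected_unescaped(search_page_escaped))
    print(search_page_escaped(XSS_PAYLOADS[0]))
```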

Step 3: Authentication and Session Management

Test authentication mechanisms:

  1. Weak Password Policy

    • Try common passwords
    • Test password complexity requirements
  2. Session Management

    • Examine session tokens
    • Test session fixation
    • Check for session timeout

Questions:

  1. Are there weaknesses in the authentication system?
  2. How secure are the session management mechanisms?
  3. Can sessions be hijacked or predicted?

Exercise 4: Advanced Testing Techniques

Step 1: Directory Traversal

Test for path traversal vulnerabilities:

../../../etc/passwd
..\..\..\..\windows\system32\drivers\etc\hosts
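The two payloads above differ only in separator, which is exactly what a naive "look for `../`" filter misses. As an added example (not from the lab sheet), the check below resolves a requested path under a document root and rejects anything that escapes it, folding backslashes first so the Windows form is caught too. The `/srv/app/uploads` root is a hypothetical value, and the code assumes the framework has already URL-decoded the path once.

```python
import os

BASE_DIR = "/srv/app/uploads"   # hypothetical document root for the demo

def naive_blocked(requested):
    """A filter that only knows the Unix form of the payload."""
    return "../" in requested

def safe_path(requested, base_dir=BASE_DIR):
    """Resolve `requested` under base_dir; raise ValueError if it escapes.

    Backslashes are folded to '/' because a Windows server treats them as
    separators. realpath collapses '..' and follows symlinks on both sides,
    so the final comparison is on canonical paths, not on the raw string.
    """
    base = os.path.realpath(base_dir)
    normalized = requested.replace("\\", "/")
    # os.path.join discards base if `normalized` is absolute, which the
    # prefix check below then catches as well.
    candidate = os.path.realpath(os.path.join(base, normalized))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path traversal blocked: {requested!r}")
    return candidate

def traversal_blocked(requested, base_dir=BASE_DIR):
    """True if safe_path() rejects the request."""
    try:
        safe_path(requested, base_dir)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for p in ("../../../etc/passwd",
              "..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts",
              "reports/2025.txt"):
        print(f"{p!r:60} naive={naive_blocked(p)!s:5} canonical={traversal_blocked(p)}")
```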

Step 2: File Upload Vulnerabilities

If file upload functionality exists:

  1. Test uploading different file types
  2. Try to upload malicious files (PHP shells, etc.)
  3. Check file validation mechanisms

Step 3: Business Logic Flaws

Look for application-specific vulnerabilities:

  1. Price manipulation in e-commerce
  2. Privilege escalation
  3. Workflow bypass

Documentation and Reporting

Vulnerability Report Template

Create a comprehensive report including:

  1. Executive Summary

    • High-level findings
    • Risk assessment
    • Business impact
  2. Technical Findings

    • Detailed vulnerability descriptions
    • Proof of concept
    • CVSS scores
  3. Remediation Recommendations

    • Specific fix instructions
    • Best practices
    • Timeline for fixes

Risk Prioritization

Classify vulnerabilities by:

  • Critical: Remote code execution, SQL injection with data access
  • High: Authentication bypass, sensitive data exposure
  • Medium: XSS, information disclosure
  • Low: Minor configuration issues

Remediation Verification

After implementing fixes:

  1. Retest Previously Vulnerable Areas

    • Verify fixes are effective
    • Ensure no new vulnerabilities were introduced
  2. Regression Testing

    • Test application functionality
    • Verify security controls work properly

Additional Challenges

  1. Custom Payloads: Create your own injection payloads
  2. Automated Testing: Write custom ZAP scripts
  3. Mobile Testing: If applicable, test mobile app versions
  4. API Testing: Test REST/SOAP APIs for vulnerabilities

Resources

Conclusion

This lab provided hands-on experience with web application security testing using both automated tools and manual techniques. You learned to identify, exploit, and document common web vulnerabilities while understanding their potential impact and remediation strategies.

Key takeaways:

  • Automated tools are helpful but manual testing is essential
  • Understanding the business context is crucial for risk assessment
  • Proper documentation enables effective remediation
  • Regular testing should be part of the development lifecycle

Always ensure you have proper authorization before testing any web application!