A hands-on application security project demonstrating common web vulnerabilities using OWASP WebGoat, Burp Suite, Firefox Developer Tools, and custom proof-of-concept exploits.
This repository documents the identification, analysis, and controlled exploitation of several widely known web application vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Path Traversal.
The project focuses on understanding how these vulnerabilities arise, how attackers exploit them, and how organizations can mitigate the associated risks through secure development practices.
- Gain practical experience with common web application vulnerabilities
- Develop familiarity with application security testing workflows
- Analyze HTTP requests and responses
- Perform controlled vulnerability exploitation in a safe environment
- Document findings and mitigation strategies
- Strengthen understanding of secure software development principles
| Vulnerability | CWE | Skills Demonstrated |
|---|---|---|
| SQL Injection | CWE-89 | Query manipulation, authentication bypass, data access control analysis |
| Cross-Site Scripting (XSS) | CWE-79 | Input validation testing, output encoding analysis, client-side security |
| Cross-Site Request Forgery (CSRF) | CWE-352 | Session abuse testing, request replication, authentication workflow analysis |
| Path Traversal | CWE-22 | File system security assessment, request tampering, filter bypass testing |
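The SQL Injection row above covers query manipulation and authentication bypass. The following added example (not code from this repository or from WebGoat) shows why a concatenated login query is bypassable and why a parameterized query is not. The in-memory `users` table and the `alice` row are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample database; the schema is an assumption, not WebGoat's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # CWE-89: user input is pasted straight into the SQL text, so the
    # database parses attacker-controlled characters as part of the query.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Bound parameters keep the input as data; the query structure is fixed
    # before any user-supplied value is seen.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    conn = make_db()
    # Classic tautology payload: turns "... AND password = ''" into
    # "... AND password = '' OR '1'='1'", which is true for every row.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_correct": login_safe(conn, "alice", "correct horse"),
        "safe_wrong": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The vulnerable function returns a row for the tautology even though no password matched; the parameterized version treats the same string as a literal password and returns nothing, while still accepting the real credentials.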
OWASP WebGoat was used as the primary training platform to simulate intentionally vulnerable web applications.
Topics explored:
- SQL Injection
- XSS
- CSRF
- Path Traversal
- Input validation weaknesses
- Access control issues
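Path Traversal and input validation weaknesses appear together in the topics above. The following added example (not code from this repository or from WebGoat) contrasts a naive path join with a resolver that canonicalizes the path and requires the result to stay inside a base directory; the temporary `uploads` directory and `report.txt` file are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalAttempt(Exception):
    """Raised when a requested path would resolve outside the base directory."""


def naive_join(base_dir, requested):
    # Vulnerable pattern (CWE-22): join the user-supplied name onto the base
    # directory and trust the result. ".." segments walk out of base_dir.
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_under(base_dir, requested):
    # Resolve symlinks and ".." on both sides, then check containment on the
    # canonical paths rather than on the raw request string.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise TraversalAttempt(requested)
    return target


def is_blocked(base_dir, requested):
    try:
        resolve_under(base_dir, requested)
        return False
    except TraversalAttempt:
        return True


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "report.txt"), "w") as fh:
            fh.write("ok")

        outcome = {}
        # A legitimate file name resolves to a path inside uploads.
        outcome["legit"] = os.path.basename(resolve_under(uploads, "report.txt"))
        # The naive join happily produces a path one level above uploads.
        naive = naive_join(uploads, os.path.join("..", "secret.txt"))
        outcome["naive_escapes"] = not naive.startswith(uploads + os.sep)
        # The containment check rejects plain "..", an absolute path, and a
        # URL-encoded ".." once the application has decoded it.
        outcome["dotdot_blocked"] = is_blocked(uploads, os.path.join("..", "secret.txt"))
        outcome["absolute_blocked"] = is_blocked(uploads, os.path.abspath(os.sep))
        outcome["encoded_blocked"] = is_blocked(uploads, unquote("..%2Fsecret.txt"))
        return outcome


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

Checking the canonical path rather than filtering the string for `../` is what defeats the encoding and filter-bypass variants listed under the Path Traversal row: whatever form the request takes, it is decoded, resolved, and then compared against the allowed root.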
Burp Suite was used for:
- HTTP traffic interception
- Request analysis
- Request modification
- Parameter manipulation
- Security testing workflows
Firefox Developer Tools were used for:
- Source code inspection
- Route discovery
- Client-side analysis
- DOM inspection
- JavaScript debugging
Custom proof-of-concept code was used to create:
- CSRF proof-of-concept forms
- Test payloads
- Attack demonstrations
- Documentation artifacts
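The CSRF proof-of-concept forms listed above work because a browser attaches the session cookie to a cross-site form submission automatically. The following added example (not code from this repository) models the server side of that exchange: a handler that trusts the cookie alone accepts a forged form, while a handler using a session-bound synchronizer token rejects it. The session store, the `transfer` form fields, and `SERVER_SECRET` are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret held only on the server.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store: session cookie value -> account owner.
SESSIONS = {"sess-abc123": "alice"}


def issue_token(session_id):
    # Bind the token to the session so a token captured from one session
    # is useless in another; the attacker's page cannot read this value.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_cookie, form):
    # CWE-352: only the cookie proves identity, and the browser sends the
    # cookie regardless of which site built the form.
    if session_cookie not in SESSIONS:
        return False
    return "to" in form and "amount" in form


def transfer_safe(session_cookie, form):
    if session_cookie not in SESSIONS:
        return False
    expected = issue_token(session_cookie)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, supplied):
        return False
    return "to" in form and "amount" in form


def demo():
    cookie = "sess-abc123"
    # Form the legitimate page renders, including the token it embedded.
    genuine = {"to": "bob", "amount": "10", "csrf_token": issue_token(cookie)}
    # Form an attacker-controlled page submits: same fields, no readable token.
    forged = {"to": "mallory", "amount": "1000"}
    # Token minted for a different session, reused against alice's session.
    mismatched = dict(forged, csrf_token=issue_token("sess-other"))
    return {
        "vulnerable_accepts_forged": transfer_vulnerable(cookie, forged),
        "safe_rejects_forged": not transfer_safe(cookie, forged),
        "safe_rejects_mismatched": not transfer_safe(cookie, mismatched),
        "safe_accepts_genuine": transfer_safe(cookie, genuine),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The point the exercise reproduces is that the token, not the cookie, is the thing a cross-origin page cannot obtain; in a real application the same check is usually paired with `SameSite` cookie attributes as a second layer.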
The exercises in this repository followed a structured testing process:
1. Information Gathering
2. Attack Surface Discovery
3. Traffic Analysis
4. Input Validation Testing
5. Vulnerability Identification
6. Controlled Exploitation
7. Impact Assessment
8. Documentation & Mitigation
This workflow mirrors the approach commonly used in application security assessments and penetration testing engagements.
- Vulnerability Assessment
- Security Testing
- Attack Simulation
- Security Validation
- HTTP/HTTPS
- Session Management
- HTML Forms
- Browser Security Models
- Client-Server Architecture
- Authentication & Authorization
- Input Validation
- Output Encoding
- Access Controls
- Defense in Depth
- Least Privilege
- Technical Reporting
- Root Cause Analysis
- Security Impact Assessment
- Mitigation Planning
Through these exercises, I gained hands-on experience in:
- Identifying vulnerable application components
- Analyzing web traffic and application behavior
- Crafting and testing attack payloads
- Evaluating security controls
- Understanding real-world attack methodologies
- Documenting findings in a structured and reproducible manner
The project reinforced the importance of secure coding practices, layered security controls, and continuous application security testing throughout the software development lifecycle.
All activities documented in this repository were performed exclusively within intentionally vulnerable educational environments designed for security training.
No testing was conducted against production systems, third-party applications, or unauthorized targets.
The purpose of this project is educational and defensive in nature, with a focus on understanding vulnerabilities and improving security awareness.
Natnael Haile