natnaelhhaile/owasp-web-attacks-demo
Web Application Security Labs

A hands-on application security project demonstrating common web vulnerabilities using OWASP WebGoat, Burp Suite, Firefox Developer Tools, and custom proof-of-concept exploits.

This repository documents the identification, analysis, and controlled exploitation of several widely known web application vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Path Traversal.

The project focuses on understanding how these vulnerabilities arise, how attackers exploit them, and how organizations can mitigate the associated risks through secure development practices.


Project Objectives

  • Gain practical experience with common web application vulnerabilities
  • Develop familiarity with application security testing workflows
  • Analyze HTTP requests and responses
  • Perform controlled vulnerability exploitation in a safe environment
  • Document findings and mitigation strategies
  • Strengthen understanding of secure software development principles

Vulnerabilities Covered

Vulnerability                        CWE       Skills Demonstrated
-----------------------------------  --------  ------------------------------------------------------------------------
SQL Injection                        CWE-89    Query manipulation, authentication bypass, data access control analysis
Cross-Site Scripting (XSS)           CWE-79    Input validation testing, output encoding analysis, client-side security
Cross-Site Request Forgery (CSRF)    CWE-352   Session abuse testing, request replication, authentication workflow analysis
Path Traversal                       CWE-22    File system security assessment, request tampering, filter bypass testing
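The table above names four vulnerability classes and, in the Security Concepts section, the controls that address them (input validation, output encoding, access controls). The Python below is an added illustration, not code from this repository or from WebGoat, showing the server-side coding pattern behind each CWE next to its hardened form: a concatenated login query beside a parameterized one (CWE-89), HTML output encoding (CWE-79), constant-time CSRF token comparison (CWE-352), and a base-directory containment check for file access (CWE-22). The in-memory users table, the plaintext sample password and the /srv/uploads base path are constructed for the example and need not exist on disk.

```python
# Added example (not part of the original repository): defensive patterns for
# the four CWEs in the table, runnable offline against constructed sample data.
import html
import hmac
import os
import secrets
import sqlite3


def build_db():
    """Constructed sample data: one account in an in-memory SQLite database.
    A real application stores a password hash, never the plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


# --- CWE-89: SQL Injection ---------------------------------------------------
def login_vulnerable(conn, username, password):
    """The 'before' pattern: user input is spliced into the SQL text, so a
    quote in either field changes the query's structure."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so input is only
    ever compared as data and can never alter the statement."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# --- CWE-79: Cross-Site Scripting --------------------------------------------
def render_greeting(name):
    """Output encoding for an HTML body context: escape <, >, &, and quotes
    at the point of interpolation rather than trying to filter input."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- CWE-352: Cross-Site Request Forgery -------------------------------------
def issue_csrf_token():
    """Per-session random token, stored server-side and echoed in forms."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    """Reject missing tokens, then compare in constant time so a forged
    request cannot be distinguished by timing."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


# --- CWE-22: Path Traversal --------------------------------------------------
def is_path_contained(base_dir, requested):
    """Resolve the requested path relative to base_dir and confirm the result
    still lies inside it. commonpath is used instead of a string prefix test
    because '/srv/uploads2' would pass a naive startswith('/srv/uploads')."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"  # classic CWE-89 test input
    print("concatenated query accepts tautology:", login_vulnerable(conn, "alice", tautology))
    print("parameterized query accepts tautology:", login_safe(conn, "alice", tautology))
    print(render_greeting("<script>alert(1)</script>"))
    print("traversal contained:", is_path_contained("/srv/uploads", "../../etc/passwd"))
```

Each function returns a value rather than printing it, so the same checks can be dropped into a test suite; in a real application the parameterized query, the escaping call and the containment check would sit in the data-access, template and file-serving layers respectively, which is where WebGoat's lessons show them missing.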

Tools Used

OWASP WebGoat

Used as the primary training platform to simulate intentionally vulnerable web applications.

Topics explored:

  • SQL Injection
  • XSS
  • CSRF
  • Path Traversal
  • Input validation weaknesses
  • Access control issues

Burp Suite

Used for:

  • HTTP traffic interception
  • Request analysis
  • Request modification
  • Parameter manipulation
  • Security testing workflows

Firefox Developer Tools

Used for:

  • Source code inspection
  • Route discovery
  • Client-side analysis
  • DOM inspection
  • JavaScript debugging

Visual Studio Code

Used to create:

  • CSRF proof-of-concept forms
  • Test payloads
  • Attack demonstrations
  • Documentation artifacts

Security Testing Methodology

The exercises in this repository followed a structured testing process:

Information Gathering
        ↓
Attack Surface Discovery
        ↓
Traffic Analysis
        ↓
Input Validation Testing
        ↓
Vulnerability Identification
        ↓
Controlled Exploitation
        ↓
Impact Assessment
        ↓
Documentation & Mitigation

This workflow mirrors the approach commonly used in application security assessments and penetration testing engagements.


Key Skills Demonstrated

Application Security

  • Vulnerability Assessment
  • Security Testing
  • Attack Simulation
  • Security Validation

Web Technologies

  • HTTP/HTTPS
  • Session Management
  • HTML Forms
  • Browser Security Models
  • Client-Server Architecture

Security Concepts

  • Authentication & Authorization
  • Input Validation
  • Output Encoding
  • Access Controls
  • Defense in Depth
  • Least Privilege

Analysis & Documentation

  • Technical Reporting
  • Root Cause Analysis
  • Security Impact Assessment
  • Mitigation Planning

Learning Outcomes

Through these exercises, I gained hands-on experience in:

  • Identifying vulnerable application components
  • Analyzing web traffic and application behavior
  • Crafting and testing attack payloads
  • Evaluating security controls
  • Understanding real-world attack methodologies
  • Documenting findings in a structured and reproducible manner

The project reinforced the importance of secure coding practices, layered security controls, and continuous application security testing throughout the software development lifecycle.


Disclaimer

All activities documented in this repository were performed exclusively within intentionally vulnerable educational environments designed for security training.

No testing was conducted against production systems, third-party applications, or unauthorized targets.

The purpose of this project is educational and defensive in nature, with a focus on understanding vulnerabilities and improving security awareness.


Author

Natnael Haile
