OWASP Top 10 Lab Manual
To set up a LAMP (Linux, Apache, MySQL, PHP) or XAMPP (Cross-platform, Apache, MySQL, PHP,
Perl) web server, you need to follow a series of steps. Here's a general guide on how to set up a
LAMP or XAMPP server on a Linux system:
Install Linux:
Choose a Linux distribution like Ubuntu, CentOS, or Debian and install it on your server.
Install Apache:
Update your package manager: sudo apt update (for Ubuntu/Debian) or sudo yum update (for CentOS).
Install Apache: sudo apt install apache2 (for Ubuntu/Debian) or sudo yum install httpd (for CentOS).
Start the Apache service: sudo service apache2 start (for Ubuntu/Debian) or sudo systemctl start httpd (for CentOS).
Verify that Apache is running by accessing your server's IP address in a web browser. You should see the default Apache page.
Install MySQL:
Install the MySQL server: sudo apt install mysql-server (for Ubuntu/Debian) or sudo yum install mysql-server (for CentOS).
During the installation, you'll be prompted to set a root password for MySQL.
Start the MySQL service: sudo service mysql start (for Ubuntu/Debian) or sudo systemctl start mysqld (for CentOS).
Follow the prompts to set a password policy, remove anonymous users, disallow remote root login, and remove the test databases.
Install PHP:
Install PHP and the required modules: sudo apt install php libapache2-mod-php (for Ubuntu/Debian) or sudo yum install php php-mysql (for CentOS).
Restart Apache: sudo service apache2 restart (for Ubuntu/Debian) or sudo systemctl restart httpd (for CentOS).
At this point, you have a LAMP server set up on your Linux system. To replicate the same setup on a Windows system using XAMPP, follow these steps:
Download XAMPP:
Go to the Apache Friends website (https://www.apachefriends.org/index.html) and download the appropriate XAMPP package for Windows.
Install XAMPP:
Choose the components you want to install (Apache, MySQL, PHP, and optionally Perl) and select the installation directory.
Launch the XAMPP Control Panel from the installation directory or the Start menu.
Start Apache and MySQL by clicking the "Start" button next to their respective modules.
Verify that Apache is running by accessing "http://localhost" in a web browser. You should see the XAMPP welcome page.
To configure PHP, open the php.ini file located in the XAMPP installation directory (e.g., C:\xampp\php\php.ini) and make any necessary changes.
To configure MySQL, you can use the phpMyAdmin interface accessible through the XAMPP Control Panel.
OWASP Top 10
Introduction: The OWASP (Open Web Application Security Project) Top 10 is a list of the most critical
web application security risks. This lab manual will guide you through a series of hands-on exercises
that focus on each of the OWASP Top 10 vulnerabilities. By following these exercises, you will gain
practical knowledge and experience in identifying and mitigating these common security risks.
Lab Setup: To perform the following exercises, you will need the following components:
Burp Suite (a web application security testing tool, available in both free and professional versions)
Note: It is essential to perform these exercises in a controlled environment and with proper
authorization. Do not perform these exercises on any system or application without permission or in
violation of any laws or regulations.
Lab Manual:
Exercises:
Perform SQL injection by injecting malicious SQL queries to extract sensitive information or
manipulate the application's database.
Using Burp Suite:
Step 1-
Step 2-
Step 3-
Step 4-
Step 5-
Step 6-
Step 7-
Step 8-
Step 9-
Step 10-
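The defect the SQL injection exercise relies on is a query assembled by string concatenation. The following Python/SQLite program is an added illustration (it is not code from this manual or from any of the lab applications): it puts the vulnerable lookup next to the parameterized one and counts the rows each returns for a normal username and for a constructed input that closes the quote and appends an always-true condition. The users table and its three rows are constructed sample data.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's database: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"), ("carol", "carol@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string concatenation, so user input becomes part of the SQL text.
    This is the pattern the exercise exploits: a quote in the input changes the query's structure."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the SQL text and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Row counts returned by both implementations for the same input."""
    conn = make_sample_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "safe": len(lookup_safe(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))        # both return the single matching row
    # Constructed tautology input: concatenation returns every row, the parameterized query none.
    print(compare("' OR '1'='1"))
```

The parameterized version is the fix to apply in the PHP of the lab applications as well (prepared statements in PDO or mysqli); escaping or filtering the input is not a substitute, because it has to be re-done correctly at every query site.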
Explore LDAP injection by injecting malicious LDAP queries to access unauthorized data or perform
unintended actions.
Exercises:
Step 1 − Log in to WebGoat and navigate to the 'Session Management Flaws' section. Let us bypass the authentication by spoofing the cookie. Below is a snapshot of the scenario.
Step 2 − When we log in using the credentials webgoat/webgoat, we find from Burp Suite that the JSESSIONID is C8F3177CCAFF380441ABF71090748F2E and the AuthCookie is 65432ubphcfx upon successful authentication.
Step 3 − When we log in using the credentials aspect/aspect, we find from Burp Suite that the JSESSIONID is C8F3177CCAFF380441ABF71090748F2E and the AuthCookie is 65432udfqtb upon successful authentication.
Step 4 − Now we need to analyze the AuthCookie patterns. The first half, '65432', is common to both authentications, so we are interested in the last part of the AuthCookie values: ubphcfx for the webgoat user and udfqtb for the aspect user respectively.
Step 5 − If we take a closer look at the AuthCookie values, the last part has the same length as the user name, so it is evident that the username is transformed by some encryption method. By trial and error we find that reversing the user name webgoat gives taogbew, and shifting each letter of that by one position in the alphabet gives the AuthCookie value, i.e. ubphcfx.
Step 6 − Let us pass this cookie value and see what happens. After authenticating as user webgoat, change the AuthCookie value to impersonate the user Alice, deriving Alice's AuthCookie with the same procedure as in steps 4 and 5.
__________________________________________________________________________________
Cross-Site Scripting (XSS)
Payload: <script>alert("xss")</script>
Stored XSS:
Payload: <script>alert(document.domain)</script>
DOM-based XSS:
Payload: localhost/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>
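All three payloads above work because user-controlled text reaches the page without being encoded for the context it lands in. The Python below is an added example (not DVWA's code) showing the server-side fix for the reflected and stored cases: the same payload rendered by an unencoded template and by one that HTML-encodes at output time, plus a stored-comment model that keeps submissions verbatim and encodes only when rendering. The CommentBoard class, the header dictionary and the helper names are this example's own.

```python
import html
from typing import List, Tuple


def reflect_unsafe(name: str) -> str:
    """Reflected XSS: the request parameter is copied straight into the HTML response."""
    return "<p>Hello, " + name + "</p>"


def reflect_safe(name: str) -> str:
    """Output encoding for the HTML-text context: < > & and quotes become entities, so the
    browser shows the payload as text instead of parsing it as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


class CommentBoard:
    """Stored XSS model. Comments are persisted exactly as submitted (filtering at input time
    is bypassable and mangles legitimate text) and encoded where they are rendered."""

    def __init__(self) -> None:
        self._comments: List[Tuple[str, str]] = []

    def post(self, author: str, body: str) -> None:
        self._comments.append((author, body))

    def render_unsafe(self) -> str:
        return "<ul>" + "".join(f"<li><b>{a}</b>: {b}</li>" for a, b in self._comments) + "</ul>"

    def render_safe(self) -> str:
        items = (f"<li><b>{html.escape(a)}</b>: {html.escape(b)}</li>" for a, b in self._comments)
        return "<ul>" + "".join(items) + "</ul>"


# Defense in depth: with no 'unsafe-inline', the browser refuses an inline <script> that slips
# past encoding. These are standard CSP directives; the policy itself is chosen for this example.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


def contains_live_script(rendered: str) -> bool:
    """Crude unit-test check: is a parseable <script> tag still present in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = '<script>alert("xss")</script>'  # the reflected payload from this manual
    print(contains_live_script(reflect_unsafe(payload)))  # True
    print(contains_live_script(reflect_safe(payload)))    # False
```

The DOM-based variant (the xss_d page, whose default parameter is read by the page's own JavaScript) is not fixed by anything the server encodes: the client script has to write the value with a text-only sink such as textContent rather than innerHTML or document.write.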
Insecure Direct Object References (IDOR)
Exercises: Intercept the requests as always and find out the path as highlighted below.
Once we know the path, we can check the response field to find the userId, as shown below.
Intercept the requests and you will find the two hidden fields; users and config are the answers.
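What makes the userId (and the hidden form fields) exploitable is that the server acts on the client-supplied reference without checking that the logged-in user is allowed to reach that object. The Python below is an added example, not WebGoat's code: a lookup that trusts the identifier next to one that enforces object-level authorization against the server-side session, plus the per-session indirect reference map OWASP recommends as an alternative. The profile records, the Session class and the role names are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Session:
    """Server-side identity established at login; never taken from request parameters."""
    user_id: int
    role: str  # "user" or "admin" (roles invented for this example)


# Constructed sample records, keyed by the userId that appears in the intercepted response.
PROFILES: Dict[int, Dict[str, str]] = {
    101: {"name": "alice", "email": "alice@example.test"},
    102: {"name": "bob", "email": "bob@example.test"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def can_access(session: Session, user_id: int) -> bool:
    """Ownership-or-admin rule: the only inputs are the session and the target object."""
    return session.role == "admin" or session.user_id == user_id


def get_profile_unsafe(session: Session, user_id: int) -> Dict[str, str]:
    """IDOR: trusts the client-supplied userId, so any authenticated user can read any profile."""
    return PROFILES[user_id]


def get_profile_safe(session: Session, user_id: int) -> Dict[str, str]:
    """Object-level authorization performed on every access, before the record is returned."""
    if not can_access(session, user_id):
        raise Forbidden(f"user {session.user_id} may not access profile {user_id}")
    return PROFILES[user_id]


class ReferenceMap:
    """Indirect references: the client only ever sees an opaque per-session handle, and the
    server resolves it only if this session issued it. Guessing another record's id is then
    impossible because ids never leave the server."""

    def __init__(self) -> None:
        self._handles: Dict[str, int] = {}

    def issue(self, real_id: int) -> str:
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle: str) -> int:
        if handle not in self._handles:
            raise Forbidden("unknown object reference")
        return self._handles[handle]


if __name__ == "__main__":
    bob = Session(user_id=102, role="user")
    print(get_profile_unsafe(bob, 101)["name"])  # alice: leaked by the unchecked lookup
    try:
        get_profile_safe(bob, 101)
    except Forbidden as err:
        print("denied:", err)
```

The same rule applies to the hidden fields: anything a form carries back to the server is under the client's control, so the server must re-derive or re-check it rather than trust it.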
__________________________________________________________________________________
Security Misconfigurations
Exercises:
In your browser, visit the page of the web application you are testing.
Return to Burp.
Select the "Target" tab and then the "Site map" tab.
Locate and right-click the "Mutillidae" folder to bring up the context menu.
Although not necessarily a security vulnerability, directory listings are reported by Burp Scanner.
Here you can view the site map for the web application, which has been populated by Burp Spider.
Return to your browser and access the directories you have chosen to investigate by adding the directory name to the URL.
Explore the links in each file and directory you are able to find.
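The directory listings Burp Scanner reports come from the Apache Options directive: any Directory block in which Indexes is effectively on will serve a generated listing wherever no index file exists, and a subdirectory inherits that setting from its parent unless it says otherwise. The Python below is an added example, not part of this manual or of Apache: a small configuration check that parses Directory blocks, applies Apache's merging rule for Options (a line made only of +/- tokens adjusts the inherited set; a line with any bare token replaces it) and reports the paths that will list. The configuration fragment it analyzes is constructed; the default_indexes flag reflects the documented Apache default of Options FollowSymLinks from 2.3.11 on, with Options All (which includes Indexes) before that.

```python
import re
from typing import Dict, List

# Constructed sample httpd.conf fragment: the first block enables listings, one child turns them
# off, and another child inherits the parent's setting without mentioning Options at all.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/mutillidae">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/html/uploads">
    AllowOverride None
</Directory>
"""

_BLOCK_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.IGNORECASE | re.DOTALL)


def effective_indexes(conf_text: str, default_indexes: bool = False) -> Dict[str, bool]:
    """Return, per <Directory> path, whether Indexes is effectively on.
    default_indexes=False models Apache 2.3.11+ (Options FollowSymLinks); pass True for older
    builds, whose default Options All turned listings on everywhere."""
    blocks = sorted(
        ((path.rstrip("/") or "/", body) for path, body in _BLOCK_RE.findall(conf_text)),
        key=lambda pb: len(pb[0]),  # parents are shorter than their children, so process them first
    )
    effective: Dict[str, bool] = {}
    for path, body in blocks:
        ancestors = [p for p in effective if path.startswith(p.rstrip("/") + "/")]
        enabled = effective[max(ancestors, key=len)] if ancestors else default_indexes
        for raw in body.splitlines():
            line = raw.strip()
            if not line.lower().startswith("options"):
                continue
            tokens = line.split()[1:]
            if tokens and all(t[0] in "+-" for t in tokens):
                # Relative form: only the named options change, everything else is inherited.
                for t in tokens:
                    if t[1:].lower() == "indexes":
                        enabled = t[0] == "+"
            else:
                # Absolute form replaces the inherited set; "All" includes Indexes.
                enabled = any(t.lower() in ("indexes", "all") for t in tokens)
        effective[path] = enabled
    return effective


def directories_with_listings(conf_text: str, default_indexes: bool = False) -> List[str]:
    """The finding a reviewer wants: paths that will serve an automatic listing."""
    return sorted(p for p, on in effective_indexes(conf_text, default_indexes).items() if on)


if __name__ == "__main__":
    for path in directories_with_listings(SAMPLE_CONF):
        print(f"directory listing enabled: {path}  (fix: Options -Indexes in that block)")
```

The inherited case is the one that is easy to miss by eye: the uploads block never mentions Indexes, yet it lists, because its parent does. The fix is the same either way, Options -Indexes in the affected block, followed by a restart of Apache and a re-check of the site map.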