[ Auditing With OWASP ] :: [ Introduction ]

The OWASP Top Ten Project

First, see the wiki entry on the project at:
https://owasp.org/www-project-top-ten/

While you’re at it, get the Testing Checklist:
https://www.owasp.org/index.php/Testing_Checklist

You’ll need the OWASP Proactive Controls for Developers:
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf

Assignments

    1. Install the FoxyProxy plugin in Firefox.
    2. Download and set up Burp Suite. Configure FoxyProxy to use Burp as necessary.
    3. Download and set up OWASP ZAP.
    4. Set up XAMPP so you’ll have a local testing target:
      https://www.apachefriends.org/download.html
    5. Download and set up bWAPP under XAMPP:
      https://sourceforge.net/projects/bwapp/files/bee-box/

Practice and Process

In the Testing Checklist, conduct the Section 4.2 Information Gathering steps against a target website.

Online Sites for Testing the OWASP Top 10 Vulnerabilities

Root-me.org has Web Client and Web Server areas. You will need to set up an account.
https://www.root-me.org/en/Challenges/Web-Client/

HackThisSite has several categories of challenges. Yes, create an account. You’ll use it.
https://www.hackthissite.org/

TryHackMe has a unique “rooms” layout with a great progression that lets you start from no knowledge and learn until your brain burns out.
https://tryhackme.com/

Sample Web Applications to Practice Testing

Mutillidae (included in Metasploitable2)

DVWA: Damn Vulnerable Web App

bWAPP:
https://sourceforge.net/projects/bwapp/files/bee-box/

Series Navigation<< [ Security Auditing With the OWASP Top 10 ][ Auditing With OWASP ] :: [ Vulnerability A1: Injection ] >>

Leave a Reply