The OWASP Top Ten Project
First, read the OWASP wiki entry on the project at:
While you're there, get the OWASP Testing Checklist (the spreadsheet companion to the Testing Guide):
You'll also need the OWASP Proactive Controls for Developers, which map the Top Ten risks to the controls that prevent them:
- Install the FoxyProxy extension in Firefox.
- Download and set up Burp Suite (Community Edition is enough to start). Add a FoxyProxy profile pointing at Burp's listener (127.0.0.1:8080 by default) so you can switch interception on and off per site.
- Download and set up OWASP ZAP.
- Set up XAMPP so you have a local testing target. Keep it bound to localhost; XAMPP's defaults are not hardened, and it should never be reachable from outside your machine:
- Download bWAPP and install it under XAMPP's htdocs directory:
Practice and Process
In the Testing Checklist, conduct the Section 4.2 Information Gathering steps against a target you are authorized to test: your local bWAPP instance or one of the practice sites below. Record what you learn (server banner, framework hints, paths disclosed by robots.txt) before you move on; the later sections build on it.
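A small passive information-gathering helper for that step, added here as an example and not code from the page or from OWASP. It extracts the facts a tester writes down first: the server banner, framework hints from X-Powered-By and the session-cookie name, and the paths and sitemaps disclosed by robots.txt. The sample response and robots.txt are constructed for this example (they resemble a default XAMPP/PHP install); run it with a URL argument to query a lab target live.

```python
"""Passive information gathering (OWASP Testing Guide v4, section 4.2).

Added example, not from the original page. Parses response headers and a
robots.txt into a fingerprint and a list of disclosed paths. The sample
data below is constructed; pass a URL on the command line for a live run
against your own lab target.
"""
import http.client
import sys
from urllib.parse import urlparse

# Constructed sample, resembling what a default XAMPP/PHP target returns.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.1.6",
    "X-Powered-By": "PHP/8.1.6",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # constructed sample, comment should be ignored
Allow: /public/
Sitemap: http://localhost/sitemap.xml
"""

# Session-cookie names that give away the framework behind the app.
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "_session_id": "Rails",
}


def fingerprint(headers):
    """Return technology hints drawn from response headers."""
    hints = {}
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "server" in lower:
        hints["server"] = lower["server"]
    if "x-powered-by" in lower:
        hints["powered_by"] = lower["x-powered-by"]
    cookie = lower.get("set-cookie", "")
    for name, tech in COOKIE_HINTS.items():
        if cookie.startswith(name + "="):
            hints["framework"] = tech
    return hints


def parse_robots(text):
    """Return Disallow/Allow paths and Sitemap URLs listed in robots.txt."""
    result = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only, URLs contain more
        key, value = key.strip().lower(), value.strip()
        if key in result and value:
            result[key].append(value)
    return result


def gather(url):
    """Live run: fetch the root page and /robots.txt from a lab target."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    headers = dict(resp.getheaders())  # duplicate names (several Set-Cookie) keep the last value
    resp.read()
    conn.request("GET", "/robots.txt")
    robots = conn.getresponse()
    body = robots.read().decode("utf-8", "replace") if robots.status == 200 else ""
    conn.close()
    return fingerprint(headers), parse_robots(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        fp, robots = gather(sys.argv[1])
    else:
        fp, robots = fingerprint(SAMPLE_HEADERS), parse_robots(SAMPLE_ROBOTS)
    print("fingerprint:", fp)
    print("robots.txt:", robots)
```

Everything here is passive except the two GETs in `gather`, which is what keeps it inside the Information Gathering step; the disallowed paths it returns are candidates for the later content-discovery steps, not something to probe blindly on a site you do not own.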
Online Sites for Testing the OWASP Top 10 Vulnerabilities
Root-me.org has Web Client and Web Server challenge areas. You will need to set up an account.
HackThisSite has several categories of challenges. Yes, create an account. You'll use it.
TryHackMe has a unique "rooms" layout with a great progression that lets you start from no knowledge and learn until your brain burns out.
Sample Web Applications to Practice Testing
Mutillidae (included in the Metasploitable 2 VM, so no separate install is needed if you already run that)
DVWA: Damn Vulnerable Web Application