[ Auditing With OWASP ] :: [ Class 1: Beginning ]

The OWASP Top Ten Project

First, see the wiki entry on the project at:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The Top Ten proper:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
(yes really).

While you’re at it, get the Testing Checklist:
https://www.owasp.org/index.php/Testing_Checklist

You’ll need the OWASP Proactive Controls for Developers:
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf

Assignments

  1. Install the FoxyProxy plugin in Firefox.
  2. Download and set up Burp Suite. Configure FoxyProxy to use Burp as necessary.
  3. Download and set up OWASP ZAP.
  4. Set up XAMPP so you’ll have a local testing target:
    https://www.apachefriends.org/download.html
  5. Download and set up bWAPP:
    https://sourceforge.net/projects/bwapp/files/bee-box/

Practice and Process

Work through the section 4.2 Information Gathering steps of the OWASP Testing Guide against your local target.

Targets for Testing the OWASP Top 10 Vulnerabilities

Root-me.org has Web Client and Web Server areas. You will need to set up an account.
https://www.root-me.org/en/Challenges/Web-Client/

HackThisSite has several categories of challenges. Yes, create an account. You’ll use it.
https://www.hackthissite.org/

Mutillidae (included in Metasploitable2)

DVWA: Damn Vulnerable Web App

bWAPP:
https://sourceforge.net/projects/bwapp/files/bee-box/
