Week 6: Web Application Security

Path: Ethical Hacking | Module: 6 of 8

Attacking the Front Door

Web applications are the most common externally exposed attack surface today. Unlike off-the-shelf software, they are custom code written under deadline pressure, so each application ships with its own set of bugs that no vendor patch will ever fix.

1. OWASP Top 10

OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project) publishes a periodically updated list of the ten most critical web application risks. The three below are the ones this module focuses on; note that the 2021 edition renamed Broken Authentication to "Identification and Authentication Failures" and folded XSS into the Injection category.

  • Injection (SQLi): user input is concatenated into a database query, so an attacker can change what the query does, for example making it return every user's record instead of one.
  • Broken Authentication: guessable passwords, no brute-force protection, or session cookies that can be stolen or predicted, letting an attacker act as another user.
  • Cross-Site Scripting (XSS): injecting malicious JavaScript that the site then serves to other users, where it runs in their browser with their session.

2. Tools of the Trade

  • Burp Suite: An intercepting proxy. You configure your browser to send every request through Burp, which lets you pause a request, edit it (change "price=100" to "price=0"), and forward it to the server. Whether the edit has any effect depends entirely on whether the server re-checks the value: anything the client sends, including hidden form fields and cookies, can be altered this way, so the server must never trust it.
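To see why the "price=100" to "price=0" edit works against some servers and not others, here is an added example (not code from the module, DVWA or Burp) that parses a form body the way a server would and handles it two ways: once trusting the client's price field, once ignoring it and re-deriving the price from a catalogue. The request bodies, the SKU names and the catalogue prices are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed catalogue standing in for the shop's product database (example data).
CATALOGUE = {"sku-100": 100.00, "sku-250": 250.00}

# Constructed request bodies: what the browser sent, and the same body after
# editing "price=100" to "price=0" in the intercepting proxy.
ORIGINAL_BODY = "sku=sku-100&qty=2&price=100"
TAMPERED_BODY = "sku=sku-100&qty=2&price=0"


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict (first value wins)."""
    return {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting_client(form):
    """Vulnerable: charges whatever 'price' the client supplied. A proxy edit changes the total."""
    return float(form["price"]) * int(form["qty"])


def checkout_server_priced(form):
    """Hardened: the client's price field is ignored; price is looked up server-side by SKU."""
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form["qty"])
    if qty < 1:
        # Negative or zero quantities are another classic tampering trick (refund instead of charge).
        raise ValueError("quantity must be at least 1")
    return CATALOGUE[sku] * qty


def demo():
    """Run both handlers against the original and the tampered request; returns the four totals."""
    original = parse_form(ORIGINAL_BODY)
    tampered = parse_form(TAMPERED_BODY)
    return {
        "trusting_original": checkout_trusting_client(original),
        "trusting_tampered": checkout_trusting_client(tampered),
        "server_original": checkout_server_priced(original),
        "server_tampered": checkout_server_priced(tampered),
    }


if __name__ == "__main__":
    for name, total in demo().items():
        print(f"{name}: {total:.2f}")
```

The trusting handler charges 0.00 for the tampered request while the server-priced handler charges 200.00 for both, because the only input it uses from the client is the SKU, which it validates against its own data.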

🔬 Lab Exercise: DVWA (SQL Injection)

Objective: Make the application return every row of its users table through a single injected input.

  1. Access the DVWA (Damn Vulnerable Web App) running on Metasploitable via your browser and log in.
  2. Under "DVWA Security", set the security level to Low. The Medium and High levels apply defences that this payload will not get past.
  3. Go to "SQL Injection".
  4. In the User ID box, type: 1' OR '1'='1
  5. Click Submit.
  6. The page builds its query by concatenating your input into a quoted string, so the database receives: SELECT first_name, last_name FROM users WHERE user_id = '1' OR '1'='1'. Your opening quote closes the user_id value and the trailing '1 is swallowed by the application's own closing quote. Because '1'='1' is true for every row, the WHERE clause matches everything and the database returns all users, not just User #1.
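The following is an added example, not code from DVWA or the module, that reproduces the lab's mechanism in a few lines so you can see both the query the payload produces and why the fix works. It uses an in-memory SQLite table with constructed rows in place of DVWA's MySQL users table; the query shape (user_id wrapped in single quotes) mirrors DVWA's low-security page, and the table contents are invented. The vulnerable lookup concatenates the input, the hardened lookup binds it as a parameter; the same `1' OR '1'='1` payload is sent to both. This also covers the Injection entry in the OWASP list above.

```python
import sqlite3

PAYLOAD = "1' OR '1'='1"


def make_db():
    """Constructed stand-in for the users table (example rows, not DVWA's real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def build_vulnerable_query(user_id):
    """String concatenation: the attacker's text becomes part of the SQL grammar."""
    return (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{user_id}' ORDER BY user_id"
    )


def lookup_vulnerable(conn, user_id):
    """Runs the concatenated query, exactly as a vulnerable page would."""
    return conn.execute(build_vulnerable_query(user_id)).fetchall()


def lookup_parameterised(conn, user_id):
    """Placeholder binding: the driver sends the value separately from the query text,
    so quotes in the input are data and can never change the query's structure."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ? ORDER BY user_id"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    """Return what each lookup yields for a normal ID and for the injection payload."""
    conn = make_db()
    return {
        "vulnerable_query": build_vulnerable_query(PAYLOAD),
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_attack": lookup_vulnerable(conn, PAYLOAD),
        "parameterised_normal": lookup_parameterised(conn, "1"),
        "parameterised_attack": lookup_parameterised(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against the concatenated query the payload returns all three rows; against the parameterised query it returns nothing, because the database is looking for a user_id literally equal to the string 1' OR '1'='1. Escaping quotes (what DVWA's Medium level does) narrows the hole but leaves the query structure dependent on the input; parameterisation removes the dependency altogether.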