This lab report presents a penetration test on a vulnerable web application to identify OWASP Top 10 vulnerabilities, revealing critical issues such as SQL Injection, XSS, and broken authentication. The test utilized various tools and methodologies, successfully demonstrating the application's susceptibility to common attacks. Recommendations for immediate remediation include improving input validation, authentication mechanisms, and secure configuration management to enhance security.

Uploaded by Md Emon Sheikh
Lab Report 3: Software Engineering & Network Security

Title: Penetration Testing and Vulnerability Assessment of a Web Application for Common OWASP Top 10 Flaws

Abstract: This report details a penetration test conducted on a simulated web application to identify common vulnerabilities as outlined in the OWASP Top 10. The methodology involved reconnaissance, active scanning using automated tools, and manual exploitation attempts for flaws such as SQL Injection, Cross-Site Scripting (XSS), Broken Authentication, and Security Misconfigurations. Several critical and high-severity vulnerabilities were identified, demonstrating the application's susceptibility to common attacks and highlighting the need for robust security development practices.

Introduction: Web applications are frequent targets for cyberattacks due to their accessibility and the sensitive data they often handle. The OWASP Top 10 provides a standard awareness document for developers and security professionals regarding the most critical web application security risks. This lab aimed to perform a simulated penetration test on a deliberately vulnerable web application to identify and exploit these common flaws, thereby understanding their impact and mitigation strategies.

Methodology:

1. Target Environment: A deliberately vulnerable web application (e.g., OWASP Juice Shop, WebGoat) deployed locally.
2. Tools:
   - Reconnaissance: Nmap (port scanning), DirBuster/Gobuster (directory brute-forcing).
   - Proxy/Interceptor: OWASP ZAP or Burp Suite Community Edition for manual request manipulation.
   - Automated Scanners: OWASP ZAP (active scan) for initial vulnerability identification.
   - Exploitation: SQLMap (for SQL Injection), browser developer tools, custom scripts.
3. Procedure:
   - Information Gathering: Identify open ports, technologies used, accessible directories.
   - Vulnerability Scanning: Run automated scans to find initial weaknesses.
   - Manual Testing & Exploitation:
     - SQL Injection: Test input fields for SQLi using common payloads.
     - XSS: Attempt to inject malicious scripts into various input fields.
     - Broken Authentication: Test for weak password policies, session fixation, or brute-force login.
     - Security Misconfiguration: Look for default credentials, exposed configuration files, or unpatched components.
     - Insecure Deserialization/A08 (if applicable): Attempt to exploit deserialization flaws.
4. Reporting: Document identified vulnerabilities, their severity, proof-of-concept, and recommendations.

Results:

- SQL Injection (Critical): Identified on the login page, allowing full database access. Proof-of-concept involved extracting user credentials.
- Reflected XSS (High): Found in the search functionality, allowing arbitrary script execution in the user's browser.
- Broken Authentication (High): Weak password hashing allowed for easy brute-forcing of user accounts. Session tokens were not securely handled.
- Security Misconfiguration (Medium): Default admin credentials were active, and unnecessary services were running.
- Other findings: Cross-Site Request Forgery (CSRF) on a payment form (High), Sensitive Data Exposure through API endpoints (High).
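The session-handling and CSRF findings above have a standard server-side fix. As an added example that is not part of the lab report, the following Python issues a random session id with the Secure, HttpOnly and SameSite cookie flags and checks a per-session CSRF token on the payment request; the in-memory session store, the cookie name `session` and the form field `csrf_token` are assumptions made for the demo.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

SESSIONS: dict[str, dict] = {}  # constructed in-memory session store for the demo

def new_session() -> tuple[str, str]:
    # 256-bit session id and a per-session CSRF token, both from the OS CSPRNG,
    # instead of predictable or reused tokens.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf"]

def session_cookie_header(sid: str) -> str:
    # Secure: sent over HTTPS only. HttpOnly: unreadable by injected script.
    # SameSite=Strict: not attached to requests initiated by another site.
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Strict"
    return c.output(header="Set-Cookie:").strip()

def handle_payment(cookie_header: str, form: dict) -> str:
    # Server side of the payment form. The browser attaches the cookie to a
    # cross-site request automatically, but the forging page cannot read the
    # session's CSRF token, so the token in the form body must also match.
    c = SimpleCookie(cookie_header)
    sess = SESSIONS.get(c["session"].value) if "session" in c else None
    if sess is None:
        return "401 no valid session"
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return "403 csrf token mismatch"
    return f"200 paid {form.get('amount')}"
```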

Discussion: The penetration test successfully identified multiple critical and high-severity vulnerabilities aligned with the OWASP Top 10, highlighting significant security weaknesses in the target application. The ease of exploiting SQL Injection and XSS, coupled with the broken authentication mechanisms, demonstrates how fundamental security flaws can lead to severe data breaches and system compromise. The findings underscore the importance of secure coding practices, regular security audits, and adherence to security best practices throughout the software development lifecycle.

Conclusion: The web application exhibited significant vulnerabilities across multiple OWASP Top 10 categories. Immediate remediation efforts, including input validation, output encoding, strong authentication mechanisms, and secure configuration management, are highly recommended to enhance the application's security posture. This lab provided practical experience in identifying and reporting web application security flaws.
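As an added example, not code from the lab report, the following Python puts the string-built lookup behind the SQL Injection finding next to its parameterised form, stores passwords with salted PBKDF2 instead of a fast unsalted hash (the weak-hashing finding), and HTML-escapes the search term from the reflected-XSS finding, which together cover the input validation, output encoding and strong authentication items in the conclusion. The in-memory SQLite schema, the user records and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import html
import os
import sqlite3

PBKDF2_ROUNDS = 600_000  # assumption: cost chosen to make offline guessing slow

def make_db() -> sqlite3.Connection:
    # Constructed in-memory schema standing in for the application's user table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return con

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow PBKDF2-HMAC-SHA256 in place of an unsalted fast digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def add_user(con: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(password, salt)))

def find_user_vulnerable(con: sqlite3.Connection, name: str):
    # Untrusted input spliced into the SQL text, so a quote in `name` reaches the
    # parser as SQL. Returns the matched name, None, or the leaked error text.
    try:
        row = con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return row[0] if row else None

def find_user_hardened(con: sqlite3.Connection, name: str):
    # Parameterised query: the driver passes `name` as data, never as SQL text.
    row = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def login(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened login: parameterised lookup plus constant-time hash comparison.
    row = con.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

def render_search(term: str) -> str:
    # Output encoding for the reflected-XSS finding: escape before inserting into HTML.
    return f"<p>Results for: {html.escape(term)}</p>"
```

A legitimate name containing an apostrophe is enough to show the defect: the string-built query returns a database error (the kind of leakage a scanner flags), while the parameterised one simply finds the user.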
