WebAppSecurity Logbook

Uploaded by

Vinayak Nagri

COURSE NAME: WEB APPLICATION SECURITY
011 ELEMENT LOGBOOK - MOD006363

SID: 2223494

Anglia Ruskin University
Dated: April 21, 2023


Table of Contents
Week 1
  Overview of OWASP 2017 Top 10
  Weekly Reflections
Week 2
  Hacker Test HTML Labs 1-10
  Weekly Reflections
Week 3
  Finding the Score-board
  Missing Encoding
  Zero Star Challenge
  Weekly Reflections
Week 4
  Confidential Document
  Login Admin
  Weekly Reflections
Week 5
  View Basket
  Admin Section
  Weekly Reflections
Week 6
  Exposed Metrics
  Login Amy
  Weekly Reflections
Week 8
  Error Handling
  Weekly Reflections
Week 9
  DOM XSS
  Bonus Payload
  Weekly Reflections
Week 10
  Chatbot Abuse
  Weekly Reflections
Week 11
  Easter Egg
  Nested Easter Egg
  Weekly Reflections
Literature Review

Week 1:

Overview of OWASP 2017 Top 10

The overview of the OWASP 2017 Top 10 security vulnerabilities (OWASP, 2017 [1]) is as
follows:

A1: Injection - Exists when untrusted input is spliced into a command or query for an
interpreter (SQL, OS, LDAP) instead of being kept separate as data. Typing an SQL fragment
into a login form's email or password field can give the attacker unauthorized access.

A2: Broken Authentication - Exists when an attacker can bypass the authentication or
session management mechanism (weak or reused passwords, credential stuffing, guessable
or non-expiring session tokens) and act as another user.

A3: Sensitive Data Exposure - Exists when sensitive data such as passwords and card
numbers is stored or transmitted without adequate protection: no encryption in transit,
plaintext or weakly hashed storage, or outdated algorithms.

A4: XML External Entities (XXE) - Exists when an XML parser resolves external entity
declarations inside attacker-supplied XML, letting the attacker read local files, reach
internal services (SSRF) or cause denial of service.

A5: Broken Access Control - Exists when the application fails to enforce what an
authenticated user is allowed to do, so an attacker can reach other users' data or
functions or gain elevated privileges.

A6: Security Misconfiguration - Exists when a system is not configured securely:
unpatched components, default accounts, directory listings, verbose error messages or
unprotected files that an attacker can exploit.

A7: Cross-Site Scripting (XSS) - Exists when an attacker can inject script into a page
that then runs in other users' browsers, stealing their data or hijacking their session.
It comes in stored, reflected and DOM-based forms.

A8: Insecure Deserialization - Exists when the application deserializes data the
attacker controls, allowing tampering with application logic and, in the worst case,
remote code execution.

A9: Using Components with Known Vulnerabilities - Exists when the application relies
on outdated or unmaintained libraries, frameworks or platforms with published
vulnerabilities that are easy to exploit.

A10: Insufficient Logging & Monitoring - Exists when the application does not record
and alert on security-relevant events in a timely way, so attackers can probe and breach
systems without being detected.

Weekly Reflections

• Understood the basics of the underlying infrastructure beneath web applications and
overviewed the OWASP Top 10 vulnerabilities [1].
• Learnt about the term Penetration Testers (similar to ethical hackers) and glanced
through the Computer Misuse Act 1990 page (legislation.gov.uk, 1990 [2]).
• Understood how to log in to Netlab, the remote working server for the practical
sessions.

Week 2

Hacker Test HTML Labs 1-10

We accessed HackerTest, an online hacking-simulation website made up of hacking
challenges (www.hackertest.net, n.d. [3]), and completed 10 levels. The screenshots for
each level follow:

Level 1:

Level 1 Main Page

Step 1: Simply view the page source and identify the relevant code. Since we saw the "try
again" message when entering a wrong password, the password check must be somewhere
near the code that produces that message.
Level 1 Source Code

Step 2: Enter the password, log in and it works!

Level 1: Enter the password.

Level 2:

Step 1: The moment we arrive at Level 2 we get a dialog box asking for a password. Click
"OK" or "Cancel" to get to the Level 2 page.
Level 2: Alert box

Level 2 Main Page

Step 2: View the source code and identify the relevant code. It is straightforward: the
password is assigned in plain text to a variable called "pass".
Level 2: Source Code

Step 3: Go back to the page, enter the password, and move to the next level!

Level 2: Enter the password.

Level 3:

Level 3: Main Page with Alert box

Step 1: Go to the source code!

Level 3: Source Code

Step 2: The assignment "pw = window.document.alinkColor" shows that the password is
the document's active-link colour, which the body tag sets with "alink=#000000"; that
value is what we need.

Step 3: Go back, enter the password and we're through.
Level 3: Enter the password.

Level 4 / Level 5:

Level 4: Main Page

Step 1: Level 4 is simply a pathway to Level 5, but the Level 5 page cannot be opened
directly. Clicking "Click here" opens a dialog box, and unless the correct password is
entered it just sends you back to this page.
Level 5: Entrance

Step 2: Check source code of Level 4 page and download the “sdrawkcab.html” file.

Level 5: Source Code

Step 3: Access it in a code editor and identify the password.

Level 5: Source Code

Step 4: Go back to the page, enter the password and you’re through.

Level 5: Enter Password

Level 6:

Level 6: Main Page

Step 1: Go to the source code!

Level 6: Source Code

Step 2: Everything else seems ordinary. The only clue is the js file. Click it!

Step 3: Locate the password within the javascript file.

Psswd.js File

Step 4: Enter the password and you’re through!

Level 6: Enter Password

Level 7

Level 7: Main Page

Step 1: Go to the source code.

Level 7: Source Code

Step 2:

Included.gif file

Step 3:

Level 7: Enter Password

Level 8

Step 1:

Level 8: Source Code

Phat.php File

Step 2: Check source code of phat.php

Phat.php Source Code

Step 3:

Step 4: Download the image and open it in Photoshop or any online alternative.
Step 5:

Step 6:

Step 7:

Level 8: Enter Password

Level 9

Level 9: Main Page

Step 1: Check the source code.

Step 2:

Step 3:

Step 4:

Step 5:

Level 10

Step 1:

Step 2: Enter password!
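The first six levels above were all solved the same way by hand: read the page source, follow any external script, and look for the variable or attribute the password check compares against. As an added example (not hackertest.net's code, and the sample page below is constructed to mimic the pattern rather than copied from the site), here is a small static pass over a page's HTML that does that sweep automatically. The variable names it looks for (pass, password, pw, pwd) and the body attributes it reports are assumptions about what such checks tend to use.

```python
# Added example (not hackertest.net's code): pull out of a page the things the
# HackerTest levels hid the password in: external script references, inline
# scripts, body colour attributes (readable as document.alinkColor etc.) and
# assignments or comparisons that look like a password check. SAMPLE is a
# constructed page that imitates the pattern; it is not the site's markup.
import re
from html.parser import HTMLParser

# "var pass = "...";" style assignments to a suspiciously named variable
PASSWORD_ASSIGN = re.compile(
    r'\b(?:var|let|const)?\s*(pass(?:word)?|pw|pwd)\s*=\s*["\']([^"\']+)["\']', re.I)
# "something == "literal"" comparisons: the literal is usually the answer
COMPARISON = re.compile(r'\b(\w+)\s*==\s*["\']([^"\']+)["\']')
INTERESTING_BODY_ATTRS = ("alink", "link", "vlink", "bgcolor")

SAMPLE = """<html><body alink="#000000">
<script src="psswd.js"></script>
<script>
var pass = "hunter2";
function check(){ if (document.f.p.value == pass) location = "level2.htm"; else alert("try again"); }
function check2(){ if (document.g.q.value == "swordfish") location = "level3.htm"; }
</script>
</body></html>"""


class Inspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self.attrs = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.scripts.append(attrs["src"])
        elif tag == "body":
            self.attrs.extend((k, v) for k, v in attrs.items() if k in INTERESTING_BODY_ATTRS)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw text
        if self._in_script and data.strip():
            self.inline.append(data)


def inspect_page(html_text):
    p = Inspector()
    p.feed(html_text)
    findings = {"external_scripts": p.scripts, "body_attrs": p.attrs, "secrets": []}
    for code in p.inline:
        findings["secrets"] += [(m.group(1), m.group(2)) for m in PASSWORD_ASSIGN.finditer(code)]
        findings["secrets"] += [(m.group(1), m.group(2)) for m in COMPARISON.finditer(code)]
    return findings


if __name__ == "__main__":
    for key, value in inspect_page(SAMPLE).items():
        print(key, value)
```

The lesson the levels teach is the one the script relies on: anything the browser needs in order to check a password is readable by the person at the browser, so a client-side check can only ever be a convenience, never a control.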

Weekly Reflections

• Had a nice recap of HTML and JavaScript through the HackerTest challenges.
• Learnt about some new concepts in class - web spidering, application mapping and
banner grabbing (Borges, 2021 [6]).
• Looked deeper into OSINT tools (Kadar, n.d. [4]). Found them quite fascinating (and
depressing, considering "HaveIBeenPwned" (haveibeenpwned.com, n.d. [5]) just let me
know that my email address was part of 36 data breaches, including a Domino's data leak
that exposed my address).

Week 3

Finding the Score-board:

Juice Shop Home Page

23 | P a g e
Step 1: Open the developer tools, locate the main-es2018.js bundle and search it for
"score".

Relevant Code

Step 2: Entering the route found there in the address bar takes you to the score-board.

Success!
Missing Encoding:
Step 1: Open the sidebar menu on the left and select "Photo Wall". One of the photos does
not load.

Step 2: Inspect the broken image and look at the URL of its source file.

Relevant Code

Step 3: Look up the URL encoding of "#". Left unencoded, "#" marks the start of the URL
fragment, so the browser cuts the path off there and never asks the server for the part
of the file name that follows it.

W3Schools HTML Encoding Table (www.w3schools.com, n.d.) [10]

Step 4: Replace "#" with its encoding "%23" so that the whole file name is sent as part
of the path.

Step 5: Refresh the page and the photo appears.

Success!
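As an added example (not Juice Shop's code; the base URL and file names are made up for the demo), this shows what the server actually receives when a file name containing "#" is concatenated raw into a URL, and what it receives once the segment is percent-encoded:

```python
# Added example (not Juice Shop's code): why a "#" in a file name breaks the
# image URL and how percent-encoding the path segment fixes it. BASE and the
# file names are constructed for the demo.
from urllib.parse import quote, unquote, urlsplit

BASE = "http://localhost:3000/assets/public/images/uploads/"


def naive_url(filename):
    # Raw concatenation: any reserved character in the name changes what the URL means.
    return BASE + filename


def encoded_url(filename):
    # Encode the segment; safe="" also encodes "/", so a name cannot climb out of
    # the uploads directory.
    return BASE + quote(filename, safe="")


def requested_path(url):
    # What the server sees: the decoded path and the query string. The fragment
    # is split off by the browser and never leaves it.
    parts = urlsplit(url)
    return unquote(parts.path), parts.query, parts.fragment


if __name__ == "__main__":
    for name in ("my#photo.jpg", "a?b.jpg"):
        print(name)
        print("  raw:    ", requested_path(naive_url(name)))
        print("  encoded:", requested_path(encoded_url(name)))
```

The same reasoning covers "?" (starts the query string) and "%" (starts an escape), which is why the fix is to encode the whole segment rather than to special-case "#".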

Zero Star Challenge:

Step 1:

Step 2:

Step 3:

Rating changed to 0

Success

Weekly Reflections:

• Importance of encoding properly while working with HTML.


• Learnt intercepting using Burp Suite.
• Learnt about Injection attacks (OWASP, 2017 [7]) in lecture and looked into
Query Parameterization (SQL-Server-Team, 2019 [8]) as a way to mitigate SQL
Injections.
• Discovered the Secure Coding Checklist (OWASP, n.d. [9]), quite a helpful guide to
keep for future reference.

Week 4

Confidential Document:
Step 1:

Step 2:

Step 3: Open the file!

Step 4: This doesn’t seem to be the confidential file but now we know where all the files
are stored. Go to the ftp folder again!

Step 5:

Step 6:

Success!

Login Admin:
A common authentication bypass method is the following:

ARU Curriculum PPT

Step 1: Go to the login page and try it out.

Success!
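The bypass above, the A1 entry in the Week 1 table and the Week 3 note on query parameterization all describe the same mechanism. As an added example (not the logbook's, the slide's or Juice Shop's code), here is a login check built by string concatenation next to the parameterised version, both run against an in-memory SQLite table. The table, its two rows and the payload string are constructed for the demo; the payload is the textbook tautology, not the one on the slide, which is not visible here.

```python
# Added example (not the logbook's or Juice Shop's code): the login check an SQL
# injection bypass works against, built by string concatenation, next to the
# parameterised version, both run against an in-memory SQLite database.
# The users table, its rows and PAYLOAD are constructed for the demo.
import sqlite3

# Textbook tautology: the quote closes the email literal, OR 1=1 makes the WHERE
# clause true for every row, and "--" comments out the password check.
PAYLOAD = "' OR 1=1--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    # Plaintext passwords only to keep the demo short; a real table holds salted hashes.
    conn.executemany(
        "INSERT INTO users (email, password, role) VALUES (?, ?, ?)",
        [("admin@example.test", "s3cr3t-admin", "admin"),
         ("jim@example.test", "ncc-1701", "customer")],
    )
    return conn


def vulnerable_login(conn, email, password):
    # Attacker-controlled text is spliced straight into the SQL grammar.
    sql = ("SELECT email, role FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()   # (email, role) of the first match, or None


def safe_login(conn, email, password):
    # Placeholders keep the input as data: the statement's grammar is fixed before
    # the values are bound, so a quote in the input is just a quote.
    sql = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "anything"))   # first row: the admin
    print("safe:      ", safe_login(db, PAYLOAD, "anything"))         # None
```

The vulnerable query returns whichever row the database scans first, which is why this kind of bypass so often lands on the first-created (administrator) account. Parameterisation fixes the injection; it does nothing about the plaintext passwords, which is the separate hashing-and-salting point from this week's lecture.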

Weekly Reflections:

• Studied the Broken Authentication vulnerability (OWASP, 2017 [11]).
• Learnt about the concepts of hashing and salting and the common hash functions MD5
and SHA-3.
• Looked into the Credential Stuffing threat – brute forcing with large amounts of leaked
credentials (Mueller, 2023 [12]) – and realised the importance of rate limiting and MFA
to avoid it.
• Learnt about sessions and Session Fixation attacks (OWASP, n.d. [13]).
Week 5

View Basket:

Step 1:

Step 2: Open Developer Tools → Storage → Session Storage and check the value of "bid".

Step 3:

Bid value changed to 9.

Success!

Admin Section

Step 1:

Step 2:

Step 3:

Step 4: Visit the path “localhost:3000/#/administration”

Success!
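Both challenges in this week come down to a check that is missing on the server: View Basket works because the server trusts the basket id the client keeps in session storage, and Admin Section works because the administration route is merely hidden in the front end. As an added example (not Juice Shop's code), here is the vulnerable handler next to the one with the ownership check, plus a role check on routes such as the administration page and the metrics endpoint from the next week. Users, baskets, session tokens and route names are made up in memory for the demo.

```python
# Added example (not Juice Shop's code): server-side authorization for a
# basket lookup and for privileged routes. USERS, BASKETS, SESSIONS and
# ROLE_FOR_ROUTE are constructed in memory for the demo.
USERS = {
    1: {"email": "admin@example.test", "role": "admin"},
    2: {"email": "jim@example.test", "role": "customer"},
    3: {"email": "bender@example.test", "role": "customer"},
}
BASKETS = {
    1: {"owner": 1, "items": ["apple juice"]},
    2: {"owner": 2, "items": ["banana juice"]},
    9: {"owner": 3, "items": ["lemon juice"]},   # another customer's basket
}
SESSIONS = {"tok-jim": 2, "tok-admin": 1}        # session token -> user id
ROLE_FOR_ROUTE = {"/administration": "admin", "/metrics": "admin"}


class Forbidden(Exception):
    pass


def current_user(token):
    uid = SESSIONS.get(token)
    if uid is None:
        raise Forbidden("not authenticated")
    return uid


def vulnerable_view_basket(token, bid):
    # bid came from sessionStorage on the client. The server only checks that
    # the caller is logged in, not that the basket is theirs (an IDOR).
    current_user(token)
    return BASKETS[bid]["items"]


def view_basket(token, bid):
    uid = current_user(token)
    basket = BASKETS.get(bid)
    if basket is None or basket["owner"] != uid:
        # Same answer for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("basket not found")
    return basket["items"]


def authorize_route(token, route):
    # Hiding a link in the single-page app is not a control; this is where it
    # has to happen. Endpoints like /metrics can alternatively be bound to an
    # internal interface so they are never reachable from the public side.
    uid = current_user(token)
    required = ROLE_FOR_ROUTE.get(route)
    if required is not None and USERS[uid]["role"] != required:
        raise Forbidden("insufficient role")
    return True


def denied(handler, *args):
    # Small helper for the demo: True if the handler refused the request.
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, jim reads basket 9:", vulnerable_view_basket("tok-jim", 9))
    print("fixed, jim reads basket 9 denied:", denied(view_basket, "tok-jim", 9))
    print("jim on /administration denied:", denied(authorize_route, "tok-jim", "/administration"))
```

The shape of the fix is the same in both cases: derive the identity from the session, look the object or route up on the server, and compare the two there. Nothing the client sends (a basket id, a hidden menu entry, a URL fragment) is evidence of anything.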

Weekly Reflections

• Implemented SQL Injection practically.
• Studied the Broken Access Control vulnerability (OWASP, 2017 [14]) in the lecture.
• Understood the concept of Least Privilege Access – granting the minimum access to a
function for the minimum amount of time (Ma et al., 2011 [15]).
• Learnt about the CIA model – the fundamental elements in the development of security
controls (Fenrich, 2008 [16]).

Week 6

Exposed Metrics

Step 1:

Step 2:

Step 3: Go to “localhost:3000/metrics”

Success!

Login Amy

Step 1: Go to the website (Grc.com, 2011 [17]) linked in the challenge. The following parts
are relevant:

The important note she didn’t read:

Step 2: Search for Amy’s boyfriend’s name!

Step 3: Try out the concept with "K1f". Keep padding it with dots and it will eventually
work!
That's 22 dots, by the way!
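The haystack page's argument is that padding makes the search space enormous, and the challenge shows the catch: an attacker who knows the padding rule does not search that space at all. As an added example (not from the logbook or grc.com), here is the search-space arithmetic for "K1f" plus 22 dots next to a guesser that only tries "short core padded with one repeated symbol". The character-class sizes follow the haystack page's model; the cracking rate, the set of padding characters and the guess limit are assumptions for the demo.

```python
# Added example (not from the logbook or grc.com): "haystack" search-space
# arithmetic next to a pattern-aware guesser that shows why "K1f" padded with
# 22 dots is not 25 characters of entropy. CLASS_SIZES follows the haystack
# page's model; the guess rate, padding characters and max_pad are assumptions.
import string

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classes_used(pw):
    used = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("symbol")
    return used


def search_space(pw):
    # Haystack model: every string up to this length over the alphabet implied
    # by the classes present, i.e. the sum of a**i for i = 1..len(pw).
    a = sum(CLASS_SIZES[c] for c in classes_used(pw))
    return sum(a ** i for i in range(1, len(pw) + 1))


def brute_force_years(pw, guesses_per_second=1e11):
    # Time to exhaust the space at an assumed offline cracking rate of 10^11/s.
    return search_space(pw) / guesses_per_second / (365 * 24 * 3600)


def pattern_guesser(check, core, pad_chars=".-_*", max_pad=40):
    # An attacker who knows the rule "short core padded with one repeated
    # symbol" tries each padding character and length in turn. Returns the
    # number of guesses needed, or None if the rule does not fit.
    guesses = 0
    for pad in pad_chars:
        for n in range(max_pad + 1):
            guesses += 1
            if check(core + pad * n):
                return guesses
    return None


if __name__ == "__main__":
    amy = "K1f" + "." * 22
    print("classes used:", sorted(classes_used(amy)))
    print("brute-force years:", f"{brute_force_years(amy):.3e}")
    print("guesses with the padding rule:", pattern_guesser(lambda g: g == amy, "K1f"))
```

The exhaustive-search figure is astronomically large and also irrelevant: once the core is known (a name the challenge leads you to) the padded password falls in a few dozen guesses. Search-space size only measures resistance to an attacker with no knowledge of how the password was built.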

Weekly Reflections

• Learnt about Sensitive Data Exposure (OWASP, 2017 [18]) and the multiple laws
governing the handling of sensitive data – DPA (1998), GDPR (2018) and PCI DSS (2022,
most recent version).
• Learnt about several reconnaissance tools, used to discover and collect information
about a target system. Tried out SecurityHeaders (Helme, n.d. [19]) to see the HTTP
headers a website sends. The OSINT Resources Portal (osint.link, 2018 [20]) is a helpful
go-to site for such tools.

Week 8

Error Handling
This challenge was solved during the View Basket challenge!

Privacy Policy

Step 1:

Success!

Weekly Reflections

• Last week we covered Security Management. Learnt about ISO 27001 – the global
standard for information security compliance. Implementing an ISMS (Information
Security Management System) is compulsory to achieve this certification (Kosutic, n.d.
[21]).
• This week we learnt about the Security Misconfiguration vulnerability (OWASP, 2017
[22]), the importance of error handling, and the buffer overflow attack.

Week 9

DOM XSS

Step 1:

Step 2:

And press enter, of course!

Success!

Here’s the code we injected in the page:

Bonus Payload

Step 1:

Step 2:

The injected code in the page:

Weekly Reflections

• Performed a practical implementation of an XSS attack.
• Covered the XSS vulnerability in detail this week – its three types and mitigation
using CSE and CSP (OWASP, 2017 [23]).
• Learnt about an interesting pen testing tool focused on web browser exploits – BeEF
(beefproject.com, n.d. [24]).

Week 10

Chatbot Abuse

Step 1:

Step 2:

Step 3:

Weekly Reflections

• Covered the remaining four vulnerabilities this week.
• Making use of vulnerability databases such as CVE, CWE and NVD is essential, as we
all use components with known vulnerabilities (OWASP, 2017 [25]).
• Using Security Information and Event Management systems will help us to properly
log and monitor important security events (Bhatt, Manadhata and Zomlot, 2014 [26]).
• Implemented a brute force technique to manipulate a chatbot. Use of AI chatbots and
cloud-based chatbots can offer much better security and reliability.

Week 11

Easter Egg
Step 1:

Step 2: The Poison Null Byte injection method (thehacker.recipes, 2023 [27]) will help
us get past the sanity-check filter and reach the file. "%00" is the percent-encoded null
byte. Because the path goes through more than one percent-decoding step on its way to
the file lookup, the "%" itself has to be encoded as "%25", so "%2500" is used: the first
decoding turns it into "%00", which still ends in an allowed extension and passes the
check, and the next turns it into a real null byte, which the file lookup treats as the
end of the name.
Step 3:

Easter Egg Challenge Completed!
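As an added example (a model, not Juice Shop's code), here is the double-decoding mistake behind the null-byte trick, reduced to two functions: one that decodes the name once for the extension check and once more for the file lookup, and one that decodes exactly once and refuses anything that is not a plain file name. The file store, file names and allowed extensions are constructed for the demo; the truncation at the null byte models an API that treats NUL as the end of a string.

```python
# Added example (a model, not Juice Shop's code): how a double-encoded null
# byte (%2500) slips past an extension filter when the path is decoded once by
# the filter and once more by the file-serving layer, and how decoding exactly
# once with a canonical-form check stops it. FILES and ALLOWED_SUFFIXES are
# constructed for the demo.
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".md", ".pdf")
FILES = {"hidden.egg": "easter egg contents", "legal.md": "legal text"}


def vulnerable_serve(raw_segment):
    # Layer 1: the router decodes once. "%2500" becomes "%00", which is just two
    # harmless-looking characters in front of an allowed suffix.
    name = unquote(raw_segment)
    if not name.endswith(ALLOWED_SUFFIXES):
        return None, "blocked: extension"
    # Layer 2: the file helper decodes again and hands the result to an API
    # that stops at the first NUL (modelled here by splitting on "\x00").
    name = unquote(name).split("\x00", 1)[0]
    return FILES.get(name), "served:" + name


def hardened_serve(raw_segment):
    # Decode exactly once, then insist the result is already canonical: no NUL,
    # no leftover escapes (decoding again must change nothing), no path parts.
    name = unquote(raw_segment)
    if "\x00" in name or unquote(name) != name or "/" in name or ".." in name:
        return None, "blocked: bad characters"
    if not name.endswith(ALLOWED_SUFFIXES):
        return None, "blocked: extension"
    return FILES.get(name), "served:" + name


if __name__ == "__main__":
    for seg in ("legal.md", "hidden.egg", "hidden.egg%2500.md"):
        print(seg, "->", vulnerable_serve(seg), hardened_serve(seg))
```

The "decode again must change nothing" test is the general form of the fix: any input that still contains an escape after one decoding is either malformed or an attempt to reach a second decoder, and neither deserves a file.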

Nested Easter Egg

Step 1:

Step 2:

Step 3:

Final Success!

Weekly Reflections

• Poison Null Byte injection – using a null byte to send data that would otherwise be
filtered [27] – and used it in the lab to complete the challenge.
• ROT13 encoding – a substitution encoding replacing each letter with the letter 13
places ahead of it. Used a ROT13 decoder to solve the last challenge.
• Covered Threat Modelling in the lecture. SAMM is an open framework for implementing
a security strategy (OWASP, n.d. [28]).
• STRIDE, DREAD and PASTA are established threat modelling methodologies.

Literature Review

[1] OWASP (2017). 2017 Top 10 | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/Top_10 [Accessed: 31 January 2023].

[2] legislation.gov.uk (1990). Computer Misuse Act 1990. [online] Available at: https://www.legislation.gov.uk/ukpga/1990/18/contents [Accessed: 31 January 2023].

[3] www.hackertest.net (n.d.). Hacker Test: A site to test and learn about web hacking. [online] Available at: https://www.hackertest.net [Accessed: 31 January 2023].

[4] Kadar, T. (n.d.). Top 10 OSINT (Open Source Intelligence) Software Tools 2023. [online] Available at: https://seon.io/resources/comparisons/osint-software-tools/ [Accessed: 13 March 2023].

[5] haveibeenpwned.com (n.d.). Have I Been Pwned: Check if your email has been compromised in a data breach. [online] Available at: https://haveibeenpwned.com [Accessed: 13 March 2023].

[6] Borges, E. (2021). SecurityTrails | Banner Grabbing: Top Tools and Techniques Explained. [online] securitytrails.com. Available at: https://securitytrails.com/blog/banner-grabbing [Accessed: 13 March 2023].

[7] OWASP (2017). A1:2017-Injection | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A1_2017-Injection [Accessed: 13 March 2023].

[8] SQL-Server-Team (2019). How and Why to Use Parameterized Queries. [online] Available at: https://techcommunity.microsoft.com/t5/sql-server-blog/how-and-why-to-use-parameterized-queries/ba-p/383483 [Accessed: 13 March 2023].

[9] OWASP (n.d.). OWASP Secure Coding Practices-Quick Reference Guide. [online] Available at: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/ [Accessed: 13 March 2023].

[10] www.w3schools.com (n.d.). HTML URL Encoding Reference. [online] Available at: https://www.w3schools.com/tags/ref_urlencode.ASP [Accessed: 13 March 2023].

[11] OWASP (2017). A2:2017-Broken Authentication | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication [Accessed: 13 March 2023].

[12] Mueller, N. (2023). Credential stuffing Software Attack | OWASP Foundation. [online] OWASP. Available at: https://owasp.org/www-community/attacks/Credential_stuffing [Accessed: 13 March 2023].

[13] OWASP (n.d.). Session fixation | OWASP. [online] Available at: https://owasp.org/www-community/attacks/Session_fixation [Accessed: 13 March 2023].

[14] OWASP (2017). A5:2017-Broken Access Control | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control [Accessed: 13 March 2023].

[15] Ma, X., Li, R., Lu, Z., Lu, J. and Dong, M. (2011). Specifying and enforcing the principle of least privilege in role-based access control. Concurrency and Computation: Practice and Experience, 23(12), pp. 1313–1331. doi: https://doi.org/10.1002/cpe.1731.

[16] Fenrich, K. (2008). Securing your control system: the "CIA triad" is a widely used benchmark for evaluating information system security effectiveness. Power Engineering, 112(2), pp. 44–49.

[17] Grc.com (2011). GRC's | Password Haystacks: How Well Hidden is Your Needle? [online] Available at: https://www.grc.com/haystack.htm [Accessed: 6 April 2023].

[18] OWASP (2017). A3:2017-Sensitive Data Exposure | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure [Accessed: 6 April 2023].

[19] Helme, S. (n.d.). Analyse your HTTP response headers. [online] securityheaders.com. Available at: https://securityheaders.com [Accessed: 6 April 2023].

[20] osint.link (2018). Open Source Intelligence (OSINT) Tools & Resources. [online] Available at: https://osint.link [Accessed: 6 April 2023].

[21] Kosutic, D. (n.d.). What is ISO 27001? [online] 27001Academy. Available at: https://advisera.com/27001academy/what-is-iso-27001/ [Accessed: 6 April 2023].

[22] OWASP (2017). A6:2017-Security Misconfiguration | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html [Accessed: 6 April 2023].

[23] OWASP (2017). A7:2017-Cross-Site Scripting (XSS) | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html [Accessed: 6 April 2023].

[24] beefproject.com (n.d.). BeEF - The Browser Exploitation Framework Project. [online] Available at: https://beefproject.com [Accessed: 6 April 2023].

[25] OWASP (2017). A9:2017-Using Components with Known Vulnerabilities | OWASP. [online] Available at: https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities.html [Accessed: 6 April 2023].

[26] Bhatt, S., Manadhata, P.K. and Zomlot, L. (2014). The Operational Role of Security Information and Event Management Systems. IEEE Security & Privacy, 12(5), pp. 35–41. doi: https://doi.org/10.1109/msp.2014.103.

[27] thehacker.recipes (2023). Null-byte injection - The Hacker Recipes. [online] Available at: https://www.thehacker.recipes/web/inputs/null-byte-injection [Accessed: 20 April 2023].

[28] OWASP (n.d.). OWASP SAMM. [online] Available at: https://owasp.org/www-project-samm/.