Share
## https://sploitus.com/exploit?id=87801FE3-A28E-54D7-9AF2-D36063AC3C4A
# OWASP Web Application Penetration Testing

> **University of the West of Scotland** | BEng (Hons) Cyber Security | 2024/25  
> **Module:** COMP09109 โ€” Web Application Security Testing  
> **Instructor:** Dr. Raman Singh  
> **Grades:** Part A โ€” 45/50 ยท Part B โ€” 44/50 ยท Combined: 89/100

---

## Overview

This repository documents two penetration testing courseworks covering eight distinct web application attack techniques across three intentionally vulnerable targets. All testing was performed on isolated VirtualBox environments using industry-standard tools.

**Targets:** OWASP Juice Shop ยท OWASP BWA Mutillidae II ยท OWASP Security Shepherd  
**Attacker Platform:** Kali Linux (192.168.2.10)

---

## Part B โ€” Advanced Exploitation (44/50)

| Attack | Target | OWASP Top 10 | Tools |
|--------|--------|--------------|-------|
| [2FA Bypass via SQL Injection](./2FA-Bypass-via-SQL-Injection/) | OWASP Juice Shop | A03: Injection | Burp Suite, SQLi, Google Authenticator |
| [XSS & Session Hijacking](./XSS-and-Session-Hijacking/) | Mutillidae II | A03: XSS | Burp Suite, JavaScript payloads |
| [CSRF Exploitation](./CSRF-Exploitation/) | Security Shepherd | A01: Broken Access Control | Burp Suite, HTML payload crafting |
| [Logging & Monitoring Failures](./Logging-Monitoring-Failures/) | Ubuntu VM | A09: Security Logging Failures | OSSEC HIDS v3.7.0, Apache, Web UI |

## Part A โ€” Core Vulnerabilities (45/50)

| Attack | Target | OWASP Top 10 | Tools |
|--------|--------|--------------|-------|
| [Broken Access Control](./Broken-Access-Control/) | Mutillidae II | A01: Broken Access Control | Burp Suite, Firefox |
| [Cryptographic Failures](./Cryptographic-Failures/) | Mutillidae II | A02: Cryptographic Failures | Wireshark, HTTP interception |
| [SQL Injection Auth Bypass](./SQL-Injection-Auth-Bypass/) | Mutillidae II | A03: Injection | Burp Suite Repeater, SQLi payloads |
| [Security Misconfiguration](./Security-Misconfiguration/) | Mutillidae II | A05: Security Misconfiguration | Burp Suite Intruder, credential enumeration |

---

## Environment

```
[Kali Linux]     192.168.2.10  โ€” Attacker (Burp Suite, tools)
[OWASP BWA]      192.168.2.11  โ€” Mutillidae II target
[OWASP BWA]      192.168.2.12  โ€” Mutillidae II (Part B)
[Juice Shop]     192.168.2.10:3000 โ€” Node.js app on Kali
[Sec. Shepherd]  172.20.10.2   โ€” CSRF challenge platform
```

Network: VirtualBox NAT Network (all VMs isolated)

---

## Tools & Technologies

| Category | Tools |
|----------|-------|
| **Proxy & Interception** | Burp Suite Community Edition v2025.2.4 |
| **Web Targets** | OWASP Juice Shop, Mutillidae II, Security Shepherd |
| **Attack Techniques** | SQLi, Union-Based Injection, XSS (Stored/Reflected), CSRF, 2FA Bypass |
| **Monitoring & Detection** | OSSEC HIDS v3.7.0, Apache2, OSSEC Web UI |
| **Traffic Analysis** | Wireshark, Browser DevTools |
| **Platform** | Kali Linux, VirtualBox, Node.js, PHP/Apache |

---

## OWASP Top 10 Coverage

- **A01** โ€” Broken Access Control
- **A02** โ€” Cryptographic Failures
- **A03** โ€” Injection (SQL Injection, XSS)
- **A05** โ€” Security Misconfiguration
- **A09** โ€” Security Logging and Monitoring Failures

---

> All penetration testing was conducted exclusively within authorised VirtualBox lab environments against intentionally vulnerable applications. No real systems or third-party infrastructure were targeted at any point.