Share
## https://sploitus.com/exploit?id=87801FE3-A28E-54D7-9AF2-D36063AC3C4A
# OWASP Web Application Penetration Testing
> **University of the West of Scotland** | BEng (Hons) Cyber Security | 2024/25
> **Module:** COMP09109 โ Web Application Security Testing
> **Instructor:** Dr. Raman Singh
> **Grades:** Part A โ 45/50 ยท Part B โ 44/50 ยท Combined: 89/100
---
## Overview
This repository documents two penetration testing courseworks covering eight distinct web application attack techniques across three intentionally vulnerable targets. All testing was performed on isolated VirtualBox environments using industry-standard tools.
**Targets:** OWASP Juice Shop ยท OWASP BWA Mutillidae II ยท OWASP Security Shepherd
**Attacker Platform:** Kali Linux (192.168.2.10)
---
## Part B โ Advanced Exploitation (44/50)
| Attack | Target | OWASP Top 10 | Tools |
|--------|--------|--------------|-------|
| [2FA Bypass via SQL Injection](./2FA-Bypass-via-SQL-Injection/) | OWASP Juice Shop | A03: Injection | Burp Suite, SQLi, Google Authenticator |
| [XSS & Session Hijacking](./XSS-and-Session-Hijacking/) | Mutillidae II | A03: XSS | Burp Suite, JavaScript payloads |
| [CSRF Exploitation](./CSRF-Exploitation/) | Security Shepherd | A01: Broken Access Control | Burp Suite, HTML payload crafting |
| [Logging & Monitoring Failures](./Logging-Monitoring-Failures/) | Ubuntu VM | A09: Security Logging Failures | OSSEC HIDS v3.7.0, Apache, Web UI |
## Part A โ Core Vulnerabilities (45/50)
| Attack | Target | OWASP Top 10 | Tools |
|--------|--------|--------------|-------|
| [Broken Access Control](./Broken-Access-Control/) | Mutillidae II | A01: Broken Access Control | Burp Suite, Firefox |
| [Cryptographic Failures](./Cryptographic-Failures/) | Mutillidae II | A02: Cryptographic Failures | Wireshark, HTTP interception |
| [SQL Injection Auth Bypass](./SQL-Injection-Auth-Bypass/) | Mutillidae II | A03: Injection | Burp Suite Repeater, SQLi payloads |
| [Security Misconfiguration](./Security-Misconfiguration/) | Mutillidae II | A05: Security Misconfiguration | Burp Suite Intruder, credential enumeration |
---
## Environment
```
[Kali Linux] 192.168.2.10 โ Attacker (Burp Suite, tools)
[OWASP BWA] 192.168.2.11 โ Mutillidae II target
[OWASP BWA] 192.168.2.12 โ Mutillidae II (Part B)
[Juice Shop] 192.168.2.10:3000 โ Node.js app on Kali
[Sec. Shepherd] 172.20.10.2 โ CSRF challenge platform
```
Network: VirtualBox NAT Network (all VMs isolated)
---
## Tools & Technologies
| Category | Tools |
|----------|-------|
| **Proxy & Interception** | Burp Suite Community Edition v2025.2.4 |
| **Web Targets** | OWASP Juice Shop, Mutillidae II, Security Shepherd |
| **Attack Techniques** | SQLi, Union-Based Injection, XSS (Stored/Reflected), CSRF, 2FA Bypass |
| **Monitoring & Detection** | OSSEC HIDS v3.7.0, Apache2, OSSEC Web UI |
| **Traffic Analysis** | Wireshark, Browser DevTools |
| **Platform** | Kali Linux, VirtualBox, Node.js, PHP/Apache |
---
## OWASP Top 10 Coverage
- **A01** โ Broken Access Control
- **A02** โ Cryptographic Failures
- **A03** โ Injection (SQL Injection, XSS)
- **A05** โ Security Misconfiguration
- **A09** โ Security Logging and Monitoring Failures
---
> All penetration testing was conducted exclusively within authorised VirtualBox lab environments against intentionally vulnerable applications. No real systems or third-party infrastructure were targeted at any point.