🐝OWASP Top 10

Learn about and exploit each of the vulnerabilities; the 10 most critical web security risks.

Room Attributes

Value

Subscription Required

False [Free]

Type

Walkthrough

Difficulty

Easy

Task 1 Introduction

This room breaks each category in the OWASP Top 10 (2017) project down and includes details on what the vulnerability is, how it occurs and how you can exploit it. You will put the theory into practise by completing supporting challenges.

Injection
Broken Authentication
Sensitive Data Exposure
XML External Entity
Broken Access Control
Security Misconfiguration
Cross-site Scripting
Insecure Deserialization
Components with Known Vulnerabilities
Insufficent Logging & Monitoring

The room has been designed for beginners and assume no previous knowledge of security.

Read the above.

No answer needed

Task 2 Accessing machines

Connect to our network or deploy the AttackBox.

No answer needed

Task 3 [Severity 1] Injection

I've understood Injection attacks.

No answer needed

Task 4 [Severity 1] OS Command Injection

I've understood command injection.

No answer needed

Task 5 [Severity 1] Command Injection Practical

Task 5 - Command Injection Practical

Task 6 [Severity 2] Broken Authentication

I've understood broken authentication mechanisms.

No answer needed

Task 7 [Severity 2] Broken Authentication Practical

Task 7 - Broken Authentication Practical

Task 8 [Severity 3] Sensitive Data Exposure (Introduction)

Read the introduction to Sensitive Data Exposure and deploy the machine.

No answer needed

Task 9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)

Read and understand the supporting material on SQLite Databases.

No answer needed

Task 10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)

Read the supporting material about cracking hashes.

No answer needed

Task 11 [Severity 3] Sensitive Data Exposure (Challenge)

Task 11 - Sensitive Data Exposure (Challenge)

Task 12 [Severity 4] XML External Entity

Deploy the machine attached to the task.

No answer needed

Task 13 [Severity 4] XML External Entity - eXtensible Markup Language

Task 13 - XML External Entity - eXtensible Markup Language

Task 14 [Severity 4] XML External Entity - DTD

Task 14 - XML External Entity - DTD

Task 15 [Severity 4] XML External Entity - XXE Payload

Try the payload mentioned in description on the website.

No answer needed

Task 16 [Severity 4] XML External Entity - Exploiting

Task 16 - XML External Entity - Exploiting

Task 17 [Severity 5] Broken Access Control

Read and understand how broken access control works.

No answer needed

Task 18 [Severity 5] Broken Access Control (IDOR Challenge)

Task 18 - Broken Access Control (IDOR Challenge)

Task 19 [Severity 6] Security Misconfiguration

Task 19 - Security Misconfiguration

Task 20 [Severity 7] Cross-site Scripting

Task 20 - Cross-site Scripting

Task 21 [Severity 8] Insecure Deserialization

Task 21 - Insecure Deserialization

Task 22 [Severity 8] Insecure Deserialization - Objects

Select the correct term of the following statement "if a dog was sleeping", would this be: A) A State, B) A Behaviour

Reveal Flag 🚩

🚩A Behaviour

Task 23 [Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

Reveal Flag 🚩

🚩Binary

Task 24 [Severity 8] Insecure Deserialization - Cookies

Task 24 - Insecure Deserialization - Cookies

Task 25 [Severity 8] Insecure Deserialization - Cookies Practical

Task 25 - Insecure Deserialization - Cookies Practical

Task 26 [Severity 8] Insecure Deserialization - Code Execution

flag.txt

Reveal Flag 🚩

🚩4a69a7ff9fd68

Task 27 [Severity 9] Components With Known Vulnerabilities - Intro

Read above.

No answer needed

Task 28 [Severity 9] Components With Known Vulnerabilities - Exploit

Read the above!

No answer needed

Task 29 [Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

HINT: You know its a bookstore application, you should check for recent unauthenticated bookstore app rce's.

Reveal Flag 🚩

🚩1611

Task 30 [Severity 10] Insufficient Logging and Monitoring

Task 30 - Insufficient Logging and Monitoring

Task 31 What Next?

Donate to the OWASP Foundation!

Donate to Open Source Security Projects | OWASP Foundationowasp.org

Read the above!

No answer needed

PreviousTask 6 - What is Google Dorking?NextTask 5 - Command Injection Practical

Last updated 3 years ago

hashtagTask 1 Introduction

hashtagRead the above.

hashtagTask 2 Accessing machines

hashtagConnect to our network or deploy the AttackBox.

hashtagTask 3 [Severity 1] Injection

hashtagI've understood Injection attacks.

hashtagTask 4 [Severity 1] OS Command Injection

hashtagI've understood command injection.

hashtagTask 5 [Severity 1] Command Injection Practical

hashtagTask 6 [Severity 2] Broken Authentication

hashtagI've understood broken authentication mechanisms.

hashtagTask 7 [Severity 2] Broken Authentication Practical

hashtagTask 8 [Severity 3] Sensitive Data Exposure (Introduction)

hashtagRead the introduction to Sensitive Data Exposure and deploy the machine.

hashtagTask 9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)

hashtagRead and understand the supporting material on SQLite Databases.

hashtagTask 10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)

hashtagRead the supporting material about cracking hashes.

hashtagTask 11 [Severity 3] Sensitive Data Exposure (Challenge)

hashtagTask 12 [Severity 4] XML External Entity

hashtagDeploy the machine attached to the task.

hashtagTask 13 [Severity 4] XML External Entity - eXtensible Markup Language

hashtagTask 14 [Severity 4] XML External Entity - DTD

hashtagTask 15 [Severity 4] XML External Entity - XXE Payload

hashtagTry the payload mentioned in description on the website.

hashtagTask 16 [Severity 4] XML External Entity - Exploiting

hashtagTask 17 [Severity 5] Broken Access Control

hashtagRead and understand how broken access control works.

hashtagTask 18 [Severity 5] Broken Access Control (IDOR Challenge)

hashtagTask 19 [Severity 6] Security Misconfiguration

hashtagTask 20 [Severity 7] Cross-site Scripting

hashtagTask 21 [Severity 8] Insecure Deserialization

hashtagTask 22 [Severity 8] Insecure Deserialization - Objects

hashtagSelect the correct term of the following statement "if a dog was sleeping", would this be: A) A State, B) A Behaviour

hashtagTask 23 [Severity 8] Insecure Deserialization - Deserialization

hashtagWhat is the name of the base-2 formatting that data is sent across a network as?

hashtagTask 24 [Severity 8] Insecure Deserialization - Cookies

hashtagTask 25 [Severity 8] Insecure Deserialization - Cookies Practical

hashtagTask 26 [Severity 8] Insecure Deserialization - Code Execution

hashtagflag.txt

hashtagTask 27 [Severity 9] Components With Known Vulnerabilities - Intro

hashtagRead above.

hashtagTask 28 [Severity 9] Components With Known Vulnerabilities - Exploit

hashtagRead the above!

hashtagTask 29 [Severity 9] Components With Known Vulnerabilities - Lab

hashtagHow many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

hashtagTask 30 [Severity 10] Insufficient Logging and Monitoring

hashtagTask 31 What Next?

hashtagRead the above!

Task 1 Introduction

Read the above.

Task 2 Accessing machines

Connect to our network or deploy the AttackBox.

Task 3 [Severity 1] Injection

I've understood Injection attacks.

Task 4 [Severity 1] OS Command Injection

I've understood command injection.

Task 5 [Severity 1] Command Injection Practical

Task 6 [Severity 2] Broken Authentication

I've understood broken authentication mechanisms.

Task 7 [Severity 2] Broken Authentication Practical

Task 8 [Severity 3] Sensitive Data Exposure (Introduction)

Read the introduction to Sensitive Data Exposure and deploy the machine.

Task 9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)

Read and understand the supporting material on SQLite Databases.

Task 10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)

Read the supporting material about cracking hashes.

Task 11 [Severity 3] Sensitive Data Exposure (Challenge)

Task 12 [Severity 4] XML External Entity

Deploy the machine attached to the task.

Task 13 [Severity 4] XML External Entity - eXtensible Markup Language

Task 14 [Severity 4] XML External Entity - DTD

Task 15 [Severity 4] XML External Entity - XXE Payload

Try the payload mentioned in description on the website.

Task 16 [Severity 4] XML External Entity - Exploiting

Task 17 [Severity 5] Broken Access Control

Read and understand how broken access control works.

Task 18 [Severity 5] Broken Access Control (IDOR Challenge)

Task 19 [Severity 6] Security Misconfiguration

Task 20 [Severity 7] Cross-site Scripting

Task 21 [Severity 8] Insecure Deserialization

Task 22 [Severity 8] Insecure Deserialization - Objects

Select the correct term of the following statement "if a dog was sleeping", would this be: A) A State, B) A Behaviour

Task 23 [Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

Task 24 [Severity 8] Insecure Deserialization - Cookies

Task 25 [Severity 8] Insecure Deserialization - Cookies Practical

Task 26 [Severity 8] Insecure Deserialization - Code Execution

flag.txt

Task 27 [Severity 9] Components With Known Vulnerabilities - Intro

Read above.

Task 28 [Severity 9] Components With Known Vulnerabilities - Exploit

Read the above!

Task 29 [Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Task 30 [Severity 10] Insufficient Logging and Monitoring

Task 31 What Next?

Read the above!