CodeEvent/OWASP-Pentest-Suite

OWASP Web Application Penetration Testing

University of the West of Scotland | BEng (Hons) Cyber Security | 2024/25
Module: COMP09109 — Web Application Security Testing
Instructor: Dr. Raman Singh
Grades: Part A — 45/50 · Part B — 44/50 · Combined: 89/100


Overview

This repository documents two penetration testing courseworks covering eight distinct web application attack techniques across three intentionally vulnerable targets. All testing was performed on isolated VirtualBox environments using industry-standard tools.

Targets: OWASP Juice Shop · OWASP BWA Mutillidae II · OWASP Security Shepherd
Attacker Platform: Kali Linux (192.168.2.10)


Part B — Advanced Exploitation (44/50)

| Attack | Target | OWASP Top 10 | Tools |
|---|---|---|---|
| 2FA Bypass via SQL Injection | OWASP Juice Shop | A03: Injection | Burp Suite, SQLi, Google Authenticator |
| XSS & Session Hijacking | Mutillidae II | A03: XSS | Burp Suite, JavaScript payloads |
| CSRF Exploitation | Security Shepherd | A01: Broken Access Control | Burp Suite, HTML payload crafting |
| Logging & Monitoring Failures | Ubuntu VM | A09: Security Logging Failures | OSSEC HIDS v3.7.0, Apache, Web UI |

Part A — Core Vulnerabilities (45/50)

| Attack | Target | OWASP Top 10 | Tools |
|---|---|---|---|
| Broken Access Control | Mutillidae II | A01: Broken Access Control | Burp Suite, Firefox |
| Cryptographic Failures | Mutillidae II | A02: Cryptographic Failures | Wireshark, HTTP interception |
| SQL Injection Auth Bypass | Mutillidae II | A03: Injection | Burp Suite Repeater, SQLi payloads |
| Security Misconfiguration | Mutillidae II | A05: Security Misconfiguration | Burp Suite Intruder, credential enumeration |

Environment

[Kali Linux]     192.168.2.10  — Attacker (Burp Suite, tools)
[OWASP BWA]      192.168.2.11  — Mutillidae II target
[OWASP BWA]      192.168.2.12  — Mutillidae II (Part B)
[Juice Shop]     192.168.2.10:3000 — Node.js app on Kali
[Sec. Shepherd]  172.20.10.2   — CSRF challenge platform

Network: VirtualBox NAT Network (all VMs isolated)


Tools & Technologies

| Category | Tools |
|---|---|
| Proxy & Interception | Burp Suite Community Edition v2025.2.4 |
| Web Targets | OWASP Juice Shop, Mutillidae II, Security Shepherd |
| Attack Techniques | SQLi, Union-Based Injection, XSS (Stored/Reflected), CSRF, 2FA Bypass |
| Monitoring & Detection | OSSEC HIDS v3.7.0, Apache2, OSSEC Web UI |
| Traffic Analysis | Wireshark, Browser DevTools |
| Platform | Kali Linux, VirtualBox, Node.js, PHP/Apache |

OWASP Top 10 Coverage

  • A01 — Broken Access Control
  • A02 — Cryptographic Failures
  • A03 — Injection (SQL Injection, XSS)
  • A05 — Security Misconfiguration
  • A09 — Security Logging and Monitoring Failures

All penetration testing was conducted exclusively within authorised VirtualBox lab environments against intentionally vulnerable applications. No real systems or third-party infrastructure were targeted at any point.

About

Web application penetration testing — SQLi, XSS, CSRF, 2FA bypass, OSSEC. COMP09109 UWS. Grades: 45/50 + 44/50.
