Assignment Sample on Web Application and Security

Logbook for weekly assignments

Week Assessment Reflection
Week 3

To find the scoreboard, the first step is to search every file for the keyword 'score'. It can be found in the 'main.js' file, in the route definition {path: 'score-board', component: Wt}. Once the path to the scoreboard is known, the URL parameters must be used correctly to reach the hidden scoreboard in OWASP Juice Shop (owasp.org, 2020). The basic URL used to open the hidden scoreboard is: http://localhost/#/score-board

The image tag that retrieves the photo of Bjoern's cat in melee combat mode is:

<img _ngcontent-akt-c18="" class="image">


I have learnt to get into the website with the use of primary codes and to find the scoreboard on the website. I have learnt about the major use of URLs for finding the hidden scoreboard and retrieving a photo of Bjoern's cat in "melee combat mode".

Week 4

The website of OWASP contains confidential data and information regarding potential hostile takeovers. This confidential information can be obtained by finding the endpoint that provides usage data to be scraped by monitoring systems (Pwning, 2021). The application programming interface (API) endpoint can be accessed because a special feature is enabled that allows cross-domain access. Logging in as admin can be done by looking at the SQL query used for login. The major skills I have enhanced while learning this study are getting access to confidential documents and logging in with the administrator's user account.
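To show why looking at the login SQL query matters, here is an added example (not Juice Shop's own code; the table, accounts and hashing are constructed for the demo). It builds the login query by string formatting beside a parameterised version and shows that an ordinary address containing a quote already corrupts the query text in the first form, while the second binds the input as data:

```python
import hashlib
import sqlite3
from typing import Optional, Tuple


def _hash(password: str) -> str:
    """Constructed hashing for the demo; real code needs a slow, salted password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table (not the real Juice Shop schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    accounts = [("admin@example.com", "admin-pass", "admin"),
                ("o'brien@example.com", "user-pass", "customer")]
    for email, pw, role in accounts:
        conn.execute("INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
                     (email, _hash(pw), role))
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> Optional[Tuple[str, str]]:
    """Query built by string formatting: the user's input becomes part of the SQL text."""
    sql = (f"SELECT email, role FROM Users WHERE email = '{email}' "
           f"AND password = '{_hash(password)}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: the input is bound as data and cannot change the query structure."""
    sql = "SELECT email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, _hash(password))).fetchone()


def quote_breaks_vulnerable_query(conn: sqlite3.Connection) -> bool:
    """A legitimate address with an apostrophe is enough to corrupt the concatenated
    query, so SQLite rejects it. That loss of control over the SQL text is the
    root cause of injection; the parameterised version handles the same input fine."""
    try:
        login_vulnerable(conn, "o'brien@example.com", "user-pass")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe login as o'brien:", login_safe(db, "o'brien@example.com", "user-pass"))
    print("concatenated query rejected by SQLite:", quote_breaks_vulnerable_query(db))
```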

 

Week 5

Control over another person's shopping basket can be gained by following the steps for sending information to the server. After logging in to the website and firing up Burp, click the "view basket" link (curiositykillscolby.com, 2021). FoxyProxy needs to be set up, and then wait for a JavaScript Object Notation (JSON) object. Access to the admin section can be gained using the route definition:

{path: 'administration', component: U, canActivate: [Hi]}

After conducting the week five study, I have learnt the method of viewing the shopping baskets of other users. I have also learnt a major technique for gaining access to the administration section of the store.

Week 6

Logging in as Amy can be done in OWASP Juice Shop by inventing a personal kind of padding_pgucy. Padding can be attached in front of the phrase used to log in as Amy, and users can even put some characters at the beginning or end of the padding (curiositykillscolby.com, 2021). Exposed metrics can easily be found by users with the help of the specific endpoints used by monitoring systems. Burp and FoxyProxy are the major tools used to get into Amy's account. MS Safesearch can be used to determine Amy's password and get into the account. I have learnt to use major software such as FoxyProxy and Burp that can be used to get access to another user's personal account. I can invent my own personal padding, which will be used for the purpose of finding endpoints on servers. I can now log in with Amy's original user credentials with the help of beneficial software like FoxyProxy.

 

Week 8

Error handling on the OWASP website is done by a technology stack with two components, Tomcat and Struts2. Exceptions are rendered to the user as an HTTP status 500 response for the input string. The message given for the input string is 'null', with a description stating that an internal error was encountered on the server (aihalapathirana.medium.com, 2020). The privacy policy of the OWASP website is that they collect little personal information about users and do not sell or rent data to any third parties. I have learnt the privacy policy of the OWASP website and its major strategies to secure user data. The website places high value on users' data and information, and none of the data is shared with any third parties. I have learnt error handling techniques using versions like Struts2 and Tomcat.

 

Week 9

A DOM-based XSS attack can be conducted by invoking a URL at the page such as:

http://www.some.site/page.html?default=French

It is found that a PDF document served to the browser, once rendered by the Acrobat plugin, might end up executing the fragment part as JavaScript. The bonus payload can be used by performing the DOM XSS attack challenge. The payload is copied and then pasted into some vulnerable field (medium.com, 2020). Turning up the volume of the computer is necessary before submitting the payload.

After completing this week's study, I have learnt the use of the bonus payload in the DOM XSS challenge. The major finding from the study is a method that can be used to reduce the primary vulnerability related to the challenge.

Week 10

The functionality of the Security Knowledge Framework Chatbot (SKF Bot) can be extended by improving the creation of a desktop version. A better experience can be provided to users by adding a basic conversation flow, for example by giving replies to general queries about name or age (owasp.org, 2019). Testing of the bot can easily be done by using @skfchatbot in the community on Gitter. The capability of the SKF bot can be extended by replying to basic security control requirements from MASVS and ASVS. I have learnt the technique of finding the chatbot and the method of asking it to provide a discount. Another learning from the study is to apply bot testing methods with the use of basic tags in the community. I can abuse the chatbot in future using the major learnings from the study.

 

Week 11

After opening the easter egg file, there is an obvious base64 string to decode, which can easily be spotted since it ends with "=" padding. Tools like Burp can be used to find hidden easter eggs on the OWASP website (owasp.org, 2020). The learning I have received from this week's study is how to get access to hidden easter eggs with the implementation of authentic tools. Another technique learnt is to apply advanced cryptanalysis in order to find the "Real Easter Egg".
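As an added example (not from the page or from Juice Shop; the file content below is constructed and the path is a placeholder), this scanner does what the text describes by hand: it picks out base64-looking tokens, applies the padding and length rules to validate them, and decodes only those that yield printable text, so hex-like noise is skipped:

```python
import base64
import re
from typing import List, Optional, Tuple

# Candidate tokens: base64 alphabet, at least 16 characters, optional '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_base64(token: str) -> Optional[str]:
    """Return the decoded text if token is well-formed base64 that decodes to printable text."""
    if len(token) % 4 != 0:  # padded base64 is always a multiple of 4 characters
        return None
    try:
        raw = base64.b64decode(token, validate=True)  # rejects characters outside the alphabet
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def find_base64_strings(content: str) -> List[Tuple[str, str]]:
    """Scan file content and return (token, decoded_text) for each valid base64 token."""
    hits = []
    for match in B64_TOKEN.finditer(content):
        decoded = decode_if_base64(match.group(0))
        if decoded is not None:
            hits.append((match.group(0), decoded))
    return hits


# Constructed sample file: one base64 line hidden among ordinary text and hex-like noise.
_ENCODED = base64.b64encode(b"constructed sample message, not the real egg").decode()
SAMPLE_FILE = f"""# notes on the easter egg file
path: <placeholder for the easter egg file path>
{_ENCODED}
hash-like noise: 3f1a9c0d2b7e4f6a8c1
"""

if __name__ == "__main__":
    for token, text in find_base64_strings(SAMPLE_FILE):
        print(f"{token} -> {text}")
```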

Table 1: Log Book

(Source: Created by Researcher)

References

aihalapathirana.medium.com, 2020, OWASP Juice Shop — Access ‘Scoreboard’ and ‘Admin section’. Available at: https://aihalapathirana.medium.com/owasp-juice-shop-access-scoreboard-and-admin-section-40590a8ae455 [Accessed on: 21st March, 2021]

bkimminich.gitbooks.io, 2021, Challenge solutions. Available at: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html [Accessed on: 21st March, 2021]

curiositykillscolby.com, 2021, Hacking OWASP’s Juice Shop Pt. 25: Login Amy. Available at: https://curiositykillscolby.com/2020/11/21/pwning-owasps-juice-shop-pt-25-login-amy/ [Accessed on: 21st March, 2021]

medium.com, 2020, OWASP Juice Shop — Login Admin Challenge Solution. Available at: https://medium.com/swlh/owasp-juice-shop-login-admin-challenge-solution-3f18c604f537 [Accessed on: 21st March, 2021]

owasp.org, 2019, GSoC2019 Ideas. Available at: https://owasp.org/www-community/initiatives/gsoc/gsoc2019ideas [Accessed on: 21st March, 2021]

owasp.org, 2020, Privacy Policy. Available at: https://owasp.org/www-policy/operational/privacy#:~:text=We%20keep%20IP%20addresses%20confidential,of%20usage%20in%20certain%20areas. [Accessed on: 21st March, 2021]

Pwning, 2021, Cross Site Scripting. Available at: https://pwning.owasp-juice.shop/part2/xss.html [Accessed on: 21st March, 2021]
