Web 102

Date: 2021-12-01

Difficulty: Advanced

Delivered By: Jack Roberts and Joshua Wardle

Overview

Back in Web 101, we looked at basic web security concepts including the use of JavaScript, Inspect Element and attacks such as insecure session management. As our use of the web continues to grow, the variety of attacks that sites are vulnerable to has also grown.

The Open Web Application Security Project - or OWASP for short - started in 2001. It produces resources in the field of web security, such as guides and methodologies for developers to follow. In 2003, it published the first "OWASP Top Ten", a ranking of (and remediation guidance for) the top 10 most critical web application security risks, as judged by security experts. Since then, there have been six "Top Ten" lists, the most recent of which was released in draft form in August 2021.


In this session, we'll explore more complicated web security issues by looking at the OWASP Top Ten from 2013, 2017 and 2021. In particular, we'll look at attacks such as:

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Injection (SQL injection, OS command injection, et al.)
  • Broken Authentication and Session Management
  • Information Disclosure
  • Open Redirects
  • Clickjacking

We'll also explore newer attacks that have only recently become widespread, such as Server-Side Request Forgery (SSRF).

Once we've explored these attacks, you'll have the opportunity to practice them by taking on the OWASP Juice Shop! This CTF has over 100 challenges you can tackle, although we'll signpost you towards a select few of them - or, you can look for challenges in the "Pwning OWASP Juice Shop" book and tackle those you fancy attempting.

For those who require extra assistance, you can tackle the 10 tutorial challenges as listed here, which have built-in guides available to you as part of Juice Shop.

We would encourage people to work in groups on this challenge, as it is more difficult than previous sessions. Regardless of your skill level, you should turn up to this session if you can - you'll learn a lot, whether or not you are able to pull off the attacks we discuss on Juice Shop.

Prerequisites

From Web 101, you will need to remember:

  • HTTP and HTTPS
  • HTML
  • JavaScript, PHP and the difference between client-side and server-side
  • Use of Inspect Element and Burp
  • Encoding and Decoding with Base64

This is our first advanced difficulty session of the year. It will require knowledge of a few areas that we will not have time to cover, such as SQL.

Session Link

You can attempt Web 102 by navigating to https://web102.sucss.org! Please note this will not remain online indefinitely, as it is running on a cloud platform.

The Pwning OWASP Juice Shop book can be found here.