CS456 Project 1

OWASP Top 10 Vulnerabilities

Overview

1. You will perform experiments on a vulnerable web site to exploit as many of the top 10
vulnerabilities published by OWASP as you can. You need to find only 5 vulnerabilities
to get the full grade for this project.
2. You may perform this project individually or in teams of 2. I highly encourage you to do
this with a teammate.
3. You will be awarded 20 points for each of the vulnerabilities you can exploit. They must
be from the top 10 list. These web sites have many other vulnerabilities that you can
find, but no points will be awarded for exploiting them.
4. The vulnerable web sites have been around for a long time; consequently, there are
hints and solutions published in various places. You MUST NOT reference these hints
and solutions and you must include an “honor pledge” along with your assignment
stating that you found the answers on your own. On the other hand, you CAN look at
the OWASP web page to examine the links for each vulnerability. These links generally
give some good ideas on how to trigger an exploit.
5. As usual, start early!

OWASP Top 10 Vulnerabilities

What is OWASP?

OWASP stands for the Open Web Application Security Project, an online community that
produces articles, methodologies, documentation, tools, and technologies in the field of web
application security.

What is the OWASP Top 10?

The OWASP Top 10 is a list of the 10 most common web application vulnerabilities. It also describes their
risks, impacts, and countermeasures. The list is updated every three to four years; the latest version
was published in 2021, as you will see when you visit the project web page at
https://owasp.org/www-project-top-ten/ . Each vulnerability has a link that gives more
information on what it is and how a potential exploit could be triggered.

Vulnerable web sites

Several organizations publish “vulnerable web sites” on the web for you to
experiment with. Typically, you either download a VM image and run it in VirtualBox, or run the
application in another environment such as Docker.

You may use any or all of these possible web sites. Note: if you have used any of these sites
before, please use a different vulnerable web site that you are unfamiliar with.

1. Damn Vulnerable Web Application (DVWA): http://www.dvwa.co.uk
2. bWAPP buggy web applications: bee-box is the custom VM.
http://www.itsecgames.com/
3. OWASP Juice Shop: http://www.owasp.org/index.php/OWASP_Juice_Shop_Project can
run in Docker and other environments.
4. Other possibilities are “hack this”: https://www.hackthis.co.uk , and Google Gruyere
(a cheesy web site with lots of holes): https://google-gruyere.appspot.com/start .

What to submit to CANVAS and Grading Rubric

20 points for each vulnerability exploited for a possible total of 100 points.

Your submission must contain the following:

• Names of the team members
• An “honor pledge” stating that you did NOT look up hints or answers for these
exercises, or if you did see a hint or a clue or a solution while reading documentation,
include a reference to that clue stating that it was inadvertent.
• Executive Summary: a list of the 5 vulnerabilities stating whether your EXPLOIT
succeeded or if you were not able to trigger an exploit.
• For each successful exploit:
  o A brief summary of what you did
  o Screen shots that give evidence of a successful exploit.