Over the past few weeks, I have learnt more about web application vulnerabilities, how they can be exploited, and how they can be mitigated.
In this project, we delved into web application vulnerabilities. We learnt about how they work, how they can be exploited, and how they can be defended against.
We were tasked to do the following:
Over the November-December holiday, we had to self-learn and read up on SQL, HTML and JS. In addition, we had to read Chapters 0-3 of the OWASP Testing Guide 4.0 to learn more about web security.
During our attachment, we began by researching each entry in the OWASP Top 10 list and taking note of the details. Then, to better understand how each vulnerability can be exploited, we attempted the exercises on WebGoat. When we could not solve an exercise, we searched online for the answers (GitHub) and tried to understand why they worked. Some of the exercises were more challenging, so we sought help from our mentors. After getting a sense of the difficulty of each vulnerability and meeting with our mentors, we decided to research vulnerabilities that were less technical, and compiled our findings in the form of a presentation and a report. I decided to research Broken Access Control (BAC), fifth in the 2017 OWASP Top 10.
The final deliverables were as follows:
Due to time constraints, we could not present all of our findings in the aforementioned presentation. Hence, we consolidated them into a report. In addition, we noted down our daily tasks in our daily logs, and reflected on the whole attachment experience in the final reflection log.
Through this attachment, we realised that it is very important to appreciate the value of learning and to enjoy the process. As people who love learning new things, it was really fulfilling to learn about web application vulnerabilities, something which we knew little about beforehand. Although there were some difficulties in understanding the concepts that were harder to grasp, when we eventually managed to understand them, the sense of achievement was something which we really treasure. There were also times when we felt like giving up from having to look up all the technical terms and do further research on them, but it was really our desire to learn that kept us going. In summary, we really enjoyed our attachment at DSTA, and would strongly recommend it to juniors who love learning new things!
The OWASP Foundation. (n.d.). OWASP Top Ten. Retrieved January 27, 2020, from https://owasp.org/www-project-top-ten/
The OWASP Foundation. (n.d.). OWASP Testing Guide 4.0 [PDF file]. Retrieved from https://www.owasp.org/images/1/19/OTGv4.pdf
Abela, R. (2017, December 18). OWASP Top 10 for 2017. Retrieved January 16, 2020, from https://www.netsparker.com/blog/web-security/owasp-top-10/
2017 OWASP A5 Update: Broken Access Control. (2018, April 5). Retrieved January 16, 2020, from https://resources.infosecinstitute.com/2017-owasp-a5-update-broken-access-control/#gref
API Endpoints - What Are They? Why Do They Matter? (n.d.). Retrieved January 17, 2020, from https://smartbear.com/learn/performance-monitoring/api-endpoints/
Williams, J., & Security, A. (n.d.). Access Control In Your J2EE Application. Retrieved January 18, 2020, from https://wiki.owasp.org/index.php/Access_Control_In_Your_J2EE_Application
OWASP TOP 10: Broken Access Control. (2018, April 27). Retrieved January 16, 2020, from https://blog.detectify.com/2018/04/10/owasp-top-10-broken-access-control/