Practical, hands-on labs for every OWASP Top 10 (2021) vulnerability β with exploitation steps, detection logic, and remediation code.
Built by Adarsh Singh | GitHub: @SecurityWithAdarsh
This repository contains 10 structured lab modules, one per OWASP Top 10 (2021) vulnerability category. Each lab includes:
- π Concept β What the vulnerability is and why it exists
- π§ͺ Lab Setup β Environment, prerequisites, target application
- βοΈ Attack Walkthrough β Step-by-step exploitation with commands
- π Detection β Log patterns, Burp Suite tips, SIEM queries
- π‘οΈ Remediation β Secure code snippets and hardening guidance
- πΊοΈ MITRE ATT&CK Mapping β Mapped to relevant techniques
All labs use legal, intentionally vulnerable applications (DVWA, OWASP WebGoat, OWASP Juice Shop, HackTheBox).
OWASP-Top10-Labs/
βββ labs/
β βββ A01-Broken-Access-Control/
β βββ A02-Cryptographic-Failures/
β βββ A03-Injection/
β βββ A04-Insecure-Design/
β βββ A05-Security-Misconfiguration/
β βββ A06-Vulnerable-Components/
β βββ A07-Identification-Authentication-Failures/
β βββ A08-Software-Data-Integrity-Failures/
β βββ A09-Security-Logging-Monitoring-Failures/
β βββ A10-SSRF/
βββ dvwa-labs/ # DVWA-specific walkthroughs
βββ tools/ # Helper scripts (Python, Bash)
βββ checklists/ # Quick pentest checklists per category
βββ reports/ # Sample pentest report templates
βββ README.md
| # | OWASP ID | Vulnerability | Platform | Difficulty | Status |
|---|---|---|---|---|---|
| 1 | A01:2021 | Broken Access Control | DVWA + WebGoat | π’ Beginner | β Complete |
| 2 | A02:2021 | Cryptographic Failures | DVWA + Custom | π‘ Intermediate | β Complete |
| 3 | A03:2021 | Injection (SQLi + XSS + CMDi) | DVWA + SQLMap | π’ Beginner | β Complete |
| 4 | A04:2021 | Insecure Design | Juice Shop | π‘ Intermediate | β Complete |
| 5 | A05:2021 | Security Misconfiguration | Custom + Nikto | π’ Beginner | β Complete |
| 6 | A06:2021 | Vulnerable & Outdated Components | Custom + CVE | π‘ Intermediate | β Complete |
| 7 | A07:2021 | Identification & Auth Failures | DVWA + Burp | π’ Beginner | β Complete |
| 8 | A08:2021 | Software & Data Integrity Failures | Custom + JWT | π΄ Advanced | β Complete |
| 9 | A09:2021 | Security Logging & Monitoring Failures | Splunk + DVWA | π‘ Intermediate | β Complete |
| 10 | A10:2021 | Server-Side Request Forgery (SSRF) | WebGoat + Custom | π΄ Advanced | β Complete |
# Using Docker (easiest)
docker pull vulnerables/web-dvwa
docker run -d -p 80:80 vulnerables/web-dvwa
# Access at http://localhost/
# Default credentials: admin / password
# Set Security Level: Low (start), Medium, High as you progressdocker pull bkimminich/juice-shop
docker run -d -p 3000:3000 bkimminich/juice-shop
# Access at http://localhost:3000docker pull webgoat/webgoat
docker run -d -p 8080:8080 -p 9090:9090 webgoat/webgoat
# Access at http://localhost:8080/WebGoat# Burp Suite Community Edition
https://portswigger.net/burp/communitydownload
# SQLMap
pip install sqlmap
# or: sudo apt install sqlmap
# FFUF (Fuzzer)
go install github.com/ffuf/ffuf/v2@latest
# or: sudo apt install ffuf
# Nikto
sudo apt install nikto
# Python 3 (for helper scripts)
sudo apt install python3 python3-pip- Start with A03 (Injection) β Most visible, builds confidence
- Follow the order A01 β A10 for structured learning
- Each lab has Low / Medium / High difficulty progressions (DVWA security levels)
- Complete the detection section β This is what makes you stand out in SOC/AppSec interviews
- Read the remediation code β Understand what secure looks like
| Tool | Purpose | Labs |
|---|---|---|
| Burp Suite Community | HTTP interception, fuzzing, repeater | A01, A02, A07, A08, A10 |
| SQLMap | Automated SQL injection | A03 |
| FFUF | Directory/path fuzzing | A01, A05 |
| Nikto | Web server misconfiguration scan | A05 |
| jwt.io | JWT token analysis | A08 |
| CyberChef | Decoding, hashing, crypto analysis | A02 |
| Python (requests) | Custom exploit scripts | A03, A10 |
| Splunk (free tier) | Log analysis & detection | A09 |
| OWASP ID | ATT&CK Technique | Tactic |
|---|---|---|
| A01 | T1548 β Abuse Elevation Control Mechanism | Privilege Escalation |
| A02 | T1552 β Unsecured Credentials | Credential Access |
| A03 | T1190 β Exploit Public-Facing Application | Initial Access |
| A04 | T1068 β Exploitation for Privilege Escalation | Privilege Escalation |
| A05 | T1592 β Gather Victim Host Information | Reconnaissance |
| A06 | T1190 β Exploit Public-Facing Application | Initial Access |
| A07 | T1110 β Brute Force | Credential Access |
| A08 | T1195 β Supply Chain Compromise | Initial Access |
| A09 | T1562 β Impair Defenses | Defense Evasion |
| A10 | T1090 β Proxy | Command & Control |
A professional pentest report template (based on real-world format) is in /reports/OWASP-Pentest-Report-Template.md.
Beginner Path:
A03 (SQLi) β A07 (Auth) β A01 (Access Control) β A05 (Misconfig)
Intermediate Path:
A02 (Crypto) β A04 (Design) β A06 (Components) β A09 (Logging)
Advanced Path:
A08 (Integrity / JWT) β A10 (SSRF)
- OWASP Top 10 Official (2021)
- DVWA GitHub
- PortSwigger Web Security Academy
- TryHackMe β OWASP Top 10 Room
- HackTheBox β Web Challenges
Adarsh Singh β DevSecOps Engineer | AppSec | OT/ICS Security
- π LinkedIn
- π GitHub
- π― TryHackMe: Top 5% Global
- π§ Open to SOC Analyst, Penetration Testing, and AppSec opportunities
All labs in this repository use intentionally vulnerable, legal practice platforms (DVWA, WebGoat, Juice Shop, HackTheBox). Never perform these techniques on systems you do not own or have explicit written permission to test. Unauthorized testing is illegal.
β Star this repo if it helped you β and connect on LinkedIn!