Skip to content

SecurityWithAdarsh/OWASP-Top10-Labs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

1 Commit
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ” OWASP Top 10 Labs β€” Hands-On Web Application Security

Practical, hands-on labs for every OWASP Top 10 (2021) vulnerability β€” with exploitation steps, detection logic, and remediation code.

Built by Adarsh Singh | GitHub: @SecurityWithAdarsh


πŸ“Œ What Is This Repo?

This repository contains 10 structured lab modules, one per OWASP Top 10 (2021) vulnerability category. Each lab includes:

  • πŸ“– Concept β€” What the vulnerability is and why it exists
  • πŸ§ͺ Lab Setup β€” Environment, prerequisites, target application
  • βš”οΈ Attack Walkthrough β€” Step-by-step exploitation with commands
  • πŸ” Detection β€” Log patterns, Burp Suite tips, SIEM queries
  • πŸ›‘οΈ Remediation β€” Secure code snippets and hardening guidance
  • πŸ—ΊοΈ MITRE ATT&CK Mapping β€” Mapped to relevant techniques

All labs use legal, intentionally vulnerable applications (DVWA, OWASP WebGoat, OWASP Juice Shop, HackTheBox).


πŸ—‚οΈ Repository Structure

OWASP-Top10-Labs/
β”œβ”€β”€ labs/
β”‚   β”œβ”€β”€ A01-Broken-Access-Control/
β”‚   β”œβ”€β”€ A02-Cryptographic-Failures/
β”‚   β”œβ”€β”€ A03-Injection/
β”‚   β”œβ”€β”€ A04-Insecure-Design/
β”‚   β”œβ”€β”€ A05-Security-Misconfiguration/
β”‚   β”œβ”€β”€ A06-Vulnerable-Components/
β”‚   β”œβ”€β”€ A07-Identification-Authentication-Failures/
β”‚   β”œβ”€β”€ A08-Software-Data-Integrity-Failures/
β”‚   β”œβ”€β”€ A09-Security-Logging-Monitoring-Failures/
β”‚   └── A10-SSRF/
β”œβ”€β”€ dvwa-labs/              # DVWA-specific walkthroughs
β”œβ”€β”€ tools/                  # Helper scripts (Python, Bash)
β”œβ”€β”€ checklists/             # Quick pentest checklists per category
β”œβ”€β”€ reports/                # Sample pentest report templates
└── README.md

πŸ“‹ Lab Index

# OWASP ID Vulnerability Platform Difficulty Status
1 A01:2021 Broken Access Control DVWA + WebGoat 🟒 Beginner βœ… Complete
2 A02:2021 Cryptographic Failures DVWA + Custom 🟑 Intermediate βœ… Complete
3 A03:2021 Injection (SQLi + XSS + CMDi) DVWA + SQLMap 🟒 Beginner βœ… Complete
4 A04:2021 Insecure Design Juice Shop 🟑 Intermediate βœ… Complete
5 A05:2021 Security Misconfiguration Custom + Nikto 🟒 Beginner βœ… Complete
6 A06:2021 Vulnerable & Outdated Components Custom + CVE 🟑 Intermediate βœ… Complete
7 A07:2021 Identification & Auth Failures DVWA + Burp 🟒 Beginner βœ… Complete
8 A08:2021 Software & Data Integrity Failures Custom + JWT πŸ”΄ Advanced βœ… Complete
9 A09:2021 Security Logging & Monitoring Failures Splunk + DVWA 🟑 Intermediate βœ… Complete
10 A10:2021 Server-Side Request Forgery (SSRF) WebGoat + Custom πŸ”΄ Advanced βœ… Complete

πŸ› οΈ Lab Environment Setup

Option 1: DVWA (Recommended for A01, A02, A03, A07)

# Using Docker (easiest)
docker pull vulnerables/web-dvwa
docker run -d -p 80:80 vulnerables/web-dvwa

# Access at http://localhost/
# Default credentials: admin / password
# Set Security Level: Low (start), Medium, High as you progress

Option 2: OWASP Juice Shop (A04, A05)

docker pull bkimminich/juice-shop
docker run -d -p 3000:3000 bkimminich/juice-shop
# Access at http://localhost:3000

Option 3: OWASP WebGoat (A01, A08, A10)

docker pull webgoat/webgoat
docker run -d -p 8080:8080 -p 9090:9090 webgoat/webgoat
# Access at http://localhost:8080/WebGoat

Required Tools

# Burp Suite Community Edition
https://portswigger.net/burp/communitydownload

# SQLMap
pip install sqlmap
# or: sudo apt install sqlmap

# FFUF (Fuzzer)
go install github.com/ffuf/ffuf/v2@latest
# or: sudo apt install ffuf

# Nikto
sudo apt install nikto

# Python 3 (for helper scripts)
sudo apt install python3 python3-pip

🎯 How to Use These Labs

  1. Start with A03 (Injection) β€” Most visible, builds confidence
  2. Follow the order A01 β†’ A10 for structured learning
  3. Each lab has Low / Medium / High difficulty progressions (DVWA security levels)
  4. Complete the detection section β€” This is what makes you stand out in SOC/AppSec interviews
  5. Read the remediation code β€” Understand what secure looks like

🧰 Tools Used Across Labs

Tool Purpose Labs
Burp Suite Community HTTP interception, fuzzing, repeater A01, A02, A07, A08, A10
SQLMap Automated SQL injection A03
FFUF Directory/path fuzzing A01, A05
Nikto Web server misconfiguration scan A05
jwt.io JWT token analysis A08
CyberChef Decoding, hashing, crypto analysis A02
Python (requests) Custom exploit scripts A03, A10
Splunk (free tier) Log analysis & detection A09

πŸ—ΊοΈ MITRE ATT&CK for Web β€” Coverage Map

OWASP ID ATT&CK Technique Tactic
A01 T1548 β€” Abuse Elevation Control Mechanism Privilege Escalation
A02 T1552 β€” Unsecured Credentials Credential Access
A03 T1190 β€” Exploit Public-Facing Application Initial Access
A04 T1068 β€” Exploitation for Privilege Escalation Privilege Escalation
A05 T1592 β€” Gather Victim Host Information Reconnaissance
A06 T1190 β€” Exploit Public-Facing Application Initial Access
A07 T1110 β€” Brute Force Credential Access
A08 T1195 β€” Supply Chain Compromise Initial Access
A09 T1562 β€” Impair Defenses Defense Evasion
A10 T1090 β€” Proxy Command & Control

πŸ“ Sample Report Template

A professional pentest report template (based on real-world format) is in /reports/OWASP-Pentest-Report-Template.md.


πŸ“š Learning Path

Beginner Path:
A03 (SQLi) β†’ A07 (Auth) β†’ A01 (Access Control) β†’ A05 (Misconfig)

Intermediate Path:
A02 (Crypto) β†’ A04 (Design) β†’ A06 (Components) β†’ A09 (Logging)

Advanced Path:
A08 (Integrity / JWT) β†’ A10 (SSRF)

πŸ”— Related Resources


πŸ‘€ About the Author

Adarsh Singh β€” DevSecOps Engineer | AppSec | OT/ICS Security

  • πŸ”— LinkedIn
  • πŸ™ GitHub
  • 🎯 TryHackMe: Top 5% Global
  • πŸ“§ Open to SOC Analyst, Penetration Testing, and AppSec opportunities

⚠️ Legal Disclaimer

All labs in this repository use intentionally vulnerable, legal practice platforms (DVWA, WebGoat, Juice Shop, HackTheBox). Never perform these techniques on systems you do not own or have explicit written permission to test. Unauthorized testing is illegal.


⭐ Star this repo if it helped you β€” and connect on LinkedIn!

About

Hands-on OWASP Top 10 (2021) labs with vulnerable applications, exploitation techniques, remediation guidance, tools, and practical reports for web application security learning.

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages