[[missing text]]

VIRTUAL LABORATORY

Security in web applications and operating systems

The goal of this lab exercise is to study some of the main vulnerabilities (hidden field validation, weak session identification) in web applications, study some basic methods of carrying out attacks, and understand the origin of these vulnerabilities and how to avoid them.

What you will learn in this exercise

The exercise is implemented using the WebGoat application environment, developed by OWASP (the Open Web Application Security Project) and written in Java. It is a training application that intentionally contains vulnerabilities of various kinds.

The second application you will use in the task is ZAP (Zed Attack Proxy) from Checkmarx. It is an intercepting proxy that sits as an intermediate layer between the web browser and the operating system's network service. Messages can be analyzed and modified in this layer before they are sent to the target server; once a request has left the browser, the browser has no further influence over its content.

The tasks in this exercise are:

  • Launching the WebGoat environment
  • Parameter validation (verification)
  • Hidden fields – Analysis of hidden fields on a web page
  • Hidden fields – Modification of hidden fields
  • Client-side field validation – Finding forms
  • Client-side field validation – Bypassing validation
  • Session management and authentication – Identifying a session with a cookie
  • Session management and authentication – Session hijacking
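
As an added illustration (not part of the lab materials or of WebGoat's own code), the following Python shows the server-side mistakes that the hidden-field, client-side validation and session tasks exercise, each beside its correction: a handler that trusts a hidden price field and a client-validated quantity next to one that looks prices up on the server and re-validates, and a sequential session identifier next to an unpredictable one. The field names, catalogue and prices are constructed for the example.

```python
"""Constructed example: order form with a hidden 'price' field and a
quantity that is only validated by client-side script."""
import secrets
from urllib.parse import parse_qs

# The server's own source of truth for prices (cents); constructed values.
CATALOGUE = {"SKU-100": 1999, "SKU-200": 4999}


def vulnerable_total(body: str) -> int:
    """Trusts the hidden 'price' field and the client-validated 'qty'.
    Because the form is rewritten in the proxy layer before it reaches the
    server, both values are whatever the client chose to send."""
    form = parse_qs(body)
    price = int(form["price"][0])
    qty = int(form["qty"][0])
    return price * qty


def hardened_total(body: str) -> int:
    """Ignores any client-supplied price: the price is looked up by SKU on
    the server and the quantity rule is enforced again here, not only in
    the browser. Raises ValueError for anything that fails validation."""
    form = parse_qs(body)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", [""])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 10:  # same limit the client-side script applies
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


# Session identification: a predictable counter versus a random token.
_counter = 1000


def weak_session_id() -> str:
    """Sequential identifiers: knowing one lets anyone guess the next."""
    global _counter
    _counter += 1
    return str(_counter)


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG; cannot be predicted from earlier ids."""
    return secrets.token_urlsafe(32)
```

Feeding the tampered body `sku=SKU-100&price=1&qty=500` to both handlers shows the difference: the vulnerable one happily returns 500, the hardened one rejects the request.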

The maximum time allowed for the laboratory task is 45 minutes.

Ethical hacking
The laboratory is not intended to produce procedures or guides for carrying out cyber attacks. Its aim is to find and demonstrate vulnerabilities in current computer and network technologies through various cyber attacks: to show how such attacks occur, what happens during them, and what options exist for preventing such situations.