Web Application Testing

Web applications are the most commonly exposed attack surface for organisations. This lesson covers the OWASP Top 10, core web vulnerabilities, manual testing methodology, and the essential tool Burp Suite — all within the context of authorised testing.

Authorisation reminder: Only test web applications you own or have explicit written permission to test.

OWASP Top 10 (2021)

The OWASP Top 10 represents the most critical web application security risks:

Rank	Category	Key Risk
A01	Broken Access Control	Users act beyond their permissions
A02	Cryptographic Failures	Sensitive data exposure
A03	Injection	SQL, NoSQL, OS command injection
A04	Insecure Design	Missing security controls by design
A05	Security Misconfiguration	Default configs, verbose errors
A06	Vulnerable & Outdated Components	Unpatched libraries/frameworks
A07	Identification & Authentication Failures	Weak passwords, session issues
A08	Software & Data Integrity Failures	Insecure CI/CD, unsigned updates
A09	Security Logging & Monitoring Failures	Insufficient detection/response
A10	Server-Side Request Forgery (SSRF)	Server makes requests to attacker-chosen URLs

SQL Injection (SQLi)

SQL injection occurs when user input is incorporated into SQL queries without proper sanitisation.

Detection

# Classic test — does the page behave differently?
https://example.com/item?id=1
https://example.com/item?id=1'
https://example.com/item?id=1' OR '1'='1
https://example.com/item?id=1' AND '1'='2

# Time-based blind SQLi
https://example.com/item?id=1' AND SLEEP(5)--

Types of SQL Injection

┌─────────────────────────────────────────────┐
│             SQL Injection Types              │
├─────────────────┬───────────────────────────┤
│ In-band (Classic)│                          │
│   ├─ Union-based │ Combines results via     │
│   │              │ UNION SELECT             │
│   └─ Error-based │ Extracts data from       │
│                  │ database error messages   │
├─────────────────┼───────────────────────────┤
│ Blind            │                          │
│   ├─ Boolean     │ True/false responses     │
│   └─ Time-based  │ Response time differences│
├─────────────────┼───────────────────────────┤
│ Out-of-band      │ Data exfiltrated via     │
│                  │ DNS or HTTP requests      │
└─────────────────┴───────────────────────────┘

Using sqlmap (Authorised Testing Only)

# Basic test
sqlmap -u "https://example.com/item?id=1" --batch

# Enumerate databases
sqlmap -u "https://example.com/item?id=1" --dbs

# Enumerate tables in a database
sqlmap -u "https://example.com/item?id=1" -D target_db --tables

# Dump specific table
sqlmap -u "https://example.com/item?id=1" -D target_db -T users --dump

Cross-Site Scripting (XSS)

XSS allows attackers to inject client-side scripts into web pages viewed by other users.

Types

Type	Stored?	Trigger	Severity
Reflected	No	Victim clicks a crafted link	Medium
Stored	Yes	Script persists in the database	High
DOM-based	No	Client-side JS processes input	Medium

Testing for XSS

<!-- Basic test payloads -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
"><script>alert('XSS')</script>
'><img src=x onerror=alert('XSS')>

<!-- Filter bypass examples -->
<ScRiPt>alert('XSS')</ScRiPt>
<img src=x onerror="alert('XSS')">
<body onload=alert('XSS')>

Web Application Testing

Web Application Testing

OWASP Top 10 (2021)

SQL Injection (SQLi)

Detection

Types of SQL Injection

Using sqlmap (Authorised Testing Only)

Cross-Site Scripting (XSS)

Types

Testing for XSS

Cross-Site Request Forgery (CSRF)

More in Cybersecurity