Web Application Testing Techiques

Burp Suite Fundamentals

Learning Outcome

4

Analyze and modify requests, headers, cookies, and parameters.

3

Perform application mapping and traffic analysis.

2

Configure Burp to intercept HTTP/HTTPS traffic.

1

Understand Burp Suite's role in web security testing.

5

Use manual and automated testing to identify vulnerabilities.

A new shopping mall called SafeMall opens and welcomes thousands of visitors every day.

Technical Term: SafeMall = Web Application

A security expert inspects the mall to identify hidden security weaknesses.

Technical Term: Security Expert = Security Professional

A visitor enters a restricted storage room because the lock is broken.

Technical Term: Broken Lock = Broken Access Control

A stranger uses a copied employee ID to enter staff-only areas.

Technical Term: Copied ID = Authentication Failure

A customer enters unexpected commands into the feedback kiosk, exposing confidential information.

Technical Term: Feedback Kiosk = Injection Vulnerability

Outdated CCTV software is exploited, allowing criminals to disable the cameras.

Technical Term: Old CCTV Software = Vulnerable and Outdated Components

The mall installs equipment from an untrusted supplier that secretly contains malware.

Technical Term: Untrusted Equipment = Software and Data Integrity Failure (Supply Chain Attack)

After a theft, there are no camera recordings or activity logs to investigate.

Technical Term: Missing Records = Security Logging and Monitoring Failure

The security expert shows the mall owner a checklist of the ten most common security risks.

Technical Term: Security Checklist = OWASP Top 10

The mall fixes its weaknesses, updates security, and becomes much safer for everyone.

Technical Term: Security Improvements = OWASP Top 10 Remediation

Introduction to Burp Suite

Burp Suite is a web application security testing tool used to inspect, modify, and analyze HTTP/HTTPS traffic between a browser and a web server.

     Key Capabilities

Traffic interception

Request/response analysis

Application mapping

Vulnerability assessment

Security testing automation

Understanding the OWASP Top 10 Project

The OWASP Top 10 is a regularly updated list of the most critical web application security risks. It helps developers, security testers, and organizations identify common vulnerabilities based on real-world security data.

   Purpose of the OWASP Top 10

Raise security awareness

Prioritize security efforts

Promote secure coding

Guide security testing

Why OWASP Top 10 Matters

The OWASP Top 10 is an industry-standard reference for web application security.

    Benefits

Reduces vulnerabilities

 

Improves application security

 

Protects sensitive data

 

Supports compliance

 

Prioritizes remediation

 

Enhances customer trust

 Security Risks in Modern Web Applications

Modern web applications have become increasingly complex due to:

Cloud computing

APIs and microservices

Third-party integrations

Mobile applications

Continuous deployment practices

OWASP Top 10:2025 Vulnerability Categories

  Broken Access Control

Occurs when users access resources or functions without proper authorization.

Example

A normal user accesses an admin page by changing a URL.

Potential Impact

Unauthorized data access

Data modification

Privilege escalation

Account compromise

    Security Misconfiguration

Occurs when applications, servers, or cloud services are configured incorrectly.

Example

Default credentials

Debug mode enabled

Unnecessary services

Improper cloud storage settings

Potential Impact

Information disclosure

Unauthorized access

System compromise

    Software Supply Chain Failures

Occurs when vulnerabilities are introduced through third-party software, dependencies, or deployment processes.

Example

Compromised software packages

Malicious dependencies

Insecure CI/CD pipelines

Tampered updates

Potential Impact

Malware distribution

Backdoor installation

Large-scale compromise

Data breaches

Cryptographic Failures

Occurs when sensitive data is not properly protected using secure encryption.

Example

Weak encryption

Unencrypted sensitive data

Poor key management

Insecure data transmission

Potential Impact

Data exposure

Regulatory violations

Financial fraud

Identity theft

 Injection

Occurs when untrusted input is executed as commands or queries due to improper input validation.

Unauthorized access

Data manipulation

Information disclosure

System compromise

Potential Impact

Types:

SQL Injection: User input alters database queries.

 

Command Injection: User input executes operating system commands.

 

NoSQL Injection: User input modifies NoSQL database queries.

      Insecure Design

Security weaknesses caused by poor application design instead of coding errors.

Missing authorization

Weak business logic validation

Insecure workflows

Weak security architecture

Examples

Potential Impact

Unauthorized actions

Increased attack opportunities

Abuse of application features

     Authentication Failures

Occurs when applications fail to properly verify user identities.

Weak passwords

Missing MFA

Weak password reset

Predictable session IDs

Examples

Potential Impact

Account takeover

Unauthorized access

Credential abuse

     Software or Data Integrity Failures

Occurs when software, updates, or critical data are not verified for integrity.

Unverified updates

Insecure deserialization

Untrusted code execution

Unsigned software

Examples

Potential Impact

Supply chain attacks

Malware deployment

Application compromise

   Security Logging and Alerting Failures

Occurs when applications fail to log or report suspicious activities.

Missing audit logs

Poor monitoring

No security alerts

Inadequate incident tracking

Examples

Potential Impact

Delayed incident response

Undetected attacks

Increased breach impact

   Mishandling of Exceptional Conditions

Occurs when applications fail to handle errors or abnormal conditions securely.

Improper error handling

Resource exhaustion

Application crashes

Fail-open behavior

Examples

Potential Impact

Service disruption

Security bypass

Information disclosure

Reduced application availability

Summary

5

OWASP supports security testing and risk reduction.

4

Understanding OWASP helps build secure web applications.

3

Common vulnerabilities can lead to serious attacks.

2

The OWASP Top 10 highlights critical security risks.

1

OWASP improves web application security.

Quiz

What does SSRF stand for?

 

A. Secure Server Response Framework

B. Server Security Response Function

C. Server-Side Request Forgery

D. Secure System Request Filter

Quiz-Answer

C. Server-Side Request Forgery

What does SSRF stand for?

 

A. Secure Server Response Framework

B. Server Security Response Function

D. Secure System Request Filter

Burp Suite Fundamentals

By Content ITV

Burp Suite Fundamentals

  • 5