Learning Outcome
4
Analyze and modify requests, headers, cookies, and parameters.
3
Perform application mapping and traffic analysis.
2
Configure Burp to intercept HTTP/HTTPS traffic.
1
Understand Burp Suite's role in web security testing.
5
Use manual and automated testing to identify vulnerabilities.
A new shopping mall called SafeMall opens and welcomes thousands of visitors every day.
Technical Term: SafeMall = Web Application
A security expert inspects the mall to identify hidden security weaknesses.
Technical Term: Security Expert = Security Professional
A visitor enters a restricted storage room because the lock is broken.
Technical Term: Broken Lock = Broken Access Control
A stranger uses a copied employee ID to enter staff-only areas.
Technical Term: Copied ID = Authentication Failure
A customer enters unexpected commands into the feedback kiosk, exposing confidential information.
Technical Term: Feedback Kiosk = Injection Vulnerability
Outdated CCTV software is exploited, allowing criminals to disable the cameras.
Technical Term: Old CCTV Software = Vulnerable and Outdated Components
The mall installs equipment from an untrusted supplier that secretly contains malware.
Technical Term: Untrusted Equipment = Software and Data Integrity Failure (Supply Chain Attack)
After a theft, there are no camera recordings or activity logs to investigate.
Technical Term: Missing Records = Security Logging and Monitoring Failure
The security expert shows the mall owner a checklist of the ten most common security risks.
Technical Term: Security Checklist = OWASP Top 10
The mall fixes its weaknesses, updates security, and becomes much safer for everyone.
Technical Term: Security Improvements = OWASP Top 10 Remediation
Introduction to Burp Suite
Burp Suite is a web application security testing tool used to inspect, modify, and analyze HTTP/HTTPS traffic between a browser and a web server.
Key Capabilities
Traffic interception
Request/response analysis
Application mapping
Vulnerability assessment
Security testing automation
Understanding the OWASP Top 10 Project
The OWASP Top 10 is a regularly updated list of the most critical web application security risks. It helps developers, security testers, and organizations identify common vulnerabilities based on real-world security data.
Purpose of the OWASP Top 10
Raise security awareness
Prioritize security efforts
Promote secure coding
Guide security testing
Why OWASP Top 10 Matters
The OWASP Top 10 is an industry-standard reference for web application security.
Benefits
Reduces vulnerabilities
Improves application security
Protects sensitive data
Supports compliance
Prioritizes remediation
Enhances customer trust
Security Risks in Modern Web Applications
Modern web applications have become increasingly complex due to:
Cloud computing
APIs and microservices
Third-party integrations
Mobile applications
Continuous deployment practices
OWASP Top 10:2025 Vulnerability Categories
Broken Access Control
Occurs when users access resources or functions without proper authorization.
Example
A normal user accesses an admin page by changing a URL.
Potential Impact
Unauthorized data access
Data modification
Privilege escalation
Account compromise
Security Misconfiguration
Occurs when applications, servers, or cloud services are configured incorrectly.
Example
Default credentials
Debug mode enabled
Unnecessary services
Improper cloud storage settings
Potential Impact
Information disclosure
Unauthorized access
System compromise
Software Supply Chain Failures
Occurs when vulnerabilities are introduced through third-party software, dependencies, or deployment processes.
Example
Compromised software packages
Malicious dependencies
Insecure CI/CD pipelines
Tampered updates
Potential Impact
Malware distribution
Backdoor installation
Large-scale compromise
Data breaches
Cryptographic Failures
Occurs when sensitive data is not properly protected using secure encryption.
Example
Weak encryption
Unencrypted sensitive data
Poor key management
Insecure data transmission
Potential Impact
Data exposure
Regulatory violations
Financial fraud
Identity theft
Injection
Occurs when untrusted input is executed as commands or queries due to improper input validation.
Unauthorized access
Data manipulation
Information disclosure
System compromise
Potential Impact
Types:
SQL Injection: User input alters database queries.
Command Injection: User input executes operating system commands.
NoSQL Injection: User input modifies NoSQL database queries.
Insecure Design
Security weaknesses caused by poor application design instead of coding errors.
Missing authorization
Weak business logic validation
Insecure workflows
Weak security architecture
Examples
Potential Impact
Unauthorized actions
Increased attack opportunities
Abuse of application features
Authentication Failures
Occurs when applications fail to properly verify user identities.
Weak passwords
Missing MFA
Weak password reset
Predictable session IDs
Examples
Potential Impact
Account takeover
Unauthorized access
Credential abuse
Software or Data Integrity Failures
Occurs when software, updates, or critical data are not verified for integrity.
Unverified updates
Insecure deserialization
Untrusted code execution
Unsigned software
Examples
Potential Impact
Supply chain attacks
Malware deployment
Application compromise
Security Logging and Alerting Failures
Occurs when applications fail to log or report suspicious activities.
Missing audit logs
Poor monitoring
No security alerts
Inadequate incident tracking
Examples
Potential Impact
Delayed incident response
Undetected attacks
Increased breach impact
Mishandling of Exceptional Conditions
Occurs when applications fail to handle errors or abnormal conditions securely.
Improper error handling
Resource exhaustion
Application crashes
Fail-open behavior
Examples
Potential Impact
Service disruption
Security bypass
Information disclosure
Reduced application availability
Summary
5
OWASP supports security testing and risk reduction.
4
Understanding OWASP helps build secure web applications.
3
Common vulnerabilities can lead to serious attacks.
2
The OWASP Top 10 highlights critical security risks.
1
OWASP improves web application security.
Quiz
What does SSRF stand for?
A. Secure Server Response Framework
B. Server Security Response Function
C. Server-Side Request Forgery
D. Secure System Request Filter
Quiz-Answer
C. Server-Side Request Forgery
What does SSRF stand for?
A. Secure Server Response Framework
B. Server Security Response Function
D. Secure System Request Filter