OWASP21-PG (OWASP Top 10 for 2021 Practice Ground) is a practical lab designed to equip security enthusiasts, developers, and students with the necessary skills to identify and prevent web vulnerabilities, particularly those in the OWASP Top 10 list for 2021. This project builds on the foundation of bWAPP, a free and open-source deliberately insecure web application, but takes it to the next level by providing a comprehensive practical lab that covers all categories in the OWASP Top 10. With OWASP21-PG, you can have fun while gaining the necessary skills to protect your digital world.
- Features
- Installation
- Lab Overview
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
- A08:2021 + A09: Special Lab
- References
- Credits
- Disclaimer
- License
- Covers all categories in the OWASP Top 10 for 2021
- Based on bWAPP, a deliberately insecure web application
- Provides a comprehensive practical lab for learning web application security
- Available as a PHP application that can be hosted on Linux/Windows with Apache/IIS
- Easy to install with WAMP or XAMPP
- Enter the command to download
install.sh
wget https://raw.githubusercontent.com/Hrishikesh7665/OWASP21-PG/main/install.sh
- Make
install.sh
executable
sudo chmod +x install.sh
- Run the script
sudo ./install.sh
- Installation Completeππ
Optional
Import owasp21PG.crt to your browser
- Install Dependencies
sudo apt install -y net-tools git nano openssl apache2 php python3 python3-pip
- Or Equivalent command according to your distro
- Clone the repository to your local machine using the following command:
git clone https://github.com/Hrishikesh7665/OWASP21-PG.git
- Navigate to
OWASP21-PG
directory
cd OWASP21-PG
- Check your IP address and replace the tags with your IP Address and save
nano ./configs/owasp21PG.conf
- Copy all the contains of the
OWASP21-PG
to the\var\www\html
sudo cp -r . /var/www/html
- NB. Assuming you are in
OWASP21-PG
directory
- Change the read/write permission of
\var\www\html
towww-data
group
sudo chown -R www-data:www-data /var/www/html
- Run the command to allow .htaccess overrides
sudo sed -i '/<Directory \/var\/www\/>/,/<\/Directory>/ s/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf
- Run the command to generate self-signed SSL certificate and key
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/owasp21PG.key -out /etc/ssl/certs/owasp21PG.crt -subj "/C=IN/ST=West-Bengal/L=Kolkata" && sudo cp /etc/ssl/certs/owasp21PG.crt /var/www/html
- Enable SSL module
sudo a2enmod ssl
- Copy previosly edited
owasp21PG.conf
file to/etc/apache2/sites-available
sudo cp ./configs/owasp21PG.conf /etc/apache2/sites-available/
- Make
owasp21PG.conf
default site configuration
sudo a2ensite owasp21PG.conf
- Restart Apache service
sudo service apache2 restart
- Or Equivalent command according to your distro
- Install aiosmtpd module required for fake SMTP Server
python3 -m pip install aiosmtpd
- Or
python -m pip install aiosmtpd
- Start fake SMTP Server
python3 /var/www/html/bugs/12PHPMailer_vulnerableComponent/smtp.py
- Or
python /var/www/html/bugs/12PHPMailer_vulnerableComponent/smtp.py
- Installation Completeππ
Optional
Import owasp21PG.crt to your browser
- Clone the repository to your local machine using the following command:
git clone https://github.com/Hrishikesh7665/OWASP21-PG.git
Alternatively, You can Download The Zip
Direct Download Zip
Click Here
- Install the necessary software, such as Apache/IIS and PHP, or use a pre-built package like WAMP or XAMPP.
- Configure your web server to host the OWASP21 - PG application.
- Start the lab and begin learning!
- Clone the repository to your local machine using the following command:
git clone https://github.com/Hrishikesh7665/OWASP21-PG.git
- Build the docker image from Dockerfile using
docker build -t owasp21-pg .
- Run the docker image
docker run -it -p 80:80 -p 443:443 -p 1025:1025 --name owasp21-pg owasp21-pg
- Browse to http://127.0.0.1
- LAB-1 Vertical Privilege Escalation
- LAB-2 Horizontal Privilege Escalation
- LAB-1 Insecure storage of sensitive data
- LAB-2 Man in the Middle (MitM)
- LAB-1 XML Injection
- LAB-2 XSS Injection
- LAB-1 Captcha Bypass
- LAB-2 OTP Bypass
- LAB-1 Cross-Origin Resource Sharing (CORS)
- LAB-2 XML External Entity Injection (XXE) for Security Misconfiguration
- LAB-1 Unrestricted File Saver
- LAB-2 PHP Contact Form (PHPMailer Vulnerability)
- LAB-1 Vulnerable Password Reset Mechanism
- LAB-2 Insecure JWT Authentication
- LAB-1 File Integrity Checks
- LAB-1 Unprotected Log
- LAB-1 Server Internal File Downloading
- LAB-2 Server Internal File Downloading (By Exploiting Image Downloading Functionality)
- LAB By Exploiting Data Integrity Failure Unlock Server Internal Logs
- Open Web Application Security Project Top 10 2021
- Vertical Privilege Escalation
- Horizontal Privilege Escalation
- Insecure storage of sensitive data
- Man in the Middle (MitM)
- XML Injection
- XSS Injection
- Cross-Origin Resource Sharing (CORS)
- XML External Entity Injection (XXE)
- PHPMailer Vulnerabilities (CVE-2016-10033)
- Insecure JSON Web Tokens (JWT)
- Server-side request forgery (SSRF)
I would like to express my gratitude to the following individuals and organizations for their significant contributions to this project:
- CodePen Community for providing templates and resources that helped me create an efficient website that reflects the objectives of the OWASP Top 10.
- bWAPP for their guidance and expertise in making my project meaningful for cybersecurity education. Their dedication to open-source resources has inspired me and other aspiring cybersecurity enthusiasts to learn and discover.
- OWASP for their invaluable work in improving software security and promoting cybersecurity awareness.
- Bing AI For the awsome logo.
OWASP21 - PG is designed for web application security testing and educational purposes only. Please do not use it for any malicious activity.
OWASP21 - PG is licensed under the MIT License.
I have put in my best effort to create these labs, and I would appreciate your input to further enhance them. Your valuable knowledge and insights would be invaluable in enriching the labs. Thank you in advance for your assistance.