Chapter 18 Exercises: Web Application Security Fundamentals

Exercise 1: Web Application Architecture Mapping

Difficulty: Beginner | Time: 30 minutes

Choose a public e-commerce website (e.g., a small online shop, not a major retailer) and, using only your browser's Developer Tools (F12), identify the following:

  1. What web server software is used? (Check the Server response header)
  2. What frontend framework is used? (Check JavaScript files, HTML structure)
  3. Is the site a Single-Page Application or traditional multi-page?
  4. What API endpoints does the frontend call? (Check the Network tab)
  5. How is session state managed? (Check Cookies under Application tab)
  6. Draw a diagram of the three-tier architecture as you understand it.

Deliverable: A one-page architecture summary with supporting evidence from Developer Tools screenshots.


Exercise 2: OWASP Top 10 Categorization

Difficulty: Beginner | Time: 20 minutes

For each of the following vulnerability descriptions, identify which OWASP Top 10 (2021) category it belongs to. Some may belong to multiple categories.

  1. An admin page is accessible to any authenticated user, regardless of role.
  2. User passwords are stored as unsalted MD5 hashes.
  3. A search feature allows SQL commands to be embedded in the query.
  4. The application uses a jQuery version with a known XSS vulnerability.
  5. An image preview feature fetches URLs provided by the user, including internal network addresses.
  6. The password reset flow emails a permanent, non-expiring reset link.
  7. Login failures are not logged or monitored.
  8. A CI/CD pipeline installs npm packages without integrity verification.
  9. The application was designed without rate limiting on the checkout flow.
  10. Error pages display full stack traces including database connection strings.


Exercise 3: Security Header Audit Script

Difficulty: Intermediate | Time: 45 minutes

Write a Python script that takes a URL as input and generates a security header "report card." The script should check for all recommended security headers listed in Section 18.3.5, report which are present and which are missing, evaluate the quality of present headers (e.g., HSTS max-age should be at least 31536000), and assign an overall grade (A through F).

See code/exercise-solutions.py for the solution.
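An added example of the report-card logic (it is not the chapter's exercise-solutions.py): it grades a header mapping such as the one requests.get(url).headers returns, so it can be run offline on a constructed sample. The header list, thresholds and letter-grade cut-offs are assumptions of this example; the list in Section 18.3.5 is the authority for the real script.

```python
import re
from typing import Dict, List, Tuple
# Headers the report card checks (assumed list; Section 18.3.5 is the authority).
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options",
            "referrer-policy", "permissions-policy"]

def check_hsts(value: str) -> str:
    """Return '' if the HSTS value is strong, otherwise why it is weak."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    max_age = int(m.group(1)) if m else 0
    if max_age < 31536000:
        return f"max-age {max_age} is below one year (31536000)"
    if "includesubdomains" not in value.lower():
        return "missing includeSubDomains"
    return ""

def quality_issue(name: str, value: str) -> str:
    """Header-specific value checks; '' means the value looks fine."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        return check_hsts(value)
    if name == "content-security-policy" and ("'unsafe-inline'" in v or "'unsafe-eval'" in v):
        return "policy allows 'unsafe-inline' or 'unsafe-eval'"
    if name == "x-content-type-options" and v != "nosniff":
        return "value should be nosniff"
    if name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "value should be DENY or SAMEORIGIN"
    return ""

def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Score each header 2 (good), 1 (present but weak) or 0 (missing)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings, score = [], 0
    for name in REQUIRED:
        if name not in lower:
            findings.append(f"MISSING {name}")
            continue
        issue = quality_issue(name, lower[name])
        if issue:
            findings.append(f"WEAK {name}: {issue}")
        score += 1 if issue else 2
    pct = score / (2 * len(REQUIRED))
    grade = "A" if pct >= 0.9 else "B" if pct >= 0.75 else "C" if pct >= 0.6 else "D" if pct >= 0.4 else "F"
    return grade, findings

# Constructed sample of what requests.get(url).headers might hold for a weak site.
SAMPLE = {"Strict-Transport-Security": "max-age=300",
          "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN"}
```

The constructed sample grades D: HSTS is present but its max-age is far below one year, and three of the six headers are absent.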


Exercise 4: HTTP Request/Response Analysis

Difficulty: Beginner | Time: 30 minutes

Using Burp Suite or Browser Developer Tools, capture the HTTP traffic for the following actions on DVWA (or Juice Shop):

  1. Loading the login page (GET request)
  2. Submitting login credentials (POST request)
  3. Navigating to a protected page after login
  4. Logging out

For each request/response pair, document: the HTTP method and URL, all request headers, the response status code, all response headers, any cookies set or sent, and the authentication mechanism used.

Questions to answer:

  • How does the application know you are logged in after the initial login?
  • What happens if you copy the session cookie value and use it in a different browser?
  • What security flags are present on the session cookie?


Exercise 5: Cookie Security Analysis

Difficulty: Intermediate | Time: 30 minutes

Write a Python script that connects to a target URL, extracts all cookies from the response, and analyzes each cookie for missing security attributes (HttpOnly, Secure, SameSite). The script should generate a findings report with severity ratings for each missing attribute.

See code/exercise-solutions.py for the solution.
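An added example of the attribute analysis (not the chapter's exercise-solutions.py): it parses raw Set-Cookie header strings and emits one finding per missing or weak attribute. The severity ratings and the name heuristic for spotting session cookies are this example's assumptions; the Set-Cookie values are constructed, not captured from DVWA or Juice Shop.

```python
import re
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs

def is_session_cookie(name: str) -> bool:
    """Assumed heuristic: names like sessionid, PHPSESSID or auth_token carry sessions."""
    return re.search(r"sess|auth|token|jwt", name, re.IGNORECASE) is not None

def analyze_cookie(header: str, https: bool = True) -> List[Dict[str, str]]:
    """Return one finding per missing or weak security attribute."""
    name, _, attrs = parse_set_cookie(header)
    session = is_session_cookie(name)
    findings = []
    if "httponly" not in attrs:
        # A script-readable session cookie is what makes XSS a session-hijack issue
        findings.append({"cookie": name, "issue": "missing HttpOnly",
                         "severity": "High" if session else "Medium"})
    if https and "secure" not in attrs:  # Secure only matters on an HTTPS site
        findings.append({"cookie": name, "issue": "missing Secure",
                         "severity": "High" if session else "Medium"})
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        issue = "SameSite=None" if samesite == "none" else "missing SameSite"
        findings.append({"cookie": name, "issue": issue,
                         "severity": "Medium" if session else "Low"})
    return findings

def analyze_headers(set_cookie_headers: List[str], https: bool = True) -> List[Dict[str, str]]:
    """Run analyze_cookie over every Set-Cookie header of one response."""
    report = []
    for h in set_cookie_headers:
        report.extend(analyze_cookie(h, https))
    return report

# Constructed Set-Cookie headers standing in for a captured lab response.
SAMPLE_HEADERS = [
    "sessionid=9f3c2a; Path=/",
    "theme=dark; Path=/; SameSite=Lax",
    "csrftoken=c0ffee; Path=/; Secure; HttpOnly; SameSite=Strict",
]
```

With requests, the individual Set-Cookie headers are available as response.raw.headers.getlist("Set-Cookie"); response.headers merges them into one string, which this parser does not expect.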


Exercise 6: Burp Suite Mastery

Difficulty: Intermediate | Time: 60 minutes

Complete the following Burp Suite workflow exercises against DVWA:

  1. Proxy Setup: Configure FoxyProxy, install Burp CA certificate, and verify HTTPS interception works.
  2. Site Mapping: Browse DVWA with Burp proxy running (intercept OFF). Examine the Site Map tree and identify at least 10 unique endpoints.
  3. Intercept and Modify: With intercept ON, submit the DVWA login form. Modify the username to "admin" before forwarding. Document the modified request.
  4. Repeater Practice: Send the login request to Repeater. Test with three different username/password combinations. Compare the responses.
  5. Intruder Introduction: Send a request to Intruder. Set the password field as the payload position. Configure a small wordlist (10 passwords) and run a Sniper attack. Identify which password succeeds by response length difference.

Deliverable: Screenshots of each step with annotations explaining what you observed.


Exercise 7: HTTP Method Testing

Difficulty: Intermediate | Time: 20 minutes

Using curl or a Python script, test which HTTP methods are accepted by three different web applications in your lab:

  1. DVWA (http://localhost:8080)
  2. Juice Shop (http://localhost:3000)
  3. A static web server (e.g., Python's http.server)

For each target, send requests with all standard HTTP methods (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS, TRACE) and record the response status codes. Answer:

  • Which targets accept dangerous methods (TRACE, PUT, DELETE)?
  • Does the OPTIONS response accurately reflect which methods are accepted?
  • Are there any inconsistencies between what OPTIONS reports and what actually works?


Exercise 8: Form Parameter Extraction

Difficulty: Intermediate | Time: 30 minutes

Write a Python script using BeautifulSoup that takes a URL, fetches the page, and extracts all HTML forms with their complete details: action URL, HTTP method, all input fields with their types, names, and default values. The script should flag potential security testing points (text inputs, hidden fields, file uploads).

See code/exercise-solutions.py for the solution.


Exercise 9: Directory Discovery Challenge

Difficulty: Intermediate | Time: 45 minutes

Using Gobuster or Dirb against DVWA or Juice Shop, perform directory and file discovery:

  1. Run a basic scan with the common.txt wordlist.
  2. Run an extended scan with file extensions: .php, .txt, .bak, .old, .conf, .sql, .json.
  3. Run an API-specific scan against the /api/ path (if applicable).

Document all interesting findings. For each discovered resource:

  • What is its purpose?
  • Does it contain sensitive information?
  • Should it be publicly accessible?


Exercise 10: Redirect Chain Analyzer

Difficulty: Beginner | Time: 20 minutes

Using the requests library with allow_redirects=True, write a script that follows the full redirect chain for a given URL and reports each hop (status code, URL, relevant headers). Test with URLs that are known to redirect (e.g., http:// to https://, www to non-www).


Exercise 11: Content Security Policy Builder

Difficulty: Advanced | Time: 45 minutes

For ShopStack (React frontend, Node.js API, PostgreSQL, AWS CloudFront CDN), design a Content Security Policy that:

  1. Allows JavaScript only from the same origin and via nonces
  2. Allows CSS from the same origin and inline styles (with nonce)
  3. Allows images from the same origin, the CDN, and data: URIs
  4. Allows API connections only to the same origin and the API subdomain
  5. Blocks all framing (frame-ancestors)
  6. Restricts form submissions to same origin
  7. Includes a report-uri for violation monitoring

Write the complete CSP header value. Then test it using Google's CSP Evaluator (https://csp-evaluator.withgoogle.com/) and document any warnings.
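An added example of one way to build and sanity-check such a policy (not the chapter's own solution). The CDN, API and report-uri origins are assumed placeholders for ShopStack; base-uri and object-src are included beyond the seven requirements because CSP Evaluator warns when they are absent. The lint function is a lightweight stand-in for the checks the Evaluator performs, not a reimplementation of it.

```python
import secrets
from typing import Dict, List
# Assumed ShopStack origins; replace with the real CDN and API hostnames.
CDN_ORIGIN = "https://cdn.shopstack.example"
API_ORIGIN = "https://api.shopstack.example"
REPORT_URI = "https://shopstack.example/csp-report"

def build_shopstack_csp(nonce: str) -> str:
    """Return the CSP header for one response; nonce must be fresh per response."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],          # requirement 1
        "style-src": ["'self'", f"'nonce-{nonce}'"],           # requirement 2
        "img-src": ["'self'", CDN_ORIGIN, "data:"],            # requirement 3
        "connect-src": ["'self'", API_ORIGIN],                 # requirement 4
        "frame-ancestors": ["'none'"],                         # requirement 5
        "form-action": ["'self'"],                             # requirement 6
        "base-uri": ["'self'"],    # not required by the exercise; Evaluator warns without it
        "object-src": ["'none'"],  # likewise: blocks plugin content
        "report-uri": [REPORT_URI],                            # requirement 7
    }
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())

def new_nonce() -> str:
    return secrets.token_urlsafe(16)  # 128 bits from the CSPRNG, echoed into nonce= attributes

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn 'name src src; name src' into {name: [src, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(header: str) -> List[str]:
    """Flag the weaknesses CSP Evaluator most commonly reports (assumed subset)."""
    p = parse_csp(header)
    problems = []
    for d in ("script-src", "style-src", "connect-src", "img-src"):
        for src in p.get(d, p.get("default-src", [])):  # directive falls back to default-src
            if src in ("'unsafe-inline'", "'unsafe-eval'", "*") or src.startswith("http:"):
                problems.append(f"{d} allows {src}")
    if p.get("frame-ancestors") != ["'none'"]:
        problems.append("frame-ancestors does not block all framing")
    if "report-uri" not in p and "report-to" not in p:
        problems.append("no violation reporting directive")
    return problems
```

Paste the output of build_shopstack_csp(new_nonce()) into CSP Evaluator to compare its warnings with what lint_csp reports.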


Exercise 12: Technology Stack Fingerprinting

Difficulty: Intermediate | Time: 30 minutes

Write a Python script that fingerprints the technology stack of a given URL using multiple signals: HTTP headers, cookie names, HTML content patterns, known file paths, and JavaScript file analysis.

See code/exercise-solutions.py for the solution.


Exercise 13: HTTPS/TLS Analysis

Difficulty: Intermediate | Time: 30 minutes

Using the ssl and socket Python modules (or testssl.sh if available), analyze the TLS configuration of three different websites:

  1. A major bank's website
  2. Your lab environment (self-signed cert)
  3. A government website

For each, determine: TLS version, cipher suite, certificate details (issuer, expiry, SANs), and whether HSTS is enabled. Rate each configuration as Good, Acceptable, or Poor.


Exercise 14: Web Application Test Plan

Difficulty: Advanced | Time: 60 minutes

You have been hired to perform a web application penetration test on a fictional e-commerce site similar to ShopStack. Create a comprehensive test plan that includes:

  1. Scope definition: What is in scope, what is out of scope
  2. Reconnaissance checklist: All reconnaissance activities to perform
  3. Testing matrix: Map each OWASP Top 10 category to specific test cases
  4. Priority ranking: Order test cases by potential impact
  5. Tools list: Which tools for each phase
  6. Reporting template: Structure for documenting findings


Exercise 15: URL Parameter Enumeration

Difficulty: Beginner | Time: 20 minutes

Write a Python script that takes a list of URLs (from a crawl or Burp Suite export) and extracts all unique parameters, grouping them by endpoint and identifying potential test points.

See code/exercise-solutions.py for the solution.
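An added example of the enumeration step (not the chapter's exercise-solutions.py): it groups unique parameters by scheme, host and path and attaches a hint about why each might deserve attention. The name-based hints are this example's assumptions, and the URL list is constructed rather than taken from a real crawl.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristics: parameter-name suffix -> what kind of handling to review.
HINTS = [
    (r"(file|path|dir|template|page|include)$", "file/path handling (traversal, LFI)"),
    (r"(url|uri|redirect|next|return|callback|dest)$", "URL handling (open redirect, SSRF)"),
    (r"(id|uid|user|account|order|invoice)$", "object reference (access control, IDOR)"),
    (r"(q|search|query|term|name|msg|comment)$", "text reflected or stored (XSS, injection)"),
]

def hint_for(param: str) -> str:
    """Return the first matching hint for a parameter name, or '' if none applies."""
    for pattern, label in HINTS:
        if re.search(pattern, param, re.IGNORECASE):
            return label
    return ""

def enumerate_params(urls: List[str]) -> Dict[str, Dict[str, dict]]:
    """Map endpoint (scheme://host/path) -> {param: {'values': set, 'hint': str}}."""
    report: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for url in urls:
        parts = urlsplit(url.strip())
        endpoint = f"{parts.scheme}://{parts.netloc}{parts.path or '/'}"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry = report[endpoint].setdefault(name, {"values": set(), "hint": hint_for(name)})
            entry["values"].add(value)  # keep observed values; they show the expected format
    return dict(report)

# Constructed URL list standing in for a crawler or Burp Suite export.
SAMPLE_URLS = [
    "http://localhost:8080/search?q=apple&sort=asc",
    "http://localhost:8080/search?q=banana",
    "http://localhost:8080/account?id=1001",
    "http://localhost:8080/account?id=1002",
    "http://localhost:8080/login?redirect_url=/account",
]
```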


Exercise 16: WAF Detection and Analysis

Difficulty: Advanced | Time: 40 minutes

Using manual techniques (not automated tools), determine whether a target web application has a WAF in front of it:

  1. Send a normal request and record the baseline response.
  2. Send a request containing <script>alert(1)</script> in a parameter.
  3. Send a request containing ' OR 1=1 -- in a parameter.
  4. Send a request with an extremely long URL (over 8000 characters).
  5. Send multiple rapid requests (50+ in 10 seconds).

Compare responses. Document the evidence for or against WAF presence. If a WAF is detected, attempt to identify its type from response headers or custom error pages.


Exercise 17: Session Management Analysis

Difficulty: Intermediate | Time: 40 minutes

Analyze the session management of DVWA or Juice Shop:

  1. Login and capture the session token.
  2. Decode the token (base64, JWT decode, etc.).
  3. Determine what information the token contains.
  4. Test session fixation: can you set a session token before login and have it persist after login?
  5. Test session timeout: how long until the session expires?
  6. Test concurrent sessions: can the same user be logged in from two browsers?
  7. Test session invalidation: after logout, is the old session token still valid?
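An added example for steps 2 and 3 (not the chapter's own code): it decodes a JWT's header and claims without trusting them, notes properties worth recording in your analysis, and separately recomputes an HS256 signature so you can confirm whether a token you captured was minted with a key you hold. The key and token are constructed inside the block; Juice Shop's real signing key is not part of this example.

```python
import base64, hashlib, hmac, json, time
from typing import Any, Dict, Optional

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Decode header and claims without trusting them, and note risky properties."""
    header_s, payload_s, _ = token.split(".")
    header = json.loads(b64url_decode(header_s))
    claims = json.loads(b64url_decode(payload_s))
    now = time.time() if now is None else now
    notes = []
    if str(header.get("alg", "")).lower() == "none":
        notes.append("alg=none: token carries no signature, the server must reject it")
    if "exp" not in claims:
        notes.append("no exp claim: token stays valid until revoked server-side")
    elif claims["exp"] < now:
        notes.append("token is expired")
    return {"header": header, "claims": claims, "notes": notes}

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HS256 MAC over header.payload and compare in constant time."""
    header_s, payload_s, sig_s = token.split(".")
    expected = hmac.new(key, f"{header_s}.{payload_s}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_s))

def make_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Mint a token so the example is self-contained (the lab app does this for you)."""
    compact = {"separators": (",", ":")}
    header_s = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_s = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header_s}.{payload_s}".encode(), hashlib.sha256).digest()
    return f"{header_s}.{payload_s}.{b64url_encode(sig)}"

# Constructed key and token standing in for one captured from the lab.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_TOKEN = make_hs256({"sub": "alice", "role": "customer", "exp": 1700000000}, DEMO_KEY)
```

Record what inspect_jwt shows (algorithm, claims, expiry) in your analysis; whether the claims are trustworthy is answered only by a successful signature check such as verify_hs256.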


Exercise 18: Comprehensive DVWA Recon

Difficulty: Advanced | Time: 90 minutes

Perform a complete reconnaissance of DVWA as if it were a real-world target. You should use only the techniques from this chapter (no exploitation). Produce a reconnaissance report containing:

  1. Technology stack identification
  2. Complete site map (all pages and endpoints)
  3. All forms with their parameters
  4. All cookies and their security attributes
  5. Security header analysis
  6. robots.txt and sitemap.xml contents
  7. Interesting files and directories discovered
  8. HTML comments containing useful information
  9. Authentication mechanism analysis
  10. Test priorities based on findings

This exercise integrates all chapter concepts into a single practical assessment.