In this exercise, we will focus on implementing security controls to mitigate common vulnerabilities in web applications. This hands-on activity will help you understand how to apply the OWASP guidelines and standards to secure your web applications effectively.

• Identify common vulnerabilities in a sample web application.
• Implement appropriate security controls to mitigate these vulnerabilities.
• Validate the effectiveness of the implemented controls.

• Basic understanding of web application development.
• Familiarity with OWASP Top Ten vulnerabilities.
• Access to a development environment (e.g., local server, code editor).

We will use a simple web application with known vulnerabilities. Your task is to identify these vulnerabilities and implement security controls to fix them. We will focus on the following vulnerabilities:

1. SQL Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication

1. Clone the Sample Web Application Repository:

   git clone https://github.com/owasp/sample-web-application.git
   cd sample-web-application
   

2. Install Dependencies:

   npm install
   

3. Start the Application:

   npm start
   

4. Access the Application: Open your browser and navigate to http://localhost:3000.

1. SQL Injection:

   • Navigate to the login page.
   • Try entering ' OR '1'='1 in the username and password fields.
   • Observe if you gain unauthorized access.

2. Cross-Site Scripting (XSS):

   • Navigate to the comment section.
   • Try entering <script>alert('XSS')</script> in the comment field.
   • Observe if an alert box appears.

3. Broken Authentication:

   • Check if the application uses weak password policies or stores passwords in plaintext.

1. SQL Injection Mitigation:

   • Use parameterized queries to prevent SQL injection.

   // Vulnerable code
   const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
   
   // Secure code
   const query = 'SELECT * FROM users WHERE username = ? AND password = ?';
   db.query(query, [username, password], (err, results) => {
       if (err) throw err;
       // Handle results
   });
   

2. Cross-Site Scripting (XSS) Mitigation:

   • Use output encoding to prevent XSS.

   // Vulnerable code
   const comment = req.body.comment;
   res.send(`<div>${comment}</div>`);
   
   // Secure code
   const comment = req.body.comment;
   res.send(`<div>${escapeHtml(comment)}</div>`);
   
   function escapeHtml(unsafe) {
       return unsafe
           .replace(/&/g, "&amp;")
           .replace(/</g, "&lt;")
           .replace(/>/g, "&gt;")
           .replace(/"/g, "&quot;")
           .replace(/'/g, "&#039;");
   }
   

3. Broken Authentication Mitigation:

   • Implement strong password policies and store passwords securely using hashing.

   const bcrypt = require('bcrypt');
   const saltRounds = 10;
   
   // Hashing password before storing
   bcrypt.hash(password, saltRounds, (err, hash) => {
       if (err) throw err;
       // Store hash in the database
       const query = 'INSERT INTO users (username, password) VALUES (?, ?)';
       db.query(query, [username, hash], (err, results) => {
           if (err) throw err;
           // Handle results
       });
   });
   
   // Verifying password during login
   db.query('SELECT password FROM users WHERE username = ?', [username], (err, results) => {
       if (err) throw err;
       bcrypt.compare(password, results[0].password, (err, result) => {
           if (err) throw err;
           if (result) {
               // Passwords match
           } else {
               // Passwords do not match
           }
       });
   });
   

1. SQL Injection:

   • Try the same SQL injection payload (' OR '1'='1) and verify that it no longer works.

2. Cross-Site Scripting (XSS):

   • Try the same XSS payload (<script>alert('XSS')</script>) and verify that it is now safely encoded.

3. Broken Authentication:

   • Ensure that passwords are hashed and that weak passwords are not accepted.

In this exercise, you have learned how to identify and mitigate common web application vulnerabilities by implementing appropriate security controls. By following the OWASP guidelines, you can significantly enhance the security of your web applications.

• SQL Injection: Use parameterized queries to prevent SQL injection attacks.
• Cross-Site Scripting (XSS): Use output encoding to prevent XSS attacks.
• Broken Authentication: Implement strong password policies and use hashing to store passwords securely.

• Regularly update your knowledge of the latest security threats and mitigation techniques.
• Use automated tools like OWASP ZAP to scan your applications for vulnerabilities.
• Continuously monitor and improve your security practices to stay ahead of potential threats.

By practicing these exercises and applying the learned concepts, you will be better equipped to secure your web applications against common vulnerabilities.