Self-Protection: Safeguarding Web Apps Against Attackers

Self-Hacking: Protect web apps from attackers

Table of contents:

1. Self-hacking: Protecting web apps from attackers
2. Installing the OWASP Juice Shop
3. Working with ZAP
4. Dirbusting and standard passwords
5. Conclusion

A world without web applications is unthinkable today. They are omnipresent and offer several advantages over traditional desktop applications. Users do not have to worry about updates, and system requirements are limited to an up-to-date web browser and a working internet connection. Additionally, web applications are cheaper to develop and maintain. However, there is a downside to this convenience.

Web applications also offer attackers on the network plenty of opportunities. Vulnerabilities such as cross-site scripting (XSS), SQL injection, man-in-the-middle attacks, and denial-of-service attacks can lead to service outages, leaked confidential information, or even the unnoticed takeover of the underlying IT infrastructure by criminals. Web APIs are also increasingly becoming a target for attackers.

To mitigate these threats, many companies conduct security reviews of their web applications. These reviews often identify the same recurring risks: disclosure of the software versions in use, outdated software, publicly accessible admin interfaces without access protection or with default passwords, and missing security-relevant HTTP headers or cookie flags. Companies can often identify these risks themselves with relatively little effort and then address them appropriately.
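A minimal self-check for three of the recurring findings listed above (version disclosure in Server/X-Powered-By, missing security headers, and cookies without Secure/HttpOnly/SameSite). This is an added example, not code from the article or from any of the tools it names; the baseline header list and the sample response are assumptions constructed for the example.

```python
import re
from typing import Iterable

# Baseline of headers a review usually expects on an HTTPS app (assumption: list chosen for this example).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may still talk plain HTTP to the site",
    "content-security-policy": "CSP missing: no second line of defence against injected scripts (XSS)",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
VERSION_RE = re.compile(r"\d+\.\d+")  # e.g. "Apache/2.4.41" discloses a version

def audit_headers(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Return findings for one HTTP response given as (name, value) header pairs."""
    findings, names, cookies = [], {}, []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":          # may occur several times per response
            cookies.append(value)
        else:
            names[key] = value
    # 1. Version disclosure in banner-style headers
    for key in ("server", "x-powered-by"):
        if key in names and VERSION_RE.search(names[key]):
            findings.append(f"version disclosure: {key}: {names[key]}")
    # 2. Missing security headers (a CSP with frame-ancestors also covers framing)
    csp = names.get("content-security-policy", "").lower()
    for key, message in REQUIRED_HEADERS.items():
        if key == "x-frame-options" and "frame-ancestors" in csp:
            continue
        if key not in names:
            findings.append(message)
    # 3. Cookie flags: every Set-Cookie should carry Secure, HttpOnly and SameSite
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        cname = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {flag}")
    return findings

# Constructed sample response, modelled on the findings described in the text.
SAMPLE_RESPONSE = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "Express"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Running `audit_headers(SAMPLE_RESPONSE)` yields seven findings: the Apache version banner, the four missing headers, and the session cookie lacking Secure and SameSite; the theme cookie passes.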

This article presents some freely available tools that help check self-developed or purchased web applications for these vulnerabilities in an automated manner. They include the OWASP Juice Shop and ZAP, as well as dirbusting tools, among others.

In conclusion, by using these tools and addressing the identified risks, companies can enhance the security of their web applications and reduce the chances of being targeted by attackers. It is vital to stay updated and proactive in protecting web applications against evolving threats in the ever-expanding digital landscape.
