Welcome

Introduction
This covers the questions for TryHackMe's OWASP Top 10 Room. Only the tasks with challenges will be covered and I suggest you go through the room for a deeper understanding of the vulnerabilities covered here. You should also check out the OWASP Top Ten.
OWASP
The Open Web Application Security Project is a nonprofit foundation focused on understanding web technologies and their exploitation; it provides resources and tools designed to improve the security of software applications.
Template
This write-up was created using the template that I adapted from crahan's HolidayHackChallengeTemplate. While the original is holiday and CTF competition specific, the general idea and formatting are applicable to any number of reporting scenarios. I hope to make better use of it for ongoing reports of CTF challenges I compete in. It's based on MkDocs and the MkDocs Material theme.
Answers
Severity 1 -
Use command injection with knowledge of Linux tools to exploit the vulnerability.
Severity 2 -
Use broken authentication to explore logic flaws within the authentication mechanism.
Severity 3 -
Using sensitive data exposure, exploit the exposed technology to gain admin access.
Severity 4 -
Explore XXE vulnerability.
Severity 5 -
Learn how broken access control can be exploited.
Severity 6 -
View the Security Misconfiguration walkthrough here.
Severity 7 -
This XSS challenge showcases DOM-Based, Reflected and Stored XSS exploitation.
Severity 8 -
Follow along exploiting insecure deserialization here.
Severity 9 -
Follow in the steps of others when working with components with known vulnerabilities.
Severity 10 -
Explore logs to emphasize the risk of insufficient logging and monitoring here.
Conclusion
This was an informative, free room. It's surprising to me how many vulnerabilities are the result of human error and I am looking forward to refining detection and exploitation in the pursuit of further hardening systems.