Web Application Vulnerabilities
This lesson gives students a basic understanding of how web servers have evolved and introduces them to the various web application vulnerabilities resulting from this evolution. Throughout the lesson, students get hands-on experience attacking web applications using a known vulnerable website with vulnerable applications. These attacks include SQL Injection, Command Injection, and Cross-Site Scripting (XSS).
This lesson includes two hands-on exercises in the Virginia Cyber Range. Instructors who would like students to complete one or both of the exercises should have requested an account at firstname.lastname@example.org and had a course created for them. They should upload their student list to the course, prepare the exercises entitled ‘Cyber Basics – Web Application Security: SQL Injection Lab’ and ‘Cyber Basics – Web Application Security: Command Injection Lab’, and download the lab documents from the courseware repository.
- Describe how the evolution of web servers has led to various web application vulnerabilities
- Understand classes of vulnerabilities in web applications that could lead to compromise
- Apply attacks on web applications using a known vulnerable website with vulnerable applications
- K0069: Knowledge of query languages such as SQL (structured query language).
- K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K0111: Knowledge of common network tools (e.g., ping, traceroute, nslookup) and interpret the information results.
- K0119: Knowledge of hacking methodologies in Windows or Unix/Linux environment.
- K0129: Knowledge of Unix command line (e.g., mkdir, mv, ls, passwd, grep).
- K0236: Knowledge of how to utilize Hadoop, Java, Python, SQL, Hive, and PIG to explore data.
- K0307: Knowledge of common network tools (e.g., ping, traceroute, nslookup).
- K0342: Knowledge of penetration testing principles, tools, and techniques.
- S0051: Skill in the use of penetration testing tools and techniques.
- S0130: Skill in writing scripts using R, Python, PIG, HIVE, SQL, etc.
- A0055: Ability to operate common network tools (e.g., ping, traceroute, nslookup).
- Databases (DAT)
- Database Management Systems (DMS)
- Penetration Testing (PTT)
- Basic Scripting and Programming (BSP)