Web Application Vulnerabilities

This lesson provides the student with a basic understanding of how web servers have evolved and introduces them to the various web application vulnerabilities resulting from this evolution.  Throughout the lesson, students get some hands-on experience attacking web applications using a known vulnerable website with vulnerable applications.  These attacks include SQL Injection, Command Injection, and Cross Site Scripting (XSS).

This lesson includes two hands-on exercises in the Virginia Cyber Range. If instructors would like to have students complete one or both of the exercises, they should have requested an account at accounts@virginiacyberrange.org and had a course created for them. They should upload their student list to the course and prepare the exercise entitled ‘Cyber Basics – Web Application Security: SQL Injection Lab’ and ‘Cyber Basics – Web Application Security: Command Injection Lab’ and download the lab documents from the courseware repository.

Learning Objectives
  • Describe how web servers have evolved, which has led to various web application vulnerabilities
  • Understand classes of vulnerabilities in web applications that could lead to compromise
  • Apply attacks on web applications using a known vulnerable website with vulnerable applications
Files
Web Application Vulnerabilities Lesson Plan
2_WebAppVulnerabilities.pptx

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0069: Knowledge of query languages such as SQL (structured query language).
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0111: Knowledge of common network tools (e.g., ping, traceroute, nslookup) and interpret the information results.
  • K0119: Knowledge of hacking methodologies in Windows or Unix/Linux environment.
  • K0129: Knowledge of Unix command line (e.g., mkdir, mv, ls, passwd, grep).
  • K0236: Knowledge of how to utilize Hadoop, Java, Python, SQL, Hive, and PIG to explore data.
  • K0307: Knowledge of common network tools (e.g., ping, traceroute, nslookup).
  • K0342: Knowledge of penetration testing principles, tools, and techniques.
  • S0051: Skill in the use of penetration testing tools and techniques.
  • S0130: Skill in writing scripts using R, Python, PIG, HIVE, SQL, etc.
  • A0055: Ability to operate common network tools (e.g., ping, traceroute, nslookup).
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Databases
  • Database Management Systems
  • Penetration Testing
  • Programming

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf