OWASP Web Application Penetration Testing

Brief

I completed a structured two‑part OWASP pentest exercise using the official Mutillidae II, Juice Shop, and Security Shepherd labs. Part A assessed an intentionally insecure environment on Mutillidae II against the OWASP Top 10, while Part B targeted Juice Shop’s cloud‑native security features, exploiting its Two‑Factor Authentication via a SQL injection that accessed a TOTP secret.

Approach

Part A – Mutillidae II & Mutillidae II‑II

  • Conducted a comprehensive vulnerability scan with Burp Suite Community 2025.2.4, mapping out broken access control, cryptographic weaknesses, and injection points.
  • Leveraged the built‑in Mutillidae II user base to bypass authentication via SQLi, then moved laterally, capturing session cookies for account takeover.

Part B – Juice Shop & Security Shepherd

  • Utilised Burp Suite to locate a potential SQLi that might expose the TOTP key used for MFA. Following a successful exploit, I extracted the secret and seeded a 2FA bypass, achieving full control of a high‑privileged account.
  • Conducted stored and reflected XSS testing through the Juice Shop comment outlets, confirming path‑controlled cookie theft.
  • Employed CSS‑based NXDOMAIN image‑tag payloads within Security Shepherd to force a CSRF attack, confirming command‑execution via the built‑in “account deletion” endpoint.
  • Integrated OSSEC HIDS (v3.7.0) to monitor file‑system changes resulting from exploitation, establishing a forensic trail.

Results

My final scores were:

  • 45/50 on Mutillidae II – outstanding in access‑control and injection categories.
  • 44/50 on Juice Shop – secured the majority of the high‑impact vulnerabilities, including a bypass of 2FA and XSS session hijacking.

The dissertation additionally documents an OSSEC deployment for continuous monitoring, illustrating the usefulness of real‑time alerts for threat hunting.

Tools

  • Burp Suite Community 2025.2.4
  • Kali Linux – full steganalysis environment.
  • OSSEC v3.7.0 – host‑based intrusion detection.
  • Mutillidae II, Juice Shop, Security Shepherd – target frameworks.

Repo

https://github.com/CodeEvent/OWASP-Pentest-Suite