Blackbox Intelligence Group

Cybersecurity II · Module 7

Cybersecurity II, Unit 7: Web Application Security

OWASP Top 10 deep dive with Burp Suite Community and OWASP Juice Shop. Students recognize, demonstrate, and remediate the top web vulnerabilities under signed RoE.

Length
360 min
Level
advanced
Track
Cyber II
Cadence
Semester 2



What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide


Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter


Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export


Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 7: Web Application Security

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 6 × 60 minutes |
| Recommended placement | Weeks 10–11 |
| Prerequisite | Units 1–6; signed advanced RoE |
| Materials | Burp Suite Community, OWASP Juice Shop (lab instance), DVWA, Firefox + FoxyProxy |

Safety: All web testing targets the lab Juice Shop and DVWA instances only. Public web applications, and any host not named in the signed RoE, are off-limits; that includes pointing Intruder or the Burp scanner at them "just to see".

Standards & credential alignment

  • OWASP Top 10 (2021): full coverage.
  • OffSec PEN-100: web fundamentals.
  • EC-Council Ethical Hacking Essentials (EHE): web application hacking domain.

Learning objectives

By the end of this unit, students can:

  1. Configure Burp Suite as an HTTP proxy and read intercepted traffic.
  2. Recognize and demonstrate the OWASP Top 10 (2021) at PoC level.
  3. Use Burp Repeater + Intruder for authorized testing.
  4. Articulate secure-coding mitigations for each Top 10 category.
  5. Produce a 6–10 page web application assessment report.

OWASP Top 10 (2021)

  1. A01 Broken Access Control
  2. A02 Cryptographic Failures
  3. A03 Injection (SQLi, command, etc.)
  4. A04 Insecure Design
  5. A05 Security Misconfiguration
  6. A06 Vulnerable & Outdated Components
  7. A07 Identification & Authentication Failures
  8. A08 Software & Data Integrity Failures
  9. A09 Security Logging & Monitoring Failures
  10. A10 Server-Side Request Forgery (SSRF)

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Burp setup + HTTP fundamentals | Successful intercepted request |
| 2 | A01 Broken Access Control + A07 Auth | IDOR + auth bypass demo |
| 3 | A03 Injection: SQLi + command | SQLi PoC with screenshot |
| 4 | XSS (part of A03 Injection in the 2021 list) + CSRF (taught as a concept; no longer its own Top 10 category) | Reflected + stored XSS PoC |
| 5 | A05/A06/A09: misconfig + outdated + logging | Three findings |
| 6 | Report write-up | Web assessment report |

Day 1 - Burp setup

  1. Launch Burp Community. Confirm the proxy listener on 127.0.0.1:8080 (Proxy → Proxy settings; the Options tab in older versions) and leave Intercept off for now so browsing is not blocked.
  2. Point Firefox at 127.0.0.1:8080 with FoxyProxy (one profile for Burp, one for direct, so students can switch without editing settings).
  3. Install Burp's CA certificate so HTTPS works: with the proxy active, browse to http://burpsuite, download the CA certificate (cacert.der), then in Firefox Settings → Privacy & Security → View Certificates → Authorities → Import, and trust it to identify websites.
  4. Browse the lab Juice Shop (http://localhost:3000 by default). Watch the traffic in Proxy → HTTP history and note which requests go to the /rest/ and /api/ endpoints; those are the ones worth sending on.
  5. Right-click a request → Send to Repeater. Modify a header (User-Agent or Authorization are good first choices), re-send, and compare the two responses side by side.

Day 2 - Access control + auth

A01 IDOR:

  • In Juice Shop, log in as user A with Burp's HTTP history recording.
  • Find a request that fetches user A's data (e.g., the basket) and locate the object identifier, usually a numeric id in the path or in the JSON body.
  • Send it to Repeater and change the id to user B's basket id (or simply to the id plus or minus one).
  • Observe the response. If user B's items come back, that is the finding; a 403 or 404 is also worth recording as "checked, not vulnerable". Re-test from a fresh session before it goes in the report.
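The basket request above as two small handlers, the vulnerable one and the one with the ownership check, plus the id walk a student performs from Repeater or Intruder. This is an added example, not Juice Shop's own code (the lab is Node/Express; the fix is the same there); Python is used for all examples in this unit so they run offline with nothing but the standard library. User names, basket ids and contents are constructed for the demo.

```python
# Added teaching example, not Juice Shop's code. Users, basket ids and
# contents below are constructed.

BASKETS = {
    1: {"owner": "userA@lab.test", "items": ["Apple Juice"]},
    2: {"owner": "userB@lab.test", "items": ["Banana Juice", "Lemon Juice"]},
    3: {"owner": "userB@lab.test", "items": []},
}


class NotFound(Exception):
    """The handler would answer HTTP 404."""


def get_basket_vulnerable(session_user: str, basket_id: int) -> list:
    """A01 as it usually happens: the id comes from the URL and the session
    user is never compared with the owner of the object it names."""
    basket = BASKETS.get(basket_id)
    if basket is None:
        raise NotFound(basket_id)
    return basket["items"]


def get_basket_fixed(session_user: str, basket_id: int) -> list:
    """Server-side authorization on every object access. 'Missing' and 'not
    yours' produce the same 404 so the endpoint cannot be used to learn
    which ids exist."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket["owner"] != session_user:
        raise NotFound(basket_id)
    return basket["items"]


def enumerate_ids(handler, session_user: str, ids) -> dict:
    """What Intruder does on Day 2: stay logged in as one user, walk the id
    space, record the result per id (the items, or the 404 the handler
    maps to)."""
    results = {}
    for basket_id in ids:
        try:
            results[basket_id] = handler(session_user, basket_id)
        except NotFound:
            results[basket_id] = 404
    return results


def cross_account_reads(session_user: str, ids) -> list:
    """Ids the vulnerable handler serves but the fixed one refuses for this
    session: each one is an A01 finding for the report."""
    before = enumerate_ids(get_basket_vulnerable, session_user, ids)
    after = enumerate_ids(get_basket_fixed, session_user, ids)
    return [i for i in ids if before[i] != 404 and after[i] == 404]


if __name__ == "__main__":
    me = "userA@lab.test"
    print("vulnerable:", enumerate_ids(get_basket_vulnerable, me, range(1, 5)))
    print("fixed:     ", enumerate_ids(get_basket_fixed, me, range(1, 5)))
    print("findings:  ", cross_account_reads(me, range(1, 5)))
```

In a real handler the cleanest version of the fix is to scope the lookup itself to the session (fetch by owner and id together, e.g. WHERE id = ? AND owner = ?) so there is no code path that can forget the check.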

A07 Authentication bypass:

  • On the login form, submit ' OR 1=1 -- style input in the email/username field with any password (legacy lab only).
  • Observe which account the session lands in and why: the injected condition makes the WHERE clause true for every row, and the application typically takes the first row returned. Document.

Day 3 - Injection

SQL Injection (Juice Shop search):

qwert')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', '9' FROM Users--

Send it to the /rest/products/search?q= endpoint from Repeater (URL-encode the payload first; Ctrl+U in Burp) or type it into the search box. The two closing parentheses match the ones the backend wraps around its LIKE conditions, the nine select items match the nine columns of the Products table, and the trailing comment discards the rest of the original query; with a lone quote and no parentheses the statement is a syntax error and nothing comes back. Capture the response: user e-mails and password hashes appear where product names and descriptions should be. Document. Stop at PoC; do not crack or reuse the hashes.
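The query shapes behind the Day 2 auth bypass and the Day 3 search payload, as an added example that is not Juice Shop's code. It uses Python's standard-library SQLite driver so it runs offline and the same payloads can be tried against the concatenated and the parameterized versions of each query. The schema, products and accounts are constructed; the MD5 password hashing mirrors what the lab stores and is not a recommendation.

```python
import hashlib
import sqlite3

# Added teaching example, not Juice Shop's code. Schema, rows and accounts
# are constructed: a nine-column Products table and a Users table, shaped
# like the lab's closely enough that the Day 3 payload works unchanged.


def md5hex(s: str) -> str:
    """The lab stores unsalted MD5 password hashes; mirrored here only so
    the leaked column looks like it does in the lab. Never do this for real."""
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Products (
            id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL,
            deluxePrice REAL, image TEXT, createdAt TEXT, updatedAt TEXT,
            deletedAt TEXT);
        CREATE TABLE Users (
            id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT);
        INSERT INTO Products VALUES
            (1, 'Apple Juice', 'Fresh pressed', 1.99, 0.99, 'apple.jpg', '', '', NULL),
            (2, 'Banana Juice', 'Monkeys love it', 1.99, 0.99, 'banana.jpg', '', '', NULL);
    """)
    for uid, email, pw, role in [(1, "admin@lab.test", "admin123", "admin"),
                                 (2, "jim@lab.test", "ncc-1701", "customer")]:
        db.execute("INSERT INTO Users VALUES (?, ?, ?, ?)", (uid, email, md5hex(pw), role))
    return db


# --- Vulnerable: input concatenated into SQL, same shape as the lab's queries ---

def search_vulnerable(db, q: str) -> list:
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' OR description LIKE '%"
           + q + "%') AND deletedAt IS NULL) ORDER BY name")
    return db.execute(sql).fetchall()


def login_vulnerable(db, email: str, password: str):
    # The password is hashed before the string is built, so the e-mail field
    # is the injectable one.
    sql = (f"SELECT id, email, role FROM Users WHERE email = '{email}' "
           f"AND password = '{md5hex(password)}'")
    return db.execute(sql).fetchone()


# --- Fixed: parameterized queries; input never reaches the SQL parser ---

def search_safe(db, q: str) -> list:
    pattern = f"%{q}%"   # LIKE wildcards in q still widen the match; that is a
                         # separate, non-injection concern to escape if it matters
    return db.execute(
        "SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
        "AND deletedAt IS NULL) ORDER BY name", (pattern, pattern)).fetchall()


def login_safe(db, email: str, password: str):
    return db.execute("SELECT id, email, role FROM Users WHERE email = ? AND password = ?",
                      (email, md5hex(password))).fetchone()


# The Day 3 payload: '))' closes the two open parentheses, nine select items
# match the nine Products columns, '--' comments out the rest of the query.
UNION_PAYLOAD = ("qwert')) UNION SELECT id, email, password, "
                 "'4', '5', '6', '7', '8', '9' FROM Users--")
# Same payload with a lone quote: the parentheses stay open and the database
# rejects the statement, which is why the '))' matters.
BROKEN_PAYLOAD = UNION_PAYLOAD.replace("qwert'))", "qwert'")
AUTH_BYPASS = "' OR 1=1--"   # Day 2: makes the WHERE clause true for every row


def payload_runs(db, q: str) -> bool:
    """True if the vulnerable search executes q without a syntax error."""
    try:
        search_vulnerable(db, q)
        return True
    except sqlite3.OperationalError:
        return False


def run_demo() -> dict:
    db = make_db()
    leaked = search_vulnerable(db, UNION_PAYLOAD)
    return {
        "union_payload_runs": payload_runs(db, UNION_PAYLOAD),
        "broken_payload_runs": payload_runs(db, BROKEN_PAYLOAD),
        # (email, hash) pairs arrive in the name/description columns of "products"
        "leaked_accounts": sorted((row[1], row[2]) for row in leaked),
        "safe_search_rows": len(search_safe(db, UNION_PAYLOAD)),
        "vulnerable_login_as": login_vulnerable(db, AUTH_BYPASS, "anything"),
        "safe_login_as": login_safe(db, AUTH_BYPASS, "anything"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the four outcomes the students should be able to explain: the page's payload runs and returns both accounts through the search, the lone-quote variant fails to parse, the parameterized search treats the whole payload as a literal LIKE pattern and returns nothing, and the bypass string logs the vulnerable login in as the first user while the safe login returns no row.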

Command Injection (DVWA low/medium):

  • Low: the classic 127.0.0.1; whoami in the ping form.
  • Medium: the filter strips ";" and "&&", so chain with a pipe instead: 127.0.0.1 | whoami.
  • Document the command output that appears beneath the ping output, and which separators worked at which level.

Day 4 - XSS + CSRF

Reflected XSS (Juice Shop search; the lab renders the search term in the browser, so strictly this is DOM-based XSS, but the PoC and the fix look the same):

<iframe src="javascript:alert('xss')">

Stored XSS (Juice Shop feedback or comments):

  • Inject a payload that fires for any subsequent visitor (use a benign alert: no cookie exfiltration, no beacons to hosts outside the lab).
  • Document scope: who would see this (other customers, an admin reviewing feedback)? What's the impact in a real app?
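The "context-aware output encoding" fix for both XSS cases above, as an added example that is not Juice Shop's code: a minimal server-side search template rendered once with raw interpolation and once with an encoder chosen per output context (text node, quoted attribute, URL attribute). Python, as for the other examples in this unit; the payload is the one from this page, and the CSP value is a constructed example policy. The same rule applies to client-side rendering in the lab's Angular front end: write untrusted text with textContent, not innerHTML.

```python
import html

# Added teaching example, not Juice Shop's code. The CSP string is a
# constructed example policy.

REFLECTED_PAYLOAD = "<iframe src=\"javascript:alert('xss')\">"


def render_vulnerable(q: str) -> str:
    """The same mistake in two contexts: the text node and the link's href."""
    return (f"<h2>Results for: {q}</h2>\n"
            f'<a href="{q}">search again</a>')


def encode_text(value: str) -> str:
    """HTML body context: & < > " ' become entities, so the browser shows
    the characters instead of parsing them as markup."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """Quoted attribute context: same entity set, and the template must put
    quotes around the value or the encoding alone does not help."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """URL attribute context (href/src): encoding is not enough, because a
    javascript: URL contains nothing that needs escaping. Allow only http(s)
    and same-site relative paths, after dropping the control characters
    browsers ignore inside a scheme, then entity-encode the survivor."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    allowed = (cleaned.lower().startswith(("http://", "https://"))
               or (cleaned.startswith("/") and not cleaned.startswith("//")))
    return encode_attr(cleaned) if allowed else "#"


def render_fixed(q: str) -> str:
    return (f"<h2>Results for: {encode_text(q)}</h2>\n"
            f'<a href="{safe_url(q)}">search again</a>')


# Second layer, sent as the Content-Security-Policy header: if an encoder is
# ever missed, inline script and framed content are still refused.
CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
       "frame-src 'none'; base-uri 'self'")


def contains_active_markup(doc: str) -> bool:
    """Crude check to run over a rendered page: did a raw tag or a
    javascript: URL survive into the output?"""
    lowered = doc.lower()
    return ("<iframe" in lowered or "<script" in lowered
            or 'href="javascript:' in lowered or 'src="javascript:' in lowered)


if __name__ == "__main__":
    print(render_vulnerable(REFLECTED_PAYLOAD))
    print(render_fixed(REFLECTED_PAYLOAD))
```

The point to draw out in class is the third context: html.escape alone would pass javascript:alert(1) straight through into an href, so URL attributes need an allow-list on the scheme, not just encoding.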

CSRF concept:

  • Show a sample HTML form on a third-party page that auto-submits a POST to a state-changing endpoint (e.g., change e-mail) and rides on the victim's ambient session cookie.
  • Discuss the defenses and what each one stops: SameSite cookies, synchronizer CSRF tokens, double-submit cookies.
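The exchange described above, played through in code as an added example (not the lab's code): a session-bound CSRF token issued and verified with an HMAC, a cookie model that applies the SameSite rule to a cross-site POST, and a simulated change-e-mail endpoint. The secret, session ids and request dicts are constructed so the scenarios run offline; Python, as for the other examples in this unit.

```python
import hashlib
import hmac
import secrets

# Added teaching example, not the lab's code. SERVER_SECRET, the session ids
# and the request shapes are constructed.
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, never sent to clients


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).
    The page embeds it in every state-changing form; a third-party site can
    neither read it (same-origin policy) nor compute it (no secret)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), str(token))


def session_cookie(session_id: str, samesite: str = "Lax") -> str:
    """Set-Cookie value. SameSite=Lax withholds the cookie from cross-site
    POSTs such as an auto-submitting form, but still sends it on top-level
    GET navigations, so state changes must never be reachable by GET."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite={samesite}"


def cookies_sent(jar: dict, cross_site: bool) -> dict:
    """Models the browser rule for a cross-site top-level POST: cookies
    marked Lax or Strict stay home; SameSite=None cookies are attached."""
    return {name: c["value"] for name, c in jar.items()
            if not (cross_site and c["samesite"] in ("Lax", "Strict"))}


def change_email(cookies: dict, form: dict, require_token: bool = True) -> int:
    """Simulated POST /account/email. Returns the HTTP status it would send.
    require_token=False stands for the legacy endpoint with no token check."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401
    if require_token and not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403
    return 200


def scenario(victim_jar: dict, form: dict, cross_site: bool, require_token: bool = True) -> int:
    return change_email(cookies_sent(victim_jar, cross_site), form, require_token)


VICTIM = "sess-victim-0001"
ATTACKER = "sess-attacker-9"
LAX_JAR = {"session": {"value": VICTIM, "samesite": "Lax"}}
NONE_JAR = {"session": {"value": VICTIM, "samesite": "None"}}


def run_demo() -> dict:
    legit = {"email": "me@lab.test", "csrf_token": issue_csrf_token(VICTIM)}
    forged = {"email": "attacker@lab.test"}     # the third-party form carries no token
    replay = {"email": "attacker@lab.test", "csrf_token": issue_csrf_token(ATTACKER)}
    return {
        "legit_same_site": scenario(LAX_JAR, legit, cross_site=False),
        "forged_no_token_samesite_none": scenario(NONE_JAR, forged, cross_site=True),
        "forged_legacy_endpoint_lax": scenario(LAX_JAR, forged, cross_site=True, require_token=False),
        "forged_legacy_endpoint_none": scenario(NONE_JAR, forged, cross_site=True, require_token=False),
        "attacker_token_replayed": scenario(NONE_JAR, replay, cross_site=True),
    }


if __name__ == "__main__":
    print(session_cookie(VICTIM))
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

The one scenario that returns 200 for the forged request is the legacy endpoint with a SameSite=None cookie and no token check: that is the vulnerable configuration, and either defense on its own is enough to close it. The token also has to be bound to the session, which is why replaying a token the attacker obtained for their own account fails.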

Day 5 - Misconfig / outdated / logging

  • A05 Misconfiguration: directory listing, default creds, verbose errors. Find one in DVWA (its default admin credentials and the exposed setup page are the obvious starting points).
  • A06 Vulnerable components: check the package.json of a sample app and run npm audit (it needs a package-lock.json; run npm install first if there is none). Discuss SCA (Software Composition Analysis) and why the lockfile, not package.json, is what gets scanned: it records the versions actually installed.
  • A09 Logging failures: simulate. Show what you'd want logged for the SQLi from Day 3 (who, which endpoint, the decoded parameter, what the application decided) against what a default access log actually records: a URL-encoded GET line, and nothing at all of a POST body. The gap is the finding.
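The A09 simulation in code, as an added example that is not the lab's: three constructed access-log lines in Combined Log Format (a normal search, the Day 3 payload, and the Day 2 login POST), a detector that URL-decodes each query parameter and flags SQL injection indicators, a function that lists the requests whose inputs the log cannot show, and the structured event an AppSec team would want instead. Python, as for the other examples in this unit; the indicator patterns are deliberately simple and will false-positive on legitimate text that happens to match.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added teaching example, not the lab's code. The three log lines are
# constructed in Combined Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:14:02 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:14:40 +0000] "GET /rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:15:11 +0000] "POST /rest/user/login HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
                      r'(?P<status>\d{3}) (?P<size>\S+)')

# Indicators, not proof: a product literally named "Select--" would trip the last one.
SQLI_INDICATORS = {
    "union select": re.compile(r"union\s+select", re.I),
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "comment terminator": re.compile(r"(--|/\*)\s*$"),
}


def parse_line(line: str):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def detect_sqli(log: str) -> list:
    """Walk the log, URL-decode every query parameter, and report the ones
    matching an indicator, together with the decoded value an analyst needs."""
    hits = []
    for number, line in enumerate(log.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                matched = [label for label, rx in SQLI_INDICATORS.items() if rx.search(value)]
                if matched:
                    hits.append({"line": number, "client": rec["client"], "status": rec["status"],
                                 "path": parts.path, "param": name, "decoded": value,
                                 "indicators": matched})
    return hits


def blind_spots(log: str) -> list:
    """Requests the access log cannot show inputs for: a POST carries its
    parameters in the body, which this format never records. The Day 2
    auth bypass lives in exactly that body."""
    return [rec["target"] for rec in map(parse_line, log.splitlines())
            if rec and rec["method"] == "POST"]


def security_event(hit: dict, user: str, decision: str) -> dict:
    """The record an AppSec team wants instead: actor, target, decoded input,
    verdict and what the application did, as one structured event."""
    return {"event": "input.sqli_indicator", "client": hit["client"], "user": user,
            "route": hit["path"], "param": hit["param"], "value": hit["decoded"],
            "indicators": hit["indicators"], "app_decision": decision}


if __name__ == "__main__":
    for h in detect_sqli(SAMPLE_LOG):
        print(security_event(h, user="anonymous", decision="query executed; rows returned"))
    print("no inputs visible for:", blind_spots(SAMPLE_LOG))
```

Two things to point at when running it: the detector can only see the Day 3 attack because it travelled in a GET query string, and the login line tells you nothing except that someone logged in, so the application itself has to emit the event (with the authenticated user and its own decision) rather than leaving it to the web server.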

Day 6 - Report

Template:

# Web Application Security Assessment - OWASP Juice Shop (lab)
## Executive Summary
## Scope + Authorization
## Methodology + Tools
## Findings (6+ findings, sorted by severity)
  Each: Title / OWASP category / CVSS / Description / Evidence / PoC steps / Impact / Remediation / References
## Defensive Recommendations (executive view)
## Appendix

Secure-coding mitigations cheat sheet

| Vulnerability | Primary fix |
| --- | --- |
| SQLi | Parameterized queries / prepared statements |
| XSS | Context-aware output encoding + CSP |
| CSRF | CSRF tokens + SameSite cookies |
| IDOR | Server-side authorization on every object access |
| Broken auth | Password policy + MFA + session management + lockout |
| Misconfig | Hardened baselines, no defaults, automated config audits |
| Outdated components | SCA in CI/CD, patch policy |
| Logging | Centralized logs, minimum required event set, alerting |
| SSRF | Allow-list outbound, deny metadata IPs, URL validation |

Common misconceptions

  • "I tested it once and it worked → vulnerable." - Re-test with fresh browser session, no cache, different account. Document reliability.
  • "XSS is harmless because it's just an alert." - alert() is the PoC. Real impact is session theft, account takeover, defacement.
  • "WAF makes it safe." - WAFs reduce noise; they do not replace fixing the vuln.

Assessment

  • Daily PoC screenshots.
  • Day 6 report - heavy weight.

Career connection

Application security engineers: $100K–$160K. Senior AppSec / staff: $180K–$300K. The field is starved for people who can read code and exploit it ethically.

Homework

Read OWASP ASVS Level 1 introduction. Pick one verification requirement and propose how you'd test for it.

Ready to use this in class?

Unlock the full Cybersecurity II edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.