3MTT Weekly Applied Learning Assignment
Submitted by: Josephine Wiki Gye
Fellow ID: FE/23/91796036
Assignment for the week:
Scenario
You’ve been hired as a cybersecurity consultant to assess and secure the OWASP Juice
Shop, an e-commerce application known for its vulnerabilities. The company requires you to
identify major security risks, assess the current network design, and provide a plan for
hardening the application’s security posture.
Demo Link to Juice Shop: OWASP Juice Shop
OWASP Juice Shop is designed for training in vulnerability assessment and secure practices.
As part of this project, treat it as a live assessment to uncover and mitigate areas where
sensitive data, transactions, or user information might be at risk.
Project Parts
Part 1: Vulnerability Identification and Assessment
1. Task: Conduct a vulnerability assessment on OWASP Juice Shop. Use tools discussed in
the course (e.g., OWASP ZAP, Burp Suite) to scan for vulnerabilities such as SQL injection,
cross-site scripting (XSS), and authentication weaknesses.
2. Deliverables:
○ A vulnerability report listing each identified issue, including type, impact, and
affected areas.
○ Screenshots or brief notes explaining how each vulnerability was identified.
3. Skills Applied:
○ Threat identification and vulnerability scanning.
○ Assessment of risks based on potential impact.
Part 2: Secure Network Design
1. Task: Based on the vulnerabilities identified in Part 1, design a secure network
architecture. Consider best practices such as segmentation, firewall implementation, and
intrusion prevention to mitigate the identified risks.
2. Deliverables:
○ A network design proposal document or diagram with detailed explanations for
each security control included.
○ Brief descriptions of each network component and how it strengthens security.
3. Skills Applied:
○ Network security fundamentals and secure design principles.
○ Application of risk mitigation strategies.
Part 1: Vulnerability Identification and Assessment
1. Vulnerability Report
A. SQL Injection
- Type: SQL Injection
- Impact: Data Breach, unauthorized access to sensitive information (e.g., user credentials,
orders).
- Affected Area: Login Page, Search Bar
- Finding: SQL injection is possible in the login page where user input is not properly
sanitized. When testing with inputs like `' OR 1=1 --`, the application allows access to the
admin panel without authentication.
B. Cross-Site Scripting (XSS)
- Type: Reflected XSS
- Impact: Session Hijacking, defacement of the site, theft of sensitive user data (cookies).
- Affected Area: Search Bar, Contact Form
- Finding: XSS is present in the search bar and contact form, where user input is reflected
back without escaping special characters. An attacker can inject malicious scripts that will be
executed on other users’ browsers.
- Screenshot/Notes: I'll include a screenshot showing a successful XSS payload in the search
functionality, leading to script execution.
C. Insecure Authentication and Session Management
- Type: Session Fixation, Weak Password Policy
- Impact: Session hijacking, unauthorized access
- Affected Area: Login and Account Settings
- Finding: The application does not implement secure session management. Session IDs are
not regenerated after login, making them vulnerable to session fixation. Additionally, there is
no minimum password complexity, allowing users to set weak passwords.
D. Sensitive Data Exposure
- Type: Sensitive Data Exposure
- Impact: Data theft or alteration, privacy violations
- Affected Area: User Profile, Payment Information
- Finding: The application transmits sensitive data like passwords and payment info over
HTTP, which can be intercepted by attackers.
Part 2: Secure Network Design
1. Secure Network Architecture
To mitigate the vulnerabilities identified, here’s a proposed secure network architecture.
A. Network Segmentation
- Frontend: Accessible by users, hosted on a separate public-facing network segment.
- Backend Application Servers: Hosted in a protected internal network segment with
restricted access from the frontend.
- Database: Isolated on its own network segment, with access allowed only from the backend
application servers.
- Admin Interface: Segregated into an internal segment with additional access controls,
limited to authorized personnel.
B. Firewalls
- Frontend Firewall: Filters incoming web traffic to ensure only HTTP/HTTPS is allowed and
blocks unauthorized ports.
- Internal Firewalls: Between each segment to ensure that sensitive data (e.g., database) is
only accessible by authorized servers and users.
- Outbound Firewalls: Ensure that only necessary external communications (e.g., API calls)
are allowed.
C. Web Application Firewall (WAF)
- Placement: Positioned between the public-facing frontend and the application server.
- Function: Filters out malicious traffic such as SQL injection or XSS payloads. It can also
detect and block other OWASP Top 10 vulnerabilities.
D. Intrusion Detection and Prevention System (IDPS)
- Deployment: Across all network segments to monitor traffic for unusual behavior or known
attack patterns.
- Action: On detection of suspicious activity, the IDPS will either alert administrators or
automatically block malicious traffic.
E. Access Control
- Role-Based Access Control (RBAC): Ensures that only authorized users have access to
certain areas of the application, such as the admin panel or user profile settings.
- Multi-Factor Authentication (MFA): Enforced for administrators and high-privilege users to
prevent unauthorized access.
2. Network Design Diagram
- I’ll create a network diagram showing the architecture outlined above, with clearly defined
segments:
- Public-facing Segment (Frontend + WAF)
- Application Segment (Backend Servers + Firewalls)
- Database Segment (Database + Firewall)
- Admin Segment (Admin Interface + Secure Access)
3. Detailed Explanations
Each component of the network will be explained in terms of its role in mitigating specific
risks identified during the vulnerability assessment.
- Firewalls: Protect each segment by only allowing necessary communication.
- WAF: Specifically mitigates SQL Injection and XSS vulnerabilities.
- IDPS: Detects and prevents known attack signatures or anomalous behavior.
- Access Control and MFA: Enforce proper access permissions, especially for sensitive areas.
Final Deliverables
1. Vulnerability Assessment Report:
- Full list of identified vulnerabilities with type, impact, and affected areas.
- Screenshots and notes on how each vulnerability was found.
2. Secure Network Design Proposal:
- Network segmentation diagram with clear explanations for each component.
- Detailed description of how each security control (firewalls, WAF, IDPS, etc.) addresses
the vulnerabilities.
Part 1: Vulnerability Identification and Assessment
1. Vulnerability Report
A. SQL Injection
Type: SQL Injection
Impact: Potential data breach, unauthorized access to sensitive user data, such as user
credentials, order history, etc.
Affected Area: Login Page, Search Bar
Finding: A successful SQL injection was detected in the login page, where the
application failed to sanitize user inputs. Input like ' OR 1=1 -- bypasses
authentication and grants unauthorized access to the admin panel.
Screenshot/Notes: A screenshot from Burp Suite showing the SQL injection in
action, where the login form allows unauthorized access when manipulated.
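The following is an added illustration, written in standalone Python rather than taken from the report or from the Juice Shop code base, of why the `' OR 1=1 --` input in the finding above bypasses a login that builds its query from strings, and why binding the input as parameters closes the issue. The table, accounts and stored values are constructed for the example; the stored value stands in for a password hash.

```python
# Added example (standalone Python, not OWASP Juice Shop code): a login lookup
# against an in-memory SQLite table, showing why the ' OR 1=1 -- input from
# the finding bypasses a string-built query and why a parameterised query
# is not affected.
import sqlite3

# Constructed sample rows; the stored value stands in for a password hash.
SAMPLE_USERS = [
    (1, "admin@example.test", "admin-hash", "admin"),
    (2, "alice@example.test", "alice-hash", "customer"),
]


def make_db():
    """Create the constructed Users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, email, password):
    """Builds the SQL by concatenation: user input becomes query text, so a
    quote in the email field rewrites the WHERE clause."""
    sql = (
        "SELECT id, email, role FROM Users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, email, password):
    """Binds user input as parameters: the values travel separately from the
    query text and cannot change its structure."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


def demo():
    """Run both lookups with the payload from the finding and a real login."""
    conn = make_db()
    payload = "' OR 1=1 --"
    # The concatenated query becomes
    #   ... WHERE email = '' OR 1=1 --' AND password = 'x'
    # 1=1 is always true and the rest is commented out, so the first row
    # (the admin account) is returned without any credential check.
    bypass = vulnerable_login(conn, payload, "x")
    blocked = safe_login(conn, payload, "x")       # no such email: None
    legit = safe_login(conn, "alice@example.test", "alice-hash")
    return bypass, blocked, legit


if __name__ == "__main__":
    print(demo())
```

The parameterised form is the remediation to record against this finding; the WAF proposed in Part 2 is a compensating control in front of it, not a replacement for it.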
B. Cross-Site Scripting (XSS)
Type: Reflected XSS
Impact: Potential session hijacking, malicious script execution on users’ browsers,
theft of sensitive user data (like cookies or session tokens).
Affected Area: Search Bar, Contact Form
Finding: XSS vulnerabilities were found where user inputs are reflected in the search
bar and contact form. Special characters (like <script>) are not properly escaped,
allowing attackers to inject malicious JavaScript into these fields.
Screenshot/Notes: Screenshot demonstrating a successful XSS attack on the search
bar where a script payload was executed on the user’s browser.
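As an added example that is not part of the report, the snippet below models the search-bar reflection described in the finding: one renderer inserts the search term into the page verbatim, the other escapes it for the HTML text and attribute contexts it lands in. It is standalone Python using the standard library, not Juice Shop code; the page fragments are constructed.

```python
# Added example (standalone Python, not Juice Shop code): reflecting a search
# term into HTML verbatim versus escaping it for its output context.
import html


def render_results_unsafe(term):
    """Mirrors the finding: the term is inserted as-is, so any markup in it
    is parsed by the browser as part of the page."""
    return "<h2>Results for " + term + "</h2>"


def render_results_safe(term):
    """Text context: <, >, & and quotes are replaced by entities, so the term
    is displayed as text and never interpreted as markup."""
    return "<h2>Results for " + html.escape(term, quote=True) + "</h2>"


def render_search_box_safe(term):
    """Attribute context: the value sits inside double quotes, so quotes must
    be escaped as well (quote=True) or the term could end the attribute."""
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


def contains_script_tag(markup):
    """Simple check used here to show whether a raw <script> tag survived."""
    return "<script" in markup.lower()


def demo():
    """Render the same payload both ways and report what survived."""
    payload = "<script>alert(1)</script>"   # the kind of input in the finding
    unsafe = render_results_unsafe(payload)
    safe = render_results_safe(payload)
    box = render_search_box_safe(payload)
    return {
        "unsafe": unsafe,
        "safe": safe,
        "box": box,
        "unsafe_executes": contains_script_tag(unsafe),
        "safe_executes": contains_script_tag(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Escaping at output time, chosen per context, is the fix to record for the search bar and contact form; a Content-Security-Policy header adds defence in depth but does not remove the need for it.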
C. Insecure Authentication and Session Management
Type: Session Fixation, Weak Password Policy
Impact: Session hijacking, unauthorized access to user accounts, and potential
privilege escalation.
Affected Area: Login and Account Settings
Finding: The application does not regenerate session IDs after user login, leaving
sessions vulnerable to fixation. Additionally, there is no enforced password
complexity, allowing users to choose easily guessable passwords (e.g., "12345").
Screenshot/Notes: Screenshot showing the login flow without session regeneration
and weak password policy on the registration page.
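To show the two remediations this finding calls for, here is an added standalone Python illustration (not Juice Shop code): a toy server-side session store that keeps the pre-login identifier (the fixation-prone behaviour described above) beside one that issues a fresh identifier at login, and a password policy check that rejects inputs such as "12345". The minimum length of 12 and the character-class rules are assumed values; the report states no specific policy.

```python
# Added example (standalone Python, not Juice Shop code): session id
# regeneration at login versus keeping the pre-login id, plus a password
# policy check. Policy thresholds are assumed values.
import re
import secrets

MIN_PASSWORD_LENGTH = 12   # assumed policy value; the report sets no number


class SessionStore:
    def __init__(self):
        self._sessions = {}   # session id -> session data

    def new_session(self):
        """Anonymous session created when a visitor first arrives."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_fixation_prone(self, sid, user):
        """Mirrors the finding: the pre-login id is kept after authentication,
        so whoever knew that id beforehand now shares the logged-in session."""
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerating(self, sid, user):
        """Hardened: discard the pre-login session and issue a new id, so a
        previously known identifier is worthless after authentication."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def password_policy_errors(password):
    """Return the list of policy violations; an empty list means acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"\d", password):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no symbol")
    return errors


def demo():
    """Compare both login paths and check a weak and a strong password."""
    weak_store = SessionStore()
    pre_login = weak_store.new_session()
    after_weak = weak_store.login_fixation_prone(pre_login, "alice")

    strong_store = SessionStore()
    pre_login2 = strong_store.new_session()
    after_strong = strong_store.login_regenerating(pre_login2, "alice")

    return {
        "same_id_after_login": after_weak == pre_login,
        "new_id_after_login": after_strong != pre_login2,
        "old_id_still_valid": strong_store.get(pre_login2) is not None,
        "new_session_user": strong_store.get(after_strong)["user"],
        "weak_password_errors": password_policy_errors("12345"),
        "strong_password_errors": password_policy_errors("Correct-Horse-7-Battery"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```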
D. Sensitive Data Exposure
Type: Sensitive Data Exposure
Impact: Data theft or alteration, compromising user privacy and confidentiality.
Affected Area: User Profile, Payment Information
Finding: Sensitive information, such as passwords and payment details, is transmitted
over HTTP instead of HTTPS. This makes it vulnerable to interception by attackers
on the same network.
Screenshot/Notes: A screenshot showing user login details being sent over HTTP
(not encrypted) during the registration or login process.
Part 2: Secure Network Design
1. Secure Network Architecture
A. Network Segmentation
Frontend: This segment will be exposed to the public, hosting the web application
itself, where users interact with the UI (e.g., login page, product pages).
Backend Application Servers: Located behind a firewall, these servers host the
business logic and process requests from the frontend.
Database: Isolated from the frontend and backend segments, accessible only to the
backend servers. This is the core data store, containing sensitive information like user
credentials, product inventory, and order history.
Admin Interface: This will be placed in an internal network segment, only accessible
by administrative users through secure, VPN-based connections.
B. Firewalls
Frontend Firewall: Restricts access to only HTTP and HTTPS traffic. This ensures
no unauthorized traffic is allowed to reach the application.
Internal Firewalls: Positioned between each network segment (frontend, backend,
database) to limit access to sensitive components. For example, only the backend can
query the database.
Outbound Firewalls: To control outgoing traffic and prevent the exfiltration of
sensitive data.
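The segmentation and internal-firewall rules described in A and B can be written down as a default-deny flow policy and checked before deployment. The following added example (standalone Python, not part of the report) does that for the four segments proposed above. Address ranges, ports and the exact rule set are constructed placeholders; the only relationships encoded are the ones the report states: users reach the frontend, the frontend reaches the backend, only the backend reaches the database, and the admin tier is reached from the admin segment. The frontend rule admits port 443 only, in line with the Part 1 finding on data sent over HTTP.

```python
# Added example (standalone Python, not part of the report): a default-deny
# flow policy for the proposed segments, with a lint over the rule table.
# Ranges and ports are constructed placeholders, not a real deployment.
import ipaddress

SEGMENTS = {
    "public": ipaddress.ip_network("10.10.0.0/24"),   # frontend web servers
    "app": ipaddress.ip_network("10.20.0.0/24"),      # backend application servers
    "db": ipaddress.ip_network("10.30.0.0/24"),       # database servers
    "admin": ipaddress.ip_network("10.40.0.0/24"),    # admin interface / jump hosts
}

# Allow rules as (source segment, destination segment, destination port).
# Any flow not matched here is denied. "internet" means an address outside
# every known segment.
ALLOW_RULES = [
    ("internet", "public", 443),   # users reach the frontend over HTTPS only
    ("public", "app", 8080),       # frontend talks to the application tier
    ("app", "db", 5432),           # only the backend may query the database
    ("admin", "app", 22),          # administrators manage the app tier
]


def segment_of(ip):
    """Classify an address into a segment name, or 'internet' if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, dst_port):
    """Default deny: a flow passes only if an explicit rule matches."""
    return (segment_of(src_ip), segment_of(dst_ip), dst_port) in ALLOW_RULES


def evaluate(flows):
    """Return (flow, verdict) pairs so a rule review can be done in bulk."""
    return [(f, "ALLOW" if is_allowed(*f) else "DENY") for f in flows]


def rules_exposing(segment):
    """Lint: any rule that lets 'internet' or 'public' reach the given
    segment directly breaks the intended tiering."""
    return [r for r in ALLOW_RULES
            if r[0] in ("internet", "public") and r[1] == segment]


if __name__ == "__main__":
    # Constructed flows: a user, a frontend-to-database attempt, the backend.
    sample = [
        ("203.0.113.5", "10.10.0.10", 443),
        ("10.10.0.10", "10.30.0.5", 5432),
        ("10.20.0.7", "10.30.0.5", 5432),
    ]
    for flow, verdict in evaluate(sample):
        print(verdict, flow)
    print("rules exposing db:", rules_exposing("db"))
```

Running the lint against the rule table is the check to repeat whenever a rule is added: if `rules_exposing("db")` ever returns a rule, the database segment is no longer isolated as section A requires.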
C. Web Application Firewall (WAF)
Deployment: Placed between the internet-facing frontend and the backend servers.
Function: The WAF will filter and monitor HTTP requests, blocking malicious
payloads such as SQL injection and XSS before they reach the application servers.
D. Intrusion Detection and Prevention System (IDPS)
Deployment: An IDPS will be deployed across all network segments (frontend,
backend, database, and admin) to monitor and analyze traffic for signs of malicious
activity.
Action: If suspicious behavior (e.g., abnormal traffic patterns) is detected, the IDPS
will either alert the network administrator or take automatic action, such as blocking
the source IP or denying access.
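The filtering described for the WAF (C) and the alert-or-block behaviour described for the IDPS (D) both rest on inspecting decoded requests against signatures and acting on repeated hits. The added example below (standalone Python, not part of the report) runs such checks over a handful of constructed access-log lines. The log format, paths and payloads are made up for illustration; the signatures cover only the two attack classes named in Part 1, and the blocking threshold is an assumed tuning value.

```python
# Added example (standalone Python, not part of the report): WAF/IDPS-style
# signature checks over constructed access-log lines, with an IDPS-style
# "block repeat offenders" decision. Log lines and payloads are made up.
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (Common Log Format style), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /search?q=apple HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2024:12:00:02 +0000] "GET /search?q=%27%20OR%201%3D1%20-- HTTP/1.1" 200 8120
203.0.113.9 - - [10/Oct/2024:12:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
203.0.113.12 - - [10/Oct/2024:12:00:04 +0000] "POST /login HTTP/1.1" 401 77
203.0.113.7 - - [10/Oct/2024:12:00:05 +0000] "GET /search?q=juice HTTP/1.1" 200 530
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Signatures for the two classes found in Part 1.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "sqli_comment": re.compile(r"--\s*$|/\*"),
    "xss_script_tag": re.compile(r"<\s*script", re.IGNORECASE),
}


def parse_line(line):
    """Split one log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(path):
    """Decode the request first, as a WAF does, then test each signature."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def analyse(log_text):
    """Return alerts as (ip, path, signatures) and a per-source hit counter."""
    alerts, hits = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        sigs = match_signatures(entry["path"])
        if sigs:
            alerts.append((entry["ip"], entry["path"], sigs))
            hits[entry["ip"]] += 1
    return alerts, hits


def ips_to_block(hits, threshold=2):
    """IDPS-style action: sources with repeated hits become block candidates.
    The threshold is an assumed tuning value."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for ip, path, sigs in found:
        print("ALERT", ip, path, sigs)
    print("block:", ips_to_block(counts))
```

Decoding before matching matters: the second log line carries the Part 1 payload URL-encoded, and a check on the raw path would miss it. Signature hits should feed the alerting path first; automatic blocking on a low threshold is where false positives turn into a self-inflicted outage, so the threshold needs tuning against normal traffic.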
E. Access Control
Role-Based Access Control (RBAC): RBAC ensures that users can only access parts
of the application that match their roles (e.g., regular users, admin users).
Multi-Factor Authentication (MFA): Enforced for administrative users to ensure
that even if an attacker gains access to credentials, they cannot access the admin panel
without the second factor (e.g., OTP or hardware token).
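The RBAC and MFA controls above combine into one authorisation decision: the role must permit the action, and for administrative actions a valid second factor must also be present. The added example below (standalone Python using only the standard library, not part of the report or of Juice Shop) implements that step-up check with a time-based one-time password verifier (RFC 6238 TOTP over HMAC-SHA1). The roles, actions and the permission map are constructed; the shared secret is the published RFC 6238 test secret, so the expected code at time 59 is known.

```python
# Added example (standalone Python, not part of the report): role-based
# authorisation with MFA step-up for administrative actions, using a
# standard-library TOTP verifier. Roles and actions are constructed.
import base64
import hmac
import struct
import time

# Which roles may perform which actions; True marks actions that need MFA.
PERMISSIONS = {
    "customer": {"view_products": False, "edit_own_profile": False},
    "admin": {
        "view_products": False,
        "edit_own_profile": False,
        "open_admin_panel": True,
        "view_all_orders": True,
    },
}

# Base32 of the RFC 6238 test secret "12345678901234567890" (test data only).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32, at_time, digits=6):
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at_time) // STEP_SECONDS)
    digest = hmac.new(key, counter, "sha1").digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, at_time, window=1):
    """Accept the current step and +/- `window` steps for clock skew, and
    compare in constant time so timing does not leak digit matches."""
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, at_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authorise(user, action, otp=None, at_time=None):
    """Return (allowed, reason). `user` is a dict with 'role' and 'mfa_secret'."""
    allowed_actions = PERMISSIONS.get(user["role"], {})
    if action not in allowed_actions:
        return False, "role not permitted"
    if allowed_actions[action]:   # MFA-gated action
        now = time.time() if at_time is None else at_time
        if otp is None or not verify_totp(user["mfa_secret"], otp, now):
            return False, "second factor required"
    return True, "ok"


if __name__ == "__main__":
    admin = {"role": "admin", "mfa_secret": SAMPLE_SECRET}
    code_now = totp(SAMPLE_SECRET, time.time())
    print(authorise(admin, "open_admin_panel"))
    print(authorise(admin, "open_admin_panel", otp=code_now))
```

A denied decision for an admin action without the second factor is the behaviour to verify during testing of the admin segment: credentials alone must never open the panel, which is exactly the property the report asks MFA to provide.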
2. Network Design Diagram
Here is an example of how the network would be structured:
Internet (User Interaction) → Frontend Web Servers (Public Segment) → WAF
→ Backend Application Servers (Private Segment) → Database Servers (Isolated
Network)
Admin Segment (Internal) → Admin Interface, accessible only via secure VPN with
strict access control.
The firewall and WAF would filter traffic between each segment to ensure only authorized
communication occurs. The IDPS would continuously monitor each segment for anomalous
activity.
3. Detailed Explanations for Security Controls
Firewalls: These are used to enforce the separation of network segments and restrict
unauthorized traffic, reducing the attack surface.
WAF: The Web Application Firewall specifically protects against common
application-layer attacks like SQL injection and XSS, filtering out malicious input.
IDPS: By detecting and blocking suspicious activity, the IDPS adds another layer of
protection against zero-day or unknown attacks.
Access Control and MFA: These systems ensure that only authorized individuals can
access sensitive data or administrative features, reducing the risk of privilege
escalation.
Conclusion
This approach ensures the OWASP Juice Shop is protected from the common vulnerabilities
identified in Part 1. By implementing a secure network design with proper segmentation,
firewalls, WAF, IDPS, and robust access control measures, the application’s overall security
posture will be greatly improved, reducing the risk of successful attacks.