Objective: To systematically document discovered web vulnerabilities and provide actionable, code-level remediation strategies for development teams.
1. The Vulnerability: Insecure Coding Practices (OWASP Top 10)
Through manual and automated testing of the WebGoat environment, I identified a series of high-impact vulnerabilities including SQL Injection, DOM-based XSS, and CSRF. These flaws stem from a fundamental lack of Input Validation and Sanitization, the use of unsafe JavaScript sinks, and the absence of unique anti-forgery tokens. Collectively, these represent a high risk to application security and user data.
2. Technical Execution: Remediation Strategy Development
I performed a “Post-Mortem” analysis for each identified flaw, moving beyond mere discovery to professional remediation planning. This involved analyzing the backend and frontend source code to pinpoint the exact line of failure and developing secure code alternatives to neutralize the attack vectors.
| Component | Value | Purpose |
|---|---|---|
| Frameworks | Spring Security / Django | Recommended for built-in CSRF protection. |
| JS Library | DOMPurify | Recommended for sanitizing HTML when rendering is necessary. |
| Query Method | Prepared Statements | Used to replace vulnerable string concatenation. |
| DOM Method | .text() | Replaced the vulnerable .html() method to render plain text. |
3. Execution Workflow
- Evidence Collection: Captured high-resolution screenshots of OWASP ZAP alerts and manual exploitation results to serve as proof of work.
- Impact Assessment: Documented how each vulnerability was discovered and translated the technical flaw into a business risk (e.g., account compromise, data leakage).
- Remediation Mapping: Cross-referenced alerts with OWASP documentation and official cheat sheets to ensure industry-standard fixes.
- Developer Guidance: Wrote clear, code-based recommendations for developers, including “Before” (vulnerable) and “After” (secure) code examples.
4. Key Commands
```java
import java.sql.*;

// Example of the recommended "Secure Fix" for SQL Injection
// Using Parameterized Queries to prevent user input from being executed as code
PreparedStatement ps = conn.prepareStatement(
        "SELECT * FROM user_data WHERE first_name = ? AND last_name = ?");
ps.setString(1, "John");
ps.setString(2, lastName); // Safe: lastName is treated as a literal string
ResultSet rs = ps.executeQuery(); // the bound value can never alter the query's structure
```
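A runnable "Before" / "After" pair for the SQL Injection fix, added here as an example rather than taken from WebGoat or the report's own code. It uses Python's sqlite3 with a constructed in-memory two-column `user_data` table standing in for WebGoat's (the real table has more fields), and sqlite3's `?` placeholder plays the role of the Java PreparedStatement parameter.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's user_data table (assumption:
# only first_name/last_name are needed for the lookup shown in the report).
SAMPLE_ROWS = [
    ("John", "Smith"),
    ("John", "O'Brien"),
    ("Jane", "Doe"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str):
    # "Before": string concatenation, the pattern the report flags.
    # The caller's input becomes part of the SQL text and is parsed as SQL.
    sql = ("SELECT first_name, last_name FROM user_data "
           "WHERE first_name = 'John' AND last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()


def lookup_secure(conn: sqlite3.Connection, last_name: str):
    # "After": placeholder plus bound value, mirroring the Java PreparedStatement.
    # last_name is sent as a literal and can never change the query's structure.
    sql = ("SELECT first_name, last_name FROM user_data "
           "WHERE first_name = 'John' AND last_name = ?")
    return conn.execute(sql, (last_name,)).fetchall()


def compare(last_name: str):
    """Run both versions on the same input and return (vulnerable, secure).

    The string 'error' marks a concatenated query that failed to parse, which
    is what a legitimate apostrophe (O'Brien) does to the vulnerable version.
    """
    conn = make_db()
    try:
        try:
            vuln = lookup_vulnerable(conn, last_name)
        except sqlite3.OperationalError:
            vuln = "error"
        secure = lookup_secure(conn, last_name)
    finally:
        conn.close()
    return vuln, secure
```

A plain name returns the same single row from both versions; the textbook probe `x' OR '1'='1` makes the concatenated query return every row while the parameterized query returns nothing, and `O'Brien` breaks the concatenated query but is matched correctly by the parameterized one.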
5. Evidence of Work


6. Professional Impact
This project demonstrates my ability to act as a bridge between security testing and software development. By providing evidence-based reports and technical fixes, I ensure the Confidentiality, Integrity, and Availability of the application. My recommendations focus on proactive defense, such as implementing Content Security Policy (CSP) and Parameterized Queries, which provide long-term value by preventing entire classes of vulnerabilities.