Purpose
Beginner-friendly, checklist-driven notes for legal web application security practice. This public repo is meant to serve as verifiable evidence of study progress for applications (e.g., Synack SRT). It documents methodology, progress, and evidence formats for legal training labs and authorized scopes only.
References I use:
- OWASP Web Security Testing Guide (WSTG): https://owasp.org/www-project-web-security-testing-guide/
- PortSwigger Web Security Academy (WSA): https://portswigger.net/web-security
Public profiles
- LinkedIn: https://www.linkedin.com/in/theodor-eng%C3%B8y-71768328b/
- GitHub: https://github.com/TheodorNEngoy
- Hack The Box (public): https://ctf.hackthebox.com/user/profile/915738
Repo layout
- /checklists — Mini OWASP-aligned checklists
- /templates — Evidence & report templates
- /notes — Short write-ups for legal labs only
- /profiles — One file with public links
Methodology checklist
- Recon (in-scope only)
- Auth & session basics (MFA, lockout, cookie flags)
- Access control (IDOR and role checks with authorized test users)
- Input handling (harmless payloads to observe validation)
- CSRF on state-changing requests
- Security headers (HSTS, CSP, XFO, Referrer-Policy)
- Business logic checks
- Evidence for every check (positive and negative)
Evidence examples
- Negative check (control present): login rate limit → expect 429 after N failed attempts (screenshot + raw HTTP request/response).
- Positive finding (training lab only): IDOR by changing an object ID → data exposure (repro steps + raw HTTP, sanitized).
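To make the "evidence for every check" item concrete, here is an added example (not part of the original notes or of any lab) that turns a raw HTTP response into a small evidence record: it reports which of the four security headers from the checklist are present or missing, which Secure/HttpOnly/SameSite flags each Set-Cookie carries, and at which login attempt a 429 first appeared. The response text and the list of status codes are constructed samples, not captures from a real target.

```python
"""Build evidence records for header, cookie-flag and rate-limit checks (offline)."""

# Constructed sample response; the hostnames, cookies and values are invented.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed status codes from 6 failed login attempts: five 401s, then a 429.
SAMPLE_LOGIN_ATTEMPTS = [401, 401, 401, 401, 401, 429]

# Checklist headers, keyed by lower-case wire name, with the label used in notes.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "XFO",
    "referrer-policy": "Referrer-Policy",
}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name_lower, value)], body).

    Headers are kept as a list so repeated Set-Cookie lines are not lost.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_security_headers(headers):
    """Return {label: 'present' | 'missing'} for each checklist header."""
    present = {name for name, _ in headers}
    return {label: ("present" if name in present else "missing")
            for name, label in REQUIRED_HEADERS.items()}


def check_cookie_flags(headers):
    """Return {cookie_name: {flag: bool}} for every Set-Cookie header."""
    results = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; SameSite carries a value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        results[cookie_name] = {
            "Secure": "secure" in attrs,
            "HttpOnly": "httponly" in attrs,
            "SameSite": "samesite" in attrs,
        }
    return results


def first_rate_limited(status_codes):
    """1-based attempt number at which 429 first appeared, or None if never."""
    for attempt, code in enumerate(status_codes, start=1):
        if code == 429:
            return attempt
    return None


def evidence_record(raw_response, login_status_codes):
    """Combine the three checks into one record suitable for pasting into notes."""
    status, headers, _ = parse_response(raw_response)
    return {
        "status": status,
        "headers": check_security_headers(headers),
        "cookies": check_cookie_flags(headers),
        "rate_limit_at_attempt": first_rate_limited(login_status_codes),
    }


if __name__ == "__main__":
    record = evidence_record(SAMPLE_RESPONSE, SAMPLE_LOGIN_ATTEMPTS)
    for key, value in record.items():
        print(f"{key}: {value}")
```

On the constructed sample this flags CSP and Referrer-Policy as missing, shows that the `session` cookie lacks Secure and SameSite, and records the rate limit kicking in on attempt 6; a `None` for `rate_limit_at_attempt` is the negative result to document when no 429 ever arrives. Keep the raw request/response alongside the record, since the record alone is not reproducible evidence.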
Study log
| Date | Activity | Source | URL | Notes |
|---|---|---|---|---|
| 2025‑10‑12 | Getting started path | WSA | https://portswigger.net/web-security/getting-started | Intercept/Repeater basics |
| 2025‑10‑13 | Auth labs (intro) | WSA | https://portswigger.net/web-security/authentication | |
| 2025‑10‑15 | CSRF basics | WSA | https://portswigger.net/web-security/csrf | |
| 2025‑10‑16 | WSTG skim | OWASP | https://owasp.org/www-project-web-security-testing-guide/ | headings only |
Scope and legal
Only legal training targets (WSA, HTB, THM, etc.) or assets with explicit permission. Never test outside scope.
License
MIT — See LICENSE.