learntodriveai.dev/Cybersecurity/Web and API Exploitation + Vulnerability Scanning + CIS Benchmarks
Cybersecurity·Project 05·9 units

Web and API Exploitation + Vulnerability Scanning + CIS Benchmarks

**Track:** Cybersecurity

§ Brief

You're assessing a winery's online platform in Bulgaria's Thracian Valley — a consumer ordering website and a REST API used by 12 restaurant partners for wholesale orders. Two attack surfaces, one engagement.

The discipline skills: vulnerability scanning with ZAP and Nuclei, exploit chaining, JWT tampering, API exploitation (BOLA, mass assignment), applying CIS Benchmarks and OWASP ASVS, authoring a STRIDE threat model from the business brief without a template, and combining CVSS with EPSS for remediation prioritization.

The AI-direction lesson: what you feed AI determines what AI produces. Including the full reconnaissance profile, specific log formats, and the current Sigma rule set in your session produces measurably better detection rules than typing "write a detection rule." Excluding irrelevant context matters too — AI that receives everything attends to nothing well. This project is where context curation becomes a deliberate practice: deciding what to include, what to exclude, and when to start a fresh session because the current one has degraded.

Your Role

You are assessing two attack surfaces: the consumer web platform and the restaurant API. A web form and an API are architecturally different targets — different tools, different vulnerabilities, different remediation patterns.

The STRIDE threat model template is gone. You author the model yourself from the business brief and your own reconnaissance. You decide which ATT&CK techniques to test based on what you find.

What's New

Last time you exploited network services with Metasploit, wrote Sigma rules from scratch, designed Alloy labels, built your first threat model from a template, and used CVSS for prioritisation. You know the assessment layers connect and that skipping one weakens the rest.

Vulnerability scanning. ZAP and Nuclei produce severity-rated findings, but not every "High" finding is real. Some are false positives. Scanner output is a hypothesis, not a conclusion. The professional skill is triage — separating confirmed findings from noise.

API exploitation. The restaurant API has different vulnerabilities than the web forms. BOLA, mass assignment, and JWT tampering are authorisation architecture flaws, not input validation failures. AI applies web exploitation techniques to APIs and misses the structural difference.

CIS Benchmarks and OWASP ASVS. Formal compliance frameworks replace ad-hoc hardening. Not every benchmark item applies to every system. Your job is interpreting which items matter — and compliance language makes your recommendations carry more weight.

The hard part is that each surface requires a different approach. The payload that works against a web form fails against an API. The detection rule that catches web exploitation misses API attacks. The remediation pattern for input validation does not fix an authorisation flaw. Understanding the terrain before you move determines everything downstream.

Tools

  • ZAP — web application vulnerability scanner. New.
  • Nuclei — template-based vulnerability scanner. New.
  • ffuf — directory and content discovery. New.
  • Juice Shop — modern web application with API endpoints. New target.
  • DVWA (Medium/High) — web application at higher difficulty. Continuing at raised difficulty.
  • Nmap — network scanning. Continuing.
  • Grafana/Loki — log viewing and dashboard refinement. Continuing.
  • Alloy — log collection pipeline. Continuing.
  • pySigma — Sigma rule conversion. Continuing.
  • Docker — running the applications and monitoring stack.
  • Claude Code — AI agent directing all tool execution.
  • Git/GitHub — version control and project submission.

Materials

  • Scope document — assessment boundaries covering the consumer platform, restaurant API, monitoring stack, and Docker infrastructure.
  • CIS Docker Benchmark reference — curated subset of benchmark items relevant to the lab environment.
  • OWASP ASVS reference — curated Level 1 requirements for the web platform and API.
  • Report template — assessment report structure with API findings, exploit chains, EPSS/CVSS dual-scoring, and compliance mapping sections.
  • Docker environment — Juice Shop, DVWA, Grafana, Loki, and Alloy running in containers.