Web Application Security Education Platform Based on OWASP API Security Project

  • Muhammad Idris, Department of Information and Computer Engineering, Politeknik Elektronika Negeri Surabaya, Indonesia
  • Iwan Syarif, Department of Information and Computer Engineering, Politeknik Elektronika Negeri Surabaya, Indonesia
  • Idris Winarno, Department of Information and Computer Engineering, Politeknik Elektronika Negeri Surabaya, Indonesia
Keywords: API Security, OWASP, CTF, Risk Rating, Container

Abstract

The trend toward API-based systems in web applications has grown steadily over the last few years. APIs allow web applications to interact with external systems, enabling business-to-business or system-to-system integration and, with it, a wide range of application innovation. However, this trend also brings a different attack surface, one that can harm not only web applications but also mobile and IoT applications. This research proposes a web application security education platform focused on the OWASP API Security Project. The platform provides API-specific security risks such as excessive data exposure, lack of resources and rate limiting, mass assignment, and improper asset management, which cannot be found in monolithic security learning applications such as DVWA, WebGoat, and Mutillidae II. The development also applies several methodologies, including the Capture-The-Flag (CTF) learning model, vulnerability assessment, and container virtualization. Based on our experiment, we successfully provide 10 API vulnerability challenges on the platform across 3 different severity risk-rating levels, which can be exploited using tools such as Burp Suite, SQLMap, and JWTCat. Finally, our performance experiment shows that all of the containers on the platform can be deployed in approximately 16 seconds with minimal storage resources, and that the platform can serve up to 1000 concurrent users with an average throughput of 50.58 requests per second, 96.35% successful requests, and a 15.94 s response time.
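Two of the OWASP API Security risks the abstract lists, mass assignment and excessive data exposure, are easiest to understand as a vulnerable request handler beside a hardened one. The block below is an added illustration, not code from the paper or from its platform: the `User` record, the field names and the handler functions are constructed for this example, and the handlers operate on plain dicts (the decoded JSON body) so the whole thing runs offline.

```python
"""
Added example (not from the paper or its platform): mass assignment and
excessive data exposure, shown as a vulnerable profile-update handler next
to a hardened one that allowlists both what a client may write and what it
may read back.
"""
from dataclasses import dataclass, asdict


# Constructed sample record. "role" and "password_hash" are the fields a
# client must never be able to set or read through the profile endpoint.
@dataclass
class User:
    id: int
    email: str
    name: str
    role: str = "user"
    password_hash: str = "$argon2id$constructed-example-hash"


# --- Vulnerable: binds every JSON key, returns the whole model ---------------

def update_profile_vulnerable(user: User, payload: dict) -> dict:
    """Typical auto-binding: any attribute named in the body is overwritten."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)   # a client-supplied "role" lands here
    return asdict(user)                 # password_hash leaks in the response


# --- Hardened: explicit allowlists for input and output ---------------------

WRITABLE_FIELDS = {"email", "name"}                 # what a client may change
READABLE_FIELDS = {"id", "email", "name", "role"}   # what a client may see


def update_profile_hardened(user: User, payload: dict) -> dict:
    """Reject unknown keys (so tampering shows up in logs), bind only the
    allowlisted ones, and serialise only the allowlisted output fields."""
    unknown = set(payload) - WRITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    for key in WRITABLE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return {k: v for k, v in asdict(user).items() if k in READABLE_FIELDS}


def hardened_rejects(user: User, payload: dict) -> bool:
    """True when the hardened handler refuses the body without mutating user."""
    before = asdict(user)
    try:
        update_profile_hardened(user, payload)
        return False
    except ValueError:
        return asdict(user) == before


if __name__ == "__main__":
    tampered = {"name": "Mallory", "role": "admin"}   # constructed request body

    u = User(1, "alice@example.test", "Alice")
    print("vulnerable:", update_profile_vulnerable(u, tampered))

    u = User(1, "alice@example.test", "Alice")
    print("hardened rejects tampering:", hardened_rejects(u, tampered))
    print("hardened:", update_profile_hardened(u, {"name": "Alice B."}))
```

The defensive point is that both allowlists are declared next to the handler rather than inferred from the model: adding a new sensitive column to `User` later cannot silently become writable or readable through this endpoint, which is the failure mode behind both risks.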


Published
2022-12-16
How to Cite
Idris, M., Syarif, I., & Winarno, I. (2022). Web Application Security Education Platform Based on OWASP API Security Project. EMITTER International Journal of Engineering Technology, 10(2), 246-261. https://doi.org/10.24003/emitter.v10i2.705
Section
Articles