Cybersecurity Internship Manual - Beginner Guide: Cyber Security Interns Manual

Uploaded by ayeshaikram564

Cyber Security Interns Manual

Cybersecurity Internship Manual – Beginner Guide

Project: Strengthening Security Measures for a Web Application

WEEK 1 – SECURITY ASSESSMENT

GOAL: Understand the Application and Identify Vulnerabilities

Step 1: Set Up the Web Application

1.1 – Choose a Mock Web Application

• Open GitHub.com
• In the search bar, type: simple user management system node.js
• Find a project with:
  ◦ Backend: Node.js & Express
  ◦ Frontend: HTML/CSS or React (optional)
  ◦ Pages: Login, Signup, Profile/Dashboard

Example Repo: https://github.com/rahulbanerjee26/nodejs-user-authentication

1.2 – Download and Run the Application

1. Open Terminal or Command Prompt

2. Clone the project:

git clone <project-link>

3. Go to project folder:

cd <project-folder>

4. Install required packages:

npm install

5. Start the application:

npm start

6. Open browser and visit:

http://localhost:3000

Step 2: Explore the Application

Use the app like a normal user:
• Sign up with a fake email/password
• Try logging in
• Access your profile/dashboard

Observe how the app behaves when:
• You enter invalid input
• You refresh after login
• You manipulate the URL (e.g., try localhost:3000/admin if it exists)

Step 3: Perform Vulnerability Testing

A. Install OWASP ZAP

• Download from: https://www.zaproxy.org/download/
• Install and open ZAP
• Use it as a proxy scanner:
  ◦ Configure your browser to route traffic through ZAP
  ◦ Visit your app (localhost:3000)
• ZAP will scan all visited pages and list issues such as:
  ◦ XSS
  ◦ CSRF
  ◦ Missing HTTP headers

B. Check for XSS (Cross-Site Scripting)

1. Go to a text input (e.g., bio, comments, name)

2. Type:

<script>alert('XSS')</script>

3. Click submit
4. If a popup appears, the site is vulnerable to XSS

C. Check for SQL Injection

1. Go to login page
2. Enter:

Username: admin' OR '1'='1
Password: admin' OR '1'='1

3. If it logs you in, the site is vulnerable to SQL Injection

D. Check Password Storage

1. Open the project code
2. Locate the file where user data is stored (commonly userModel.js)
3. Check: are passwords saved directly (in plain text) in the database?
4. If yes, this is a serious security issue

Step 4: Document Your Findings

Create a document like this:

Week 1 – Security Assessment Report

1. Issues Found:
- XSS on signup form
- SQL injection on login
- Passwords stored in plain text
- No input validation

2. Suggested Fixes:
- Sanitize user inputs
- Use bcrypt for password hashing
- Use helmet for security headers
- Add input validation

3. Tools Used:
- OWASP ZAP
- Chrome Dev Tools

Your Name

WEEK 2 – IMPLEMENTING SECURITY MEASURES

GOAL: Fix the identified vulnerabilities

Step 1: Sanitize and Validate Inputs

1.1 – Install validator

npm install validator

1.2 – Update Your Code

In routes/signup.js or where you handle signup:

const validator = require('validator');

// Reject malformed e-mail addresses before they reach the database
if (!validator.isEmail(email)) {
  return res.status(400).send('Invalid email');
}

// Enforce a minimum password length
if (!validator.isLength(password, { min: 8 })) {
  return res.status(400).send('Password too short');
}

Step 2: Hash Passwords with bcrypt

2.1 – Install bcrypt

npm install bcrypt

2.2 – Modify Signup Code

const bcrypt = require('bcrypt');

// 10 is the cost factor (salt rounds); bcrypt generates and embeds the salt itself
const hashedPassword = await bcrypt.hash(password, 10);
// Save hashedPassword to DB instead of the plain-text password

2.3 – Modify Login Code

const isMatch = await bcrypt.compare(password, user.password);

if (!isMatch) {
return res.status(401).send('Invalid credentials');
}

Step 3: Implement JWT Authentication

3.1 – Install jsonwebtoken

npm install jsonwebtoken

3.2 – In Login Route

const jwt = require('jsonwebtoken');

// Read the signing secret from configuration (e.g. an environment variable);
// never hard-code it in the source or commit it to the repository.
const JWT_SECRET = process.env.JWT_SECRET;

// Short-lived token carrying only the user id
const token = jwt.sign({ id: user._id }, JWT_SECRET, { expiresIn: '1h' });

res.send({ token });

Step 4: Secure HTTP Headers

4.1 – Install Helmet

npm install helmet

4.2 – Use Helmet in app.js

const helmet = require('helmet');

app.use(helmet());

WEEK 3 – ADVANCED SECURITY AND FINAL REPORTING

GOAL: Simulate attacks, set up logging, and document all work

Step 1: Simulate Attacks with Nmap (Optional)

1. Download Nmap from: https://nmap.org

2. Run:

nmap -sV localhost

Step 2: Add Logging with Winston

2.1 – Install Winston

npm install winston

2.2 – Create logger.js

const winston = require('winston');

// Writes every entry to the console and to security.log (JSON by default);
// add winston.format.timestamp() if entries need timestamps for correlation
const logger = winston.createLogger({
  transports: [
    new winston.transports.Console(),
    new winston.transports.File({ filename: 'security.log' })
  ]
});

module.exports = logger;

2.3 – Use Logger in Routes

const logger = require('./logger');

logger.info('User logged in');
logger.warn('Suspicious activity detected');
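
Logging is only useful if someone reads the log, so the following added example (not part of the manual) runs a simple detection over the kind of newline-delimited JSON that Winston writes to security.log: it flags any IP with five or more failed logins inside one minute. The log lines are constructed samples, and the ip and timestamp fields and the "Failed login" message are assumptions about what the route handlers log (they require winston.format.timestamp() and passing the client IP as metadata).

```javascript
// Added example (not from the manual): a detection pass over security.log.
// Winston's default JSON format writes one object per line; the lines below
// are constructed samples. The ip/timestamp fields and the "Failed login"
// message are assumptions about what the route handlers log.

// Constructed security.log contents (one JSON entry per line, one corrupt line).
const SAMPLE_LOG = [
  '{"level":"info","message":"User logged in","ip":"10.0.0.5","timestamp":"2024-01-01T10:00:00Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.9","timestamp":"2024-01-01T10:00:01Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.9","timestamp":"2024-01-01T10:00:05Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.9","timestamp":"2024-01-01T10:00:12Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.9","timestamp":"2024-01-01T10:00:20Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.9","timestamp":"2024-01-01T10:00:33Z"}',
  'truncated line left by a crash, not JSON',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.7","timestamp":"2024-01-01T10:01:00Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.7","timestamp":"2024-01-01T10:03:00Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.7","timestamp":"2024-01-01T10:05:00Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.7","timestamp":"2024-01-01T10:07:00Z"}',
  '{"level":"warn","message":"Failed login","ip":"10.0.0.7","timestamp":"2024-01-01T10:09:00Z"}'
].join('\n');

// Parse newline-delimited JSON, skipping malformed lines instead of crashing.
function parseLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    try { entries.push(JSON.parse(line)); } catch { /* skip non-JSON line */ }
  }
  return entries;
}

// Return the IPs with at least `threshold` failed logins inside any `windowSeconds` span.
function findBruteForceSources(entries, threshold = 5, windowSeconds = 60) {
  const failuresByIp = new Map();
  for (const e of entries) {
    if (!e || e.message !== 'Failed login' || !e.ip || !e.timestamp) continue;
    if (!failuresByIp.has(e.ip)) failuresByIp.set(e.ip, []);
    failuresByIp.get(e.ip).push(Date.parse(e.timestamp) / 1000);
  }
  const flagged = [];
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    // Sliding window: compare each failure with the one (threshold - 1) attempts before it.
    for (let i = threshold - 1; i < times.length; i++) {
      if (times[i] - times[i - threshold + 1] <= windowSeconds) { flagged.push(ip); break; }
    }
  }
  return flagged;
}
```

In the sample, 10.0.0.9 fails five times within 32 seconds and is flagged, while 10.0.0.7 spreads five failures over eight minutes and is not.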

Step 3: Prepare a Security Checklist

Create a file called checklist.txt or checklist.md

✓ All inputs validated
✓ Passwords hashed using bcrypt
✓ JWT implemented for authentication
✓ Helmet used for headers
✓ Logging enabled with Winston
✓ SQL Injection tested
✓ XSS vulnerabilities removed

Step 4: Final Submission

A. Video Explanation

• Use OBS or a screen recorder
• Record your voice and screen while:
  ◦ Showing vulnerabilities
  ◦ Showing how you fixed them
  ◦ Demonstrating the secure app

B. GitHub Repository

• Upload:
  ◦ Complete code
  ◦ README.md with explanation
  ◦ security.log
  ◦ assessment_report.pdf
  ◦ checklist.md

C. Final Report

Include:
• Summary of all 3 weeks
• Screenshots
• Explanation of fixes
• Tools used
• Challenges and learnings

END OF GUIDE
