VL2023240503483 Pe003

This project report explores social engineering attacks and OWASP vulnerabilities, highlighting techniques like phishing and XSS. It provides practical demonstrations of various attacks and emphasizes the importance of cybersecurity awareness. The report also reviews existing literature on social engineering detection and prevention methodologies, noting their limitations and the need for improved security measures.

Uploaded by

Anantha Cauvery

DEMONSTRATION OF SOCIAL ENGINEERING ATTACKS & OWASP VULNERABILITY

A PROJECT REPORT
for
CSE3502 – INFORMATION SECURITY MANAGEMENT
in
M.Tech (Integrated) Software Engineering
by
ANANTHA CAUVERY M (20MIS0122)

Under the Guidance of
DR. SIVA RAMA KRISHNAN S
Associate Professor, SCORE
School of Computer Science Engineering and Information Systems (SCORE)

April, 2024
ABSTRACT:
This project aims to explore and demonstrate the vulnerabilities associated with social engineering and the Open Web Application Security Project (OWASP) standards. Social engineering is a technique employed by malicious actors to manipulate individuals into divulging sensitive information or taking actions that compromise security goals. The project provides a comprehensive overview of social engineering techniques such as phishing and vishing.

The project also delves into the vulnerabilities outlined by OWASP, focusing on web application security issues that could be exploited by attackers. The Open Web Application Security Project is a widely recognized framework that identifies and mitigates common security risks in web applications.

Through practical demonstrations, this project intends to raise awareness about the importance of cybersecurity and highlight the potential risks associated with both social engineering and OWASP vulnerabilities. By understanding these threats, individuals and organizations can take proactive measures to enhance their security and safeguard against cyber-attacks.

INTRODUCTION:
In this project, demonstrations of OWASP vulnerabilities and social engineering attacks are carried out. The OWASP Top 10 attacks are Broken Authentication and Session Management, Security Misconfiguration, Cross-Site Scripting (XSS), Injection (SQL Injection), Insecure Direct Object References (IDOR), Cross-Site Request Forgery (CSRF), Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards.

These attacks were implemented using several tools in Kali Linux. The XSSer tool was used for the XSS attack. Cross Site "Scripter" (aka PwnXSS) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

In the term "Social Engineering", "social" refers to our personal and professional day-to-day lives, while "engineering" involves comprehensive processes carried out so that a defined goal is met. Combining the two gives social engineering, which is intrusion based on human interaction. It is a non-technical intrusion in which a person is tricked into breaking the general security guidelines already set in an institution.

The Social Engineering Toolkit (SET) is a free and open-source tool used for social engineering attacks such as phishing, sending SMS, faking phone calls, etc. It comes with Kali Linux, or it can be downloaded and installed directly from GitHub. Security researchers and penetration testers all over the world use this tool to check systems for cybersecurity issues. The goal of the toolkit is to let testers perform attack techniques against their own machines. It also includes website attack vectors and custom attack vectors, which allow us to clone any website and perform phishing attacks.

Maltego is a comprehensive tool for graphical link analysis that offers real-time data mining and information gathering, as well as the representation of this information on a node-based graph, making patterns and multiple-order connections between pieces of information easily identifiable. With Maltego, you can mine data from dispersed sources, automatically merge matching information in one graph, and visually map it to explore your data landscape.

LITERATURE SURVEY:

Each entry lists the paper title, authors, attacks implemented, methodology used, and limitations.

1. Social Engineering Attacks Detection Approach
   Authors: Lysenko, S., Vorobiov, V., Bokhonko, O., Gaj, P., Savenko, O., & Wołoszyn, J.
   Attacks implemented: Phishing attacks, Diversion theft attacks, Reverse social engineering, Authoritative voice attacks, Spying attacks, Technical social engineering attacks
   Methodology used: Decision Trees, Random Forest, K-Nearest Neighbors, and Extreme Gradient Boosting
   Limitations: Detection approaches rely on matching attacks with known signatures or patterns, making them ineffective against zero-day attacks or previously undocumented attacks.

2. Social engineering attack types and prevention techniques - A survey
   Authors: Salama, R., Al-Turjman, F., Bhatia, S., & Yadav, S. P.
   Attacks implemented: Baiting Attacks, Physical Breach Attacks, Quid Pro Quo Attacks, DNS Spoofing, Scareware Attacks, Phishing attacks
   Methodology used: DNS spoofing, scareware attacks, and mail malware
   Limitations: Doesn't mention other types of cyber attacks.

3. Social Engineering Attacks: A Reconnaissance Synthesis Analysis
   Authors: Arabia-Obedoza, M. R., Rodriguez, G., Johnston, A., Salahdine, F., & Kaabouch, N.
   Attacks implemented: Human-Based Attacks, Technology-Based Attacks
   Methodology used: Investigation of Social Engineering Attacks, Distillation of Selected Studies, Reconnaissance Synthesis Analysis
   Limitations: Countermeasures and defense strategies may not be universally effective for all types of social engineering attacks or targets. There is no one-size-fits-all solution for combating social engineering attacks.

4. Underlying Finite State Machine for the Social Engineering Attack Detection Model
   Authors: Mouton, F., Nottingham, A., Leenen, L., & Venter, H. S.
   Attacks implemented: Social Engineering Attack, psychological vulnerabilities
   Methodology used: Initial SEADM Design, Finite State Machine Representation, State Analysis
   Limitations: Generalization Limitation, Detection Accuracy

5. Mitigating Social Engineering for Improved Cybersecurity
   Authors: Osuagwu, E. U., Chukwudebe, G. A., Salihu, T., & Chukwudebe, V. N.
   Attacks implemented: Pretexting, Phishing, Spear Phishing, Spoofing, Trojan Horse, Dumpster Diving, Shoulder Surfing
   Methodology used: Social Engineering Scenarios, Social Engineering Attacks
   Limitations: Empirical Evidence; may not address cultural or regional differences in social engineering tactics and responses.

6. Vulnerability Detection And Security Enhancing Using XAMPP, OWASP and DVWA
   Authors: Qaderi, M., Sinha, G., & Sinha, D. K.
   Attacks implemented: SQL Injection, Cross-Site Scripting (XSS), Denial of Service, Password Cracking, Buffer Overflow
   Methodology used: Utilizing XAMPP to host the web application. Executing Kali Linux tools like SQLMAP for exploitation.
   Limitations: The study conducted 6 security tests focusing on authentication, session management, input validation, and output manipulation. 26 vulnerabilities were identified with varying risk levels.

7. Customizing OWASP ZAP: A Proven Method for Detecting SQL Injection Vulnerabilities
   Authors: Alazmi, S., & de Leon, D. C.
   Attacks implemented: SQL Injection, Cross-Site Scripting (XSS), Denial of Service, Password Cracking, Buffer Overflow
   Methodology used: Installation of two machines within VirtualBox. Use of the XAMPP Controller to open the website. Use of Netsparker to find vulnerabilities.
   Limitations: Netsparker scanned 26 vulnerabilities listed in the DVWA application. The need for more secure web applications to remove identified vulnerabilities.

8. Security Vulnerability Analysis of the Sharia Crowdfunding Website Using OWASP-ZAP
   Authors: Lathifah, A., Amri, F. B., & Rosidah, A.
   Attacks implemented: Phishing, Malware classification
   Methodology used: Deep learning-based models, Explainable AI (XAI) techniques
   Limitations: Lack of interpretability in AI-based models, making it challenging to understand their decision-making process. Potential false positives leading to alert fatigue for security operators. Security vulnerabilities in XAI pipelines.

9. Testing and Exploiting Tools to Improve OWASP Top Ten Security Vulnerabilities Detection
   Authors: Aljabri, M., Aldossary, M., Al-Homeed, N., Alhetelah, B., Althubiany, M., Alotaibi, O., & Alsaqer, S.
   Attacks implemented: Phishing, Malware classification, Intrusion Detection
   Methodology used: Common techniques include spoofing legitimate domains and social engineering, rule-based systems, anomaly detection, and machine learning.
   Limitations: Difficult to detect sophisticated phishing attacks. May struggle with zero-day or polymorphic malware. May miss novel attack patterns.

10. Automatic repair of OWASP Top 10 security vulnerabilities: A survey
    Authors: Marchand-Melsom, A., & Nguyen Mai, D. B.
    Attacks implemented: OWASP Top 10 Vulnerabilities
    Methodology used: Classification, Performance and Reliability Assessment
    Limitations: Inadequate Test Suites, Lack of Multiple Vulnerability Coverage

IMPLEMENTATION:

Credential Harvester Attack:


The username and password entered by the user can be seen in the above image.

Website Cloning:
Social Engineering attack for QR code generator:
Change directory to /root/.set/reports.
Run ls, then type cp qrcode_attack.png /root/Desktop.
Upon scanning this QR code, the cloned Facebook login page will appear.
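The credential harvester and website-cloning demonstrations above both rely on a copied login page whose form silently submits to the attacker's listener. As an added example (not code from the report or from SET), the following check parses a page, finds forms that collect a password, and flags any whose action leaves the page's own host or uses plain HTTP; the page HTML, the page URL and the placeholder listener address 192.0.2.10 are constructed samples.

```python
# Added example, not from the report: detect a cloned login page by checking
# where its password form submits. Sample pages and URLs are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect [action, has_password_field] for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_harvesting_forms(page_url, html):
    """Flag password forms whose action leaves the page's host or is not HTTPS."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue  # not a credential form, ignore
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if target.hostname != page_host:
            findings.append(f"password form posts to foreign host {target.hostname}")
        elif target.scheme != "https":
            findings.append(f"password form posts over {target.scheme}")
    return findings


# Constructed samples: a cloned login page whose form has been repointed at a
# harvester listener (192.0.2.10 is a documentation address, used here as a
# placeholder), and the genuine page, whose form stays on the same host.
CLONED_PAGE = ('<form action="http://192.0.2.10/login" method="post">'
               '<input name="email"><input type="password" name="pass"></form>')
GENUINE_PAGE = ('<form action="/login.php" method="post">'
                '<input name="email"><input type="password" name="pass"></form>')
```

The same check can be run over pages captured by a proxy or a mail sandbox; an empty action resolves to the page URL itself and is therefore treated as same-host.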
Cross-site scripting Attack:
This tool helps us to examine whether a web application is vulnerable to XSS attacks.
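What a scanner such as XSSer probes for is a page that returns user input with its markup characters intact. As an added example (not code from the report or from XSSer), the block below shows a reflected-XSS-prone renderer beside its output-encoded fix and the reflection check itself; the template and the probe string are constructed.

```python
# Added example, not from the report: reflected XSS in its simplest form next
# to the output-encoding fix, plus the reflection check a scanner automates.
import html

TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"


def render_unsafe(term):
    """Vulnerable: untrusted input is pasted into the HTML unencoded."""
    return TEMPLATE.format(term=term)


def render_safe(term):
    """Hardened: encode < > & " ' so the browser shows the term as text."""
    # html.escape covers the HTML-body and quoted-attribute contexts; values
    # placed inside JavaScript or URLs need their own encoders (not shown).
    return TEMPLATE.format(term=html.escape(term, quote=True))


def is_reflected_unescaped(probe, response_html):
    """True when the probe comes back with its markup characters intact."""
    return probe in response_html


# Constructed probe: inert markup that a browser would parse as a tag if it
# were reflected unencoded. Any tag serves for the check; no script is needed.
PROBE = '<b id="xss-probe">probe</b>'
```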
