Cyber Security Interns Manual
Cybersecurity Internship Manual – Beginner Guide
Project: Strengthening Security Measures for a Web Application
WEEK 1 – SECURITY ASSESSMENT
GOAL: Understand the Application and Identify Vulnerabilities
Step 1: Set Up the Web Application
1.1 – Choose a Mock Web Application
• Open GitHub.com
• In the search bar, type: simple user management system node.js
• Find a project with:
• Backend: Node.js & Express
• Frontend: HTML/CSS or React (optional)
• Pages: Login, Signup, Profile/Dashboard
Example Repo: https://github.com/rahulbanerjee26/nodejs-user-authentication
1.2 – Download and Run the Application
1. Open Terminal or Command Prompt
2. Clone the project:
git clone <project-link>
3. Go to project folder:
cd <project-folder>
4. Install required packages:
npm install
5. Start the application:
npm start
6. Open browser and visit:
http://localhost:3000
Step 2: Explore the Application
Use the app like a normal user:
- Sign up with a fake email/password
- Try logging in
- Access your profile/dashboard
Observe how the app behaves when:
- You enter invalid input (empty fields, very long strings, an email without an @)
- You refresh after login (does the session survive, and how is it stored: cookie, localStorage, URL?)
- You manipulate the URL (e.g., try localhost:3000/admin if it exists, or change an ID in a profile URL to see whether you can view another user's data)
Step 3: Perform Vulnerability Testing
A. Install OWASP ZAP
• Download from: https://www.zaproxy.org/download/
• Install and open ZAP
• Use it as an intercepting proxy:
• Configure your browser to route traffic through ZAP (by default ZAP listens on localhost:8080)
• Visit your app ( localhost:3000 ) and click through every page, including signup, login and the profile, so ZAP sees every request
• ZAP passively scans every request and response it proxies and lists issues such as:
◦ Missing HTTP security headers
◦ Forms without anti-CSRF tokens
◦ Cookies without the Secure or HttpOnly flags
• Passive scanning only observes traffic. To actually test for XSS and injection, right-click the site in the Sites tree and run Active Scan. Only ever do this against your own local copy of the app.
B. Check for XSS (Cross-Site Scripting)
1. Go to a text input whose value is displayed back later (e.g., bio, comments, name)
2. Type:
<script>alert('XSS')</script>
3. Click submit, then open the page where that value is displayed (e.g., the profile)
4. If a popup appears, the value was inserted into the page without HTML encoding, so the site is vulnerable to stored XSS
5. Try the same payload in URL parameters and search boxes as well (reflected XSS). A React frontend escapes values by default, so concentrate on server-rendered pages and any code that uses innerHTML
C. Check for SQL Injection
1. Go to login page
2. Enter:
Username: admin' OR '1'='1
Password: admin' OR '1'='1
3. If it logs you in, the login query is built by concatenating the input into SQL, and the site is vulnerable to SQL Injection
4. Many Node.js user-management projects use MongoDB rather than SQL (check package.json for mongoose or mongodb). There the tautology above does nothing; the equivalent test is NoSQL injection: resend the login request from ZAP's request editor (or with curl) with a JSON body such as { "username": { "$ne": null }, "password": { "$ne": null } }. If that logs you in, the query passes untyped input straight to the database
D. Check Password Storage
1. Open the project code
2. Locate the file where user data is stored (commonly userModel.js ) and the signup handler that writes to it
3. Check whether passwords are saved to the database exactly as typed (plain text) or with a reversible encoding such as base64
4. If so, this is a serious security issue: a single database leak exposes every user's password, including on other sites where they reuse it
Step 4: Document Your Findings
Create a document like this:
Week 1 – Security Assessment Report
1. Issues Found:
- XSS on signup form
- SQL injection on login
- Passwords stored in plain text
- No input validation
2. Suggested Fixes:
- Sanitize user inputs
- Use bcrypt for password hashing
- Use helmet for security headers
- Add input validation
3. Tools Used:
- OWASP ZAP
- Chrome Dev Tools
Your Name
WEEK 2 – IMPLEMENTING SECURITY MEASURES
GOAL: Fix the identified vulnerabilities
Step 1: Sanitize and Validate Inputs
1.1 – Install validator
npm install validator
1.2 – Update Your Code
In routes/signup.js or where you handle signup:
const validator = require('validator');
const { email, password } = req.body;
// validator's checks expect strings; a JSON body can carry objects or arrays
// (this is how NoSQL injection arrives), so check the type before anything else
if (typeof email !== 'string' || !validator.isEmail(email)) {
  return res.status(400).send('Invalid email');
}
// bcrypt only uses the first 72 bytes of a password, so cap the length as well
if (typeof password !== 'string' || !validator.isLength(password, { min: 8, max: 72 })) {
  return res.status(400).send('Password must be between 8 and 72 characters');
}
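The following is an added example, not code from the guide or from the example repo. It shows why the XSS payload from the Week 1 check fires (a vulnerable template beside its fixed form) and a request-body validator for the signup route that also rejects non-string input, the kind that carries NoSQL injection. It uses only Node built-ins, so it runs without npm install; the function names and the email regex are illustrative (the guide's validator.isEmail is the equivalent check for the project).

```javascript
// Added example (not the guide's or the example repo's code): output encoding
// versus raw concatenation for user-supplied text, plus typed request validation.

// Encode the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the bio is concatenated straight into markup, so a stored
// <script> tag runs in the browser of everyone who views the profile.
function renderProfileUnsafe(user) {
  return `<h1>${user.name}</h1><p>${user.bio}</p>`;
}

// Fixed: encode at output time. The stored bio is unchanged; it is simply
// rendered as text. Template engines (EJS <%= %>) and React do this for you;
// "sanitizing" on input is not a substitute, because a bio legitimately may
// contain characters such as < or '.
function renderProfileSafe(user) {
  return `<h1>${escapeHtml(user.name)}</h1><p>${escapeHtml(user.bio)}</p>`;
}

// Request-body validation for the signup route. The typeof checks matter:
// Express's JSON body parser delivers objects such as {"$ne": null} unchanged,
// and passing one into a MongoDB query is how NoSQL injection happens.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // illustrative check, not full RFC 5322
function validateSignup(body) {
  const errors = [];
  if (typeof body.email !== 'string' || body.email.length > 254 || !EMAIL_RE.test(body.email)) {
    errors.push('Invalid email');
  }
  if (typeof body.password !== 'string' || body.password.length < 8 || body.password.length > 72) {
    errors.push('Password must be between 8 and 72 characters');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed input: the exact payload the Week 1 XSS check types into a bio field.
const XSS_PAYLOAD = "<script>alert('XSS')</script>";

const demoUser = { name: 'intern', bio: XSS_PAYLOAD };
console.log('unsafe:', renderProfileUnsafe(demoUser)); // contains a live <script> tag
console.log('safe:  ', renderProfileSafe(demoUser));   // tag shown as harmless text
console.log(validateSignup({ email: { $ne: null }, password: 'password1' }));
```

Run it with node and compare the two rendered strings: the only difference between vulnerable and fixed is where the encoding happens, and the stored value is identical in both cases.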
Step 2: Hash Passwords with bcrypt
2.1 – Install bcrypt
npm install bcrypt
2.2 – Modify Signup Code
const bcrypt = require('bcrypt');
const hashedPassword = await bcrypt.hash(password, 10);
// Save hashedPassword to DB
2.3 – Modify Login Code
// user is the account looked up by email and may be null; bcrypt.compare throws on a
// missing hash, and returning early for unknown emails would let an attacker enumerate accounts
const isMatch = user ? await bcrypt.compare(password, user.password) : false;
if (!isMatch) {
  return res.status(401).send('Invalid credentials');
}
Step 3: Implement JWT Authentication
3.1 – Install jsonwebtoken
npm install jsonwebtoken
3.2 – In Login Route
const jwt = require('jsonwebtoken');
// Read the signing secret from the environment (e.g. a .env file that is excluded from git).
// A secret hardcoded in the source lets anyone with the repo forge tokens for any user.
const token = jwt.sign({ id: user._id }, process.env.JWT_SECRET, { expiresIn: '1h' });
res.send({ token });
Issuing a token is only half the job. The client must send it back on every request as an Authorization: Bearer <token> header, and every protected route (profile, dashboard) must call jwt.verify(token, process.env.JWT_SECRET) and reject the request with 401 when that throws; otherwise the routes stay public.
Step 4: Secure HTTP Headers
4.1 – Install Helmet
npm install helmet
4.2 – Use Helmet in app.js
const helmet = require('helmet');
// Register it before any routes so every response gets the headers
app.use(helmet());
Helmet's defaults include a Content-Security-Policy that blocks inline scripts and scripts loaded from other origins. If the frontend stops working after this change, adjust the policy (helmet.contentSecurityPolicy with explicit directives) rather than disabling it, and re-check the ZAP alerts to confirm the missing-header findings are gone.
WEEK 3 – ADVANCED SECURITY AND FINAL REPORTING
GOAL: Simulate attacks, set up logging, and document all work
Step 1: Scan the Host with Nmap (Optional)
Nmap does not attack the application; it shows which ports and services are reachable on the host, which is the view an attacker starts from. Only scan machines you own.
1. Download Nmap from: https://nmap.org
2. Run:
nmap -sV localhost
3. Confirm that only the ports you expect are open and that the service banner for the app does not reveal more than it should. Add -p 3000 (or whatever port the app uses) to be sure that port is included in the scan.
Step 2: Add Logging with Winston
2.1 – Install Winston
npm install winston
2.2 – Create logger.js
const winston = require('winston');
const logger = winston.createLogger({
  level: 'info',
  // Timestamped JSON, one object per line, so security.log can be searched and
  // parsed by tools instead of only read by eye
  format: winston.format.combine(winston.format.timestamp(), winston.format.json()),
  transports: [
    new winston.transports.Console(),
    new winston.transports.File({ filename: 'security.log' })
  ]
});
module.exports = logger;
2.3 – Use Logger in Routes
const logger = require('./logger');
// Log a fixed event name plus the context an investigator needs (who, from where).
// Never log passwords, password hashes or tokens.
logger.info('login_ok', { user: email, ip: req.ip });
logger.warn('login_failed', { user: email, ip: req.ip });
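A security log is only useful if someone reads it. The following is an added example, not code from the guide or from the example repo, of the simplest detection that the log above makes possible: flagging an IP address that fails login repeatedly within a short window, which is what a password-guessing attack looks like. The sample lines are constructed for this example in the shape that winston's timestamp plus json formats write (one JSON object per line, metadata merged at the top level); the event names login_ok and login_failed, the fields and the thresholds are assumptions.

```javascript
// Added example (not the guide's or the example repo's code): brute-force detection
// over security.log lines as written by the Winston logger configured above.

const THRESHOLD = 5;      // this many failed logins ...
const WINDOW_MS = 60_000; // ... from one IP within 60 seconds raises an alert

// Parse one JSON object per line. Malformed lines are skipped, not fatal:
// a detector that crashes on bad input is itself a denial-of-service target.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch {
      // skip lines that are not JSON
    }
  }
  return events;
}

// Sliding window per source IP. Events are sorted by time first so the
// result does not depend on the order lines happen to appear in the file.
function detectBruteForce(events, { threshold = THRESHOLD, windowMs = WINDOW_MS } = {}) {
  const windows = new Map(); // ip -> timestamps of recent failures
  const users = new Map();   // ip -> set of usernames targeted
  const alerts = new Map();  // ip -> latest alert for that ip
  const failures = events
    .filter((e) => e.message === 'login_failed' && typeof e.ip === 'string')
    .map((e) => ({ ...e, t: Date.parse(e.timestamp) }))
    .filter((e) => !Number.isNaN(e.t))
    .sort((a, b) => a.t - b.t);
  for (const ev of failures) {
    const w = windows.get(ev.ip) || [];
    w.push(ev.t);
    while (w.length && ev.t - w[0] > windowMs) w.shift(); // drop failures outside the window
    windows.set(ev.ip, w);
    const targeted = users.get(ev.ip) || new Set();
    targeted.add(ev.user);
    users.set(ev.ip, targeted);
    if (w.length >= threshold) {
      alerts.set(ev.ip, {
        ip: ev.ip,
        failures: w.length,
        firstSeen: new Date(w[0]).toISOString(),
        lastSeen: new Date(ev.t).toISOString(),
        users: [...targeted],
      });
    }
  }
  return [...alerts.values()];
}

// Constructed sample log: one normal login, six rapid failures against "admin" from
// 203.0.113.7, two failures from 198.51.100.9 three minutes apart, and a corrupt line.
const SAMPLE_LOG = [
  '{"level":"info","message":"login_ok","user":"alice","ip":"198.51.100.9","timestamp":"2024-05-01T10:00:00.000Z"}',
  '{"level":"warn","message":"login_failed","user":"admin","ip":"203.0.113.7","timestamp":"2024-05-01T10:00:01.000Z"}',
  '{"level":"warn","message":"login_failed","user":"admin","ip":"203.0.113.7","timestamp":"2024-05-01T10:00:04.000Z"}',
  '{"level":"warn","message":"login_failed","user":"bob","ip":"198.51.100.9","timestamp":"2024-05-01T10:00:05.000Z"}',
  '{"level":"warn","message":"login_failed","user":"admin","ip":"203.0.113.7","timestamp":"2024-05-01T10:00:07.000Z"}',
  '{"level":"warn","message":"login_failed","user":"admin","ip":"203.0.113.7","timestamp":"2024-05-01T10:00:10.000Z"}',
  '{"level":"warn","message":"login_failed","user":"admin","ip":"203.0.113.7","timestamp":"2024-05-01T10:00:13.000Z"}',
  '{"level":"warn","message":"login_failed","user":"admin","ip":"203.0.113.7","timestamp":"2024-05-01T10:00:16.000Z"}',
  '{"level":"warn","message":"login_failed","user":"bob","ip":"198.51.100.9","timestamp":"2024-05-01T10:03:00.000Z"}',
  'not a json line at all',
].join('\n');

console.log(detectBruteForce(parseLogLines(SAMPLE_LOG)));
```

Against the sample, only 203.0.113.7 is flagged; the two slow failures from 198.51.100.9 are what a person mistyping a password looks like and stay below the threshold. To run it on the real file, replace SAMPLE_LOG with require('node:fs').readFileSync('security.log', 'utf8'). Note that req.ip is the proxy's address when the app sits behind one; set Express's trust proxy option so the logged IP is the client's.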
Step 3: Prepare a Security Checklist
Create a file called checklist.txt or checklist.md
✓ All inputs validated (type and length, not just format)
✓ Passwords hashed using bcrypt
✓ JWT implemented for authentication, secret read from the environment
✓ JWT verified on every protected route
✓ Helmet used for headers
✓ Logging enabled with Winston (no passwords or tokens in the log)
✓ SQL / NoSQL Injection tested
✓ XSS vulnerabilities removed (output encoded, re-tested with the Week 1 payload)
Step 4: Final Submission
A. Video Explanation
• Use OBS or a screen recorder
• Record your voice and screen while:
• Showing vulnerabilities
• Showing how you fixed them
• Demonstrating the secure app
B. GitHub Repository
• Upload:
• Complete code
• README.md with explanation
• security.log from your own test runs only (check it contains no real personal data)
• assessment_report.pdf
• checklist.md
• Before pushing, make sure .env (the JWT secret) and node_modules are listed in .gitignore; a secret that was ever committed must be treated as leaked and rotated
C. Final Report
Include:
- Summary of all 3 weeks
- Screenshots
- Explanation of fixes
- Tools used
- Challenges and learnings
END OF GUIDE