LAB EXERCISE-1
1. Make a list of OWASP top 10 vulnerabilities.
A1- Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an
interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter
into executing unintended commands or accessing data without proper authorization.
A2- Broken Authentication and Session Management
Application functions related to authentication and session management are often not
implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or
to exploit other implementation flaws to assume other users’ identities.
A3- Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser
without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s
browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A4- Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal
implementation object, such as a file, directory, or database key. Without an access control check
or other protection, attackers can manipulate these references to access unauthorized data.
A5- Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application,
frameworks, application server, web server, database server, and platform. Secure settings should
be defined, implemented, and maintained, as defaults are often insecure. Additionally, software
should be kept up to date.
A6- Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and
authentication credentials. Attackers may steal or modify such weakly protected data to conduct
credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as
encryption at rest or in transit, as well as special precautions when exchanged with the browser.
A7- Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible
in the UI. However, applications need to perform the same access control checks on the server
when each function is accessed. If requests are not verified, attackers will be able to forge
requests in order to access functionality without proper authorization.
A8- Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including
the victim’s session cookie and any other automatically included authentication information, to a
vulnerable web application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
A9- Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with
full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data
loss or server takeover. Applications using components with known vulnerabilities may
undermine application defenses and enable a range of possible attacks and impacts.
A10- Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use
untrusted data to determine the destination pages. Without proper validation, attackers can
redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
2. Make a list of tools that are available to scan and report vulnerabilities in
web applications and networks.
Tools to scan and report Vulnerabilities in WEB APPLICATION
Web Application Vulnerability Scanners are automated tools that scan web applications,
normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL
Injection, Command Injection, Path Traversal and insecure server configuration. This category of
tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large
number of both commercial and open source tools of this type are available and all of these tools
have their own strengths and weaknesses. Some of them are listed below:
1. Grabber
Grabber is a simple, portable web application scanner that can detect many common
security vulnerabilities. It is slower than other security scanners, so it should be used
only to test small web applications; scanning a large application takes too much time.
2. Vega
Vega is another free open source web vulnerability scanner and testing platform. This
tool is written in Java and offers a GUI based environment.
3. Zed Attack Proxy
This tool is open source and is developed by OWASP. It is available for Windows,
Unix/Linux and Macintosh platforms. It can be used as an automated scanner by entering
the target URL, or as an intercepting proxy to manually perform tests on specific pages.
4. Wapiti
Wapiti is a web vulnerability scanner which lets you audit the security of your web
applications. It performs black-box testing by scanning web pages and injecting data.
5. W3af
W3af is a popular web application attack and audit framework. This framework aims to
provide a better web application penetration testing platform. It is developed using
Python.
Tools to scan and report Vulnerabilities in NETWORK
Vulnerability scanners can help you automate security auditing and can play a crucial part in
your IT security. They can scan your network and websites for up to thousands of different
security risks, producing a prioritized list of those you should patch, describe the vulnerabilities,
and give steps on how to remediate them. Some of them are listed below:
1. OpenVas
OpenVAS is a security scanner that runs only on Linux. It does the actual scanning
work and receives a daily-updated feed of Network Vulnerability Tests (NVTs).
2. Retina
To scan, you can choose from a variety of scan and report templates and specify an IP
range to scan, or use the smart selection function. You can provide any credentials
required by the scanned assets and choose how you want the report delivered, including
e-mail delivery or alerts.
3. SecureCheq
SecureCheq can perform local scans on Windows desktops and servers, identifying
various insecure advanced Windows settings as defined by CIS, ISO or COBIT
standards. It concentrates on common configuration errors related to OS hardening, data
protection, communication security, user account activity and audit logging.
4. Qualys FreeScan
Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet facing or local
servers or machines. You initially access it via their web portal and then download their
virtual machine software if running scans on your internal network.
5. Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on
Windows desktops and servers, identifying any missing service packs, security patches,
and common security misconfigurations.
3. Install Web Goat
WebGoat is a platform-independent environment. It utilizes Apache Tomcat and the Java
development environment. Installers are provided for Microsoft Windows and UNIX
environments, together with notes for installation on other platforms.
Installing Java and Tomcat
Installing Java
Install and deploy the appropriate version from http://java.sun.com/downloads/ (1.4.1 or later)
Installing Tomcat
Install and deploy core Tomcat from http://tomcat.apache.org/download-55.cgi
Installing on Windows
Unzip WebGoat-OWASP_Standard-5.2.zip to your working environment.
To start Tomcat, browse to the WebGoat directory unzipped above and double-click
"webgoat.bat".
Start your browser and browse to: http://localhost/WebGoat/attack. This link is case-sensitive.
LAB EXERCISE-2
4. Write a program in C/C++ using string functions.
#include <stdio.h>
#include <string.h>

int main()
{
    char s1[20] = "BeginnersBook";
    char s2[20] = "BeginnersBook.COM";
    /* compare only the first 8 characters of s1 and s2 */
    if (strncmp(s1, s2, 8) == 0)
    {
        printf("string 1 and string 2 are equal");
    }
    else
    {
        printf("string 1 and 2 are different");
    }
    return 0;
}
5. Write a program to show the problem of Buffer Overflow
#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;
    printf("\n Enter the password : \n");
    /* gets() has no length limit: this unbounded read is the buffer
       overflow the exercise demonstrates (the fix is exercise 7) */
    gets(buff);
    printf("buff:%s", buff);
    if (strcmp(buff, "theism.tech")) {
        printf("\n Wrong Password \n");
    }
    else {
        printf("\n Correct Password \n");
        pass = 1;
    }
    if (pass) {
        /* Now give root or admin rights to the user */
        printf("\n Root privileges given to the user \n");
    }
    return 0;
}
Output:
6. Write a program to show the problem of Stack Overflow.
/* Windows/MSVC-specific demo: check_stack(off) disables the compiler's
   stack probe; conio.h and getch() are Windows-only */
#pragma check_stack(off)
#include <string.h>
#include <stdio.h>
#include <conio.h>

void foo(const char* input)
{
    char buf[5];
    /* no arguments are supplied on purpose: each %p prints whatever is on
       the stack, so the before/after output shows what strcpy changed */
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    strcpy(buf, input);   /* unbounded copy into a 5-byte buffer: the overflow */
    printf("%s\n", buf);
    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    char input[100];
    printf("Address of foo = %p\n", foo);
    printf("Address of bar = %p\n", bar);
    printf("enter the input");
    scanf("%s", input);
    foo(input);
    getch();
    return 0;
}
Output:
7. Write a program that avoids the problem of Buffer Overflow
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 15

int main(void)
{
    char *str = (char *)malloc(BUFSIZE);  /* allocate BUFSIZE bytes for str */
    int pass = 0;
    if (str == NULL)
        return 1;
    printf("\n Enter the password : \n");
    /* fgets reads at most BUFSIZE-1 characters, so it cannot overrun str
       (the original passed 15 to fgets for a 10-byte allocation) */
    if (fgets(str, BUFSIZE, stdin) == NULL) {
        free(str);
        return 1;
    }
    str[strcspn(str, "\n")] = '\0';       /* drop the newline fgets keeps */
    printf("buff:%s", str);
    if (strcmp(str, "theismm.tech")) {
        printf("\n Wrong Password \n");
    }
    else {
        printf("\n Correct Password \n");
        pass = 1;
    }
    if (pass) {
        /* Now give root or admin rights to the user */
        printf("\n Root privileges given to the user \n");
    }
    free(str);
    return 0;
}
Output:
Enter The password:
TheIsmm.tech
Correct password
Root privileges given to the user
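Added example (not from the lab sheet) that extends exercise 7: fgets() silently truncates a line longer than the buffer and the program then checks the truncated copy, so this reader detects the over-long line, drains it and refuses it. readLine, checkPassword and checkPasswordStr are names chosen here; the 15-byte buffer and the password are the lab's.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (capacity cap). Returns the line length, -1 on
 * EOF/error, or -2 when the line did not fit in buf: the remainder is
 * drained so the next read starts on a fresh line, and the caller can
 * reject the input instead of checking a silently truncated copy. */
int readLine(char *buf, size_t cap, FILE *in)
{
    size_t len;
    int c;
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                /* drop the newline fgets keeps */
        return (int)len;
    }
    c = fgetc(in);
    if (c == '\n' || c == EOF)            /* line fit exactly, or last line */
        return (int)len;
    while (c != EOF && c != '\n')         /* over-long: discard the rest */
        c = fgetc(in);
    return -2;
}

/* Exercise 7's password check on top of the bounded reader: a 15-byte
 * buffer as in the lab, and over-long input is refused outright. */
int checkPassword(FILE *in)
{
    char buf[15];
    if (readLine(buf, sizeof buf, in) < 0)
        return 0;
    return strcmp(buf, "theismm.tech") == 0;
}

/* Feed a constructed input string through checkPassword() via tmpfile(),
 * so the check can be exercised without typing at a terminal. */
int checkPasswordStr(const char *text)
{
    FILE *f = tmpfile();
    int ok;
    if (f == NULL)
        return -1;
    fputs(text, f);
    rewind(f);
    ok = checkPassword(f);
    fclose(f);
    return ok;
}
```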
8. Write a program that avoids the problem of Stack Overflow.
#include <stdio.h>

void recur(int n)
{
    if (n < 1)
        return;       /* termination condition to avoid infinite stack growth */
    printf("%d ", n);
    recur(n - 1);     /* recur(n--) would pass the old n and never terminate */
}

/* main function: */
int main(void)
{
    int n;
    printf("enter number");
    if (scanf("%d", &n) != 1)
        return 1;
    recur(n);
    printf("\n");
    return 0;
}
Output:
Enter number 5
5 4 3 2 1
LAB EXERCISE-3
9. Program to solve the problem of Integer Overflow
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>

/* Returns 0 and stores a + b in *result, or -1 without touching *result
   when the sum would overflow. Both directions are checked: a positive b
   can push the sum past INT_MAX, a negative b can push it below INT_MIN
   (and for a negative b the expression INT_MAX - b would itself overflow). */
int addOvf(int *result, int a, int b)
{
    printf("INT_MAX:%d", INT_MAX);
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *result = a + b;
    return 0;
}

int main()
{
    int *res = (int *)malloc(sizeof(int));
    int x = 2147483640;
    int y = 10;
    if (res == NULL)
        return 1;
    *res = 0;   /* defined value to print when the addition is refused */
    printf("\nno addition occurred so:%d", addOvf(res, x, y));
    printf("\nvalue of result: %d", *res);
    free(res);
    getchar();
    return 0;
}
Output:
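Added example (not part of the lab sheet) that carries exercise 9's idea over to multiplication, where the check has to handle negative operands too, and to the count * size computation in front of malloc(), where a wrapped size silently yields a buffer smaller than what gets written into it. mulOvf, allocArray and allocArrayAccepts are names chosen here.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Checked signed multiplication in the style of exercise 9's addOvf():
 * returns 0 and stores a * b, or -1 when the product does not fit in int.
 * The checks divide instead of multiplying, so the overflowing product
 * (undefined behaviour for signed int) is never actually computed. */
int mulOvf(int *result, int a, int b)
{
    if (a == 0 || b == 0) {
        *result = 0;
        return 0;
    }
    if (a > 0) {
        /* positive * positive must stay <= INT_MAX,
           positive * negative must stay >= INT_MIN */
        if (b > 0 ? a > INT_MAX / b : b < INT_MIN / a)
            return -1;
    } else {
        /* negative * positive must stay >= INT_MIN,
           negative * negative must stay <= INT_MAX (covers INT_MIN * -1) */
        if (b > 0 ? a < INT_MIN / b : a < INT_MAX / b)
            return -1;
    }
    *result = a * b;
    return 0;
}

/* Allocation size is where multiplication overflow bites in practice:
 * count * size wraps around in size_t and malloc() returns a buffer far
 * smaller than the caller then fills. Refuse the request instead. */
void *allocArray(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;                    /* product would wrap: refuse */
    return malloc(count * size);
}

/* Helper: 1 if allocArray() accepted the request (the block is freed). */
int allocArrayAccepts(size_t count, size_t size)
{
    void *p = allocArray(count, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}
```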
10. Program to solve problem of Format String
#include <stdio.h>

int main(int argc, char *argv[])
{
    /* Variable declaration */
    char user_input[100];
    printf("enter the input string");
    scanf("%99s", user_input);   /* field width keeps the read inside the buffer */
    printf("resultant input");
    /* correct specification: the user string is passed as a data argument,
       never as the format argument, so any %-directives it contains are
       printed literally instead of being interpreted by printf */
    printf("%s", user_input);
    return 0;
}
Output:
LAB EXERCISE-4
11. Make a list of code analysis tools.
1. Coverity- It performs inter-procedural dataflow analysis and statistical analysis.
2. Fortify- It identifies vulnerabilities early in the SDLC, hence decreasing the cost of fixing
them. It acts as a mentor, as it guides developers regarding security flaws while they work.
3. Klocwork- Using this tool, developers can create more secure and reliable applications by
analysing source code on the fly, simplifying peer code reviews and extending the life of
complex applications.
4. PREfast- It is developed by Microsoft as part of a major push to improve quality assurance.
PREfast is a lightweight static analysis tool for C++. It only finds bugs within a single procedure.
12. Make a list of tools which can be used for penetration testing.
1. Wireshark - Wireshark allows the pentester to put a network interface into promiscuous
mode and therefore see all traffic. This tool has many features, such as being able to capture data
from a live network connection or read from a file of already-captured packets.
2. Metasploit - Developed by Rapid7 and widely used by pentesters and ethical hackers. The
Metasploit Project is a security project which delivers information about security
vulnerabilities and aids penetration testing and intrusion detection.
3. Nmap - Nmap (Network Mapper) is the de facto security scanner used to discover hosts and
services on a computer network. To discover hosts on a network, Nmap sends specially built
packets to the target host and then analyzes the responses.
4. Nessus - Nessus scans for various types of vulnerabilities, i.e. holes that attackers could
exploit to gain control of or access to a computer system or network.
LAB EXERCISE-5
13. Test the application for XSS attacks using various cheat sheets available
on OWASP.
14. Demonstrate SQL injection using WebGoat.
15. Demonstrate command injection using WebGoat.