Lab Manual for Secure Coding & Secure Engineering


Upload: vasundhara-ghose

Post on 17-Jan-2017



LAB EXERCISE-1

1. Make a list of OWASP top 10 vulnerabilities.

A1- Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2- Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3- Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4- Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5- Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6- Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7- Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8- Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9- Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10- Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

2. Make a list of tools that are available to scan and report vulnerabilities in web applications and network.

Tools to scan and report Vulnerabilities in WEB APPLICATION

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available, and all of these tools have their own strengths and weaknesses. Some of them are listed below:

1. Grabber

Grabber is a nice web application scanner which can detect many security vulnerabilities in web applications. It is not as fast as other security scanners, but it is simple and portable. It should be used only to test small web applications, because it takes too much time to scan large applications.

2. Vega

Vega is another free, open source web vulnerability scanner and testing platform. This tool is written in Java and offers a GUI based environment.

3. Zed Attack Proxy

This tool is open source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms. It can be used as a scanner by inputting the URL to scan, or as an intercepting proxy to manually perform tests on specific pages.

4. Wapiti

Wapiti is a web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data.

5. W3af

W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It is developed using Python.

Tools to scan and report Vulnerabilities in NETWORK

Vulnerability scanners can help you automate security auditing and can play a crucial part in your IT security. They can scan your network and websites for up to thousands of different security risks, producing a prioritized list of those you should patch, describing the vulnerabilities, and giving steps on how to remediate them. Some of them are listed below:

1. OpenVAS

OpenVAS is a security scanner which runs only on Linux. It does the actual work of scanning and receives a daily updated feed of Network Vulnerability Tests (NVTs).

2. Retina

To scan, you can choose from a variety of scan and report templates and specify an IP range to scan, or use the smart selection function. You can provide any necessary credentials for scanned assets that require them and choose how you want the report delivered, including email delivery or alerts.

3. SecureCheq

SecureCheq can perform local scans on Windows desktops and servers, identifying various insecure advanced Windows settings as defined by CIS, ISO or COBIT standards. It concentrates on common configuration errors related to OS hardening, data protection, communication security, user account activity and audit logging.

4. Qualys FreeScan

Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet-facing or local servers or machines. You initially access it via their web portal and then download their virtual machine software if running scans on your internal network.

5. Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on Windows desktops and servers, identifying any missing service packs, security patches, and common security misconfigurations.

3. Install WebGoat

WebGoat is a platform independent environment. It utilizes Apache Tomcat and the Java development environment. Installers are provided for Microsoft Windows and UNIX environments, together with notes for installation on other platforms.

Installing Java and Tomcat

Installing Java

Install and deploy the appropriate version from http://java.sun.com/downloads/ (1.4.1 or later).

Installing Tomcat

Install and deploy core Tomcat from http://tomcat.apache.org/download-55.cgi

Installing to Windows

Unzip WebGoat-OWASP_Standard-5.2.zip to your working environment.

To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat".

Start your browser and browse to: http://localhost/WebGoat/attack. This link is case-sensitive.

LAB EXERCISE-2

4. Write a program in C/C++ using string functions.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char s1[20] = "BeginnersBook";
    char s2[20] = "BeginnersBook.COM";

    /* strncmp compares only the first 8 characters of s1 and s2,
     * so the two strings compare equal here */
    if (strncmp(s1, s2, 8) == 0) {
        printf("string 1 and string 2 are equal\n");
    } else {
        printf("string 1 and 2 are different\n");
    }
    return 0;
}

5. Write a program to show problem of Buffer Overflow

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;

    printf("\n Enter the password : \n");
    /* gets() has no bound: input longer than 14 characters overflows
     * buff and overwrites the adjacent variable pass. This is the
     * defect the exercise demonstrates; gets() was removed from C11. */
    gets(buff);
    printf("buff:%s", buff);

    if (strcmp(buff, "theism.tech")) {
        printf("\n Wrong Password \n");
    } else {
        printf("\n Correct Password \n");
        pass = 1;
    }

    if (pass) {
        /* Now give root or admin rights to the user */
        printf("\n Root privileges given to the user \n");
    }
    return 0;
}

Output:

6. Write a program to show problem of Stack Overflow.

#pragma check_stack(off)
#include <string.h>
#include <stdio.h>
#include <conio.h>   /* getch(); Windows/Turbo C only, as is the pragma above */

void foo(const char *input)
{
    char buf[5];

    /* printf with %p conversions but no arguments reads whatever is on
     * the stack; it is done deliberately here to display the stack */
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    /* unbounded copy: input longer than 4 characters overruns buf and
     * overwrites what lies above it on the stack, including the saved
     * return address (this is the defect the exercise demonstrates) */
    strcpy(buf, input);
    printf("%s\n", buf);
    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char *argv[])
{
    char input[100];

    printf("Address of foo = %p\n", foo);
    printf("Address of bar = %p\n", bar);
    printf("enter the input");
    scanf("%99s", input);   /* width keeps input[] itself from overflowing */
    foo(input);
    getch();
    return 0;
}

Output:

7. Write a program to show without problem of Buffer Overflow

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char *str = malloc(16);   /* allocate 16 bytes for str */
    int pass = 0;

    if (str == NULL)
        return 1;
    printf("\n Enter the password : \n");
    /* fgets reads at most 15 characters plus the terminator, so it
     * cannot overflow the 16-byte allocation; the size argument must
     * never exceed the buffer size */
    if (fgets(str, 16, stdin) != NULL) {
        str[strcspn(str, "\n")] = '\0';   /* drop the newline fgets keeps */
        printf("buff:%s", str);
        if (strcmp(str, "theismm.tech")) {
            printf("\n Wrong Password \n");
        } else {
            printf("\n Correct Password \n");
            pass = 1;
        }
    }
    if (pass) {
        /* Now give root or admin rights to the user */
        printf("\n Root privileges given to the user \n");
    }
    free(str);
    return 0;
}

Output:

Enter The password:

TheIsmm.tech

Correct password

Root privileges given to the user
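An added example, not from the lab manual, that generalises exercises 5 and 7: the line is read with a bound, and input that did not fit the buffer is reported and rejected rather than compared after truncation. The names read_line and check_password and the sample inputs are my own; fmemopen (POSIX) is used only to feed the constructed input.

```c
/* Added example (not from the lab manual): read a password line into a
 * fixed buffer without the overflow gets() permits in exercise 5, and
 * report input that did not fit instead of silently truncating it.
 * fmemopen() (POSIX) feeds constructed sample input so this runs offline. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
enum { READ_OK = 0, READ_EOF = -1, READ_TOO_LONG = -2 };

/* Reads one line from `in` into buf[cap] and strips the newline. If the
 * line was longer than the buffer, the remainder is drained and
 * READ_TOO_LONG returned so the caller rejects it rather than comparing
 * a truncated copy. */
int read_line(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return READ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in);         /* no newline in buf: did the line end here? */
    if (c == EOF || c == '\n')
        return READ_OK;        /* it fit exactly (or was the last line) */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                      /* discard the part that did not fit */
    return READ_TOO_LONG;
}

/* Exercise-7 style check on a safely read line: 1 only if the line fit
 * the 15-byte buffer and matched `expected`, otherwise 0. */
int check_password(const char *line_input, const char *expected)
{
    char buff[15];
    FILE *in = fmemopen((void *)line_input, strlen(line_input), "r");
    if (in == NULL)
        return 0;
    int rc = read_line(buff, sizeof buff, in);
    fclose(in);
    return rc == READ_OK && strcmp(buff, expected) == 0;
}

int main(void)
{
    /* constructed inputs; the second is what gets() would overflow buff with */
    printf("%d\n", check_password("theism.tech\n", "theism.tech"));                    /* 1 */
    printf("%d\n", check_password("theism.techAAAAAAAAAAAAAAAAAAAA\n", "theism.tech")); /* 0 */
    return 0;
}
```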

8. Write a program to show without problem of Stack Overflow.

#include <stdio.h>

int recur(int n)
{
    if (n <= 0)
        return 0;   /* termination condition to avoid infinite recursion */
    printf("%d ", n);
    /* recurse on n - 1; passing n-- would pass n unchanged and never terminate */
    return recur(n - 1);
}

/* main function */
int main(void)
{
    int n;

    printf("enter number ");
    if (scanf("%d", &n) != 1)
        return 1;
    recur(n);
    printf("\n");
    return 0;
}

Output:

Enter number 5

5 4 3 2 1

LAB EXERCISE-3

9. Program to solve the problem of Integer Overflow

#include <stdio.h>
#include <limits.h>

/* Returns 0 and stores a + b in *result, or -1 if the sum would not fit
 * in an int. The test is arranged so the overflowing sum is never
 * computed, since signed overflow is undefined behaviour in C. */
int addOvf(int *result, int a, int b)
{
    printf("INT_MAX:%d", INT_MAX);
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *result = a + b;
    return 0;
}

int main(void)
{
    int res = 0;
    int x = 2147483640;
    int y = 10;

    printf("\nno addition occurred so:%d", addOvf(&res, x, y));
    printf("\nvalue of result: %d", res);
    getchar();
    return 0;
}

Output:
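Exercise 9 checks only addition. As an added example that is not the lab manual's code, the helpers below apply the same idea, never evaluating the expression that would overflow, to both signs of the operands and to subtraction and multiplication. safe_add, safe_sub, safe_mul and checked_add are names I chose.

```c
/* Added example (not from the lab manual): overflow checks for int
 * addition, subtraction and multiplication that never evaluate the
 * overflowing expression itself (signed overflow is undefined in C). */
#include <limits.h>
#include <stdio.h>

/* Each returns 0 and stores the result, or -1 if it does not fit in int. */
int safe_add(int *r, int a, int b)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *r = a + b;
    return 0;
}

int safe_sub(int *r, int a, int b)
{
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b))
        return -1;
    *r = a - b;
    return 0;
}

int safe_mul(int *r, int a, int b)
{
    if (a == 0 || b == 0) { *r = 0; return 0; }
    /* divide the bound by one operand and compare with the other; the
     * sign combination decides whether INT_MAX or INT_MIN is the bound */
    if (a > 0 ? (b > 0 ? a > INT_MAX / b : b < INT_MIN / a)
              : (b > 0 ? a < INT_MIN / b : a < INT_MAX / b))
        return -1;
    *r = a * b;
    return 0;
}

/* Value-returning wrapper: the sum, or on_overflow when it does not fit. */
int checked_add(int a, int b, int on_overflow)
{
    int r;
    return safe_add(&r, a, b) == 0 ? r : on_overflow;
}

int main(void)
{
    /* the exercise-9 values: 2147483640 + 10 does not fit in a 32-bit int */
    printf("%d\n", safe_add(&(int){0}, 2147483640, 10));   /* -1 */
    printf("%d\n", checked_add(-5, -3, 0));                  /* -8 */
    printf("%d\n", safe_mul(&(int){0}, 65536, 65536));      /* -1 */
    return 0;
}
```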

10. Program to solve problem of Format String

#include <stdio.h>
#include <conio.h>   /* clrscr() and getch(); Windows/Turbo C only */

int main(int argc, char *argv[])
{
    /* Variable declaration */
    char user_input[100];

    clrscr();   /* other variable definitions and statements */
    printf("enter the input string");
    scanf("%99s", user_input);   /* getting a string from user; the width bounds it */
    printf("resultant input");
    /* correct specification: the user's data is passed as an argument,
     * never as the format string itself, so any %-sequences it contains
     * are printed literally instead of being interpreted */
    printf("%s", user_input);
    getch();
    return 0;
}

Output:

LAB EXERCISE-4

11. Make a list of code analysis tools.

1. Coverity - It performs inter-procedural dataflow analysis and statistical analysis.

2. Fortify - It identifies vulnerabilities early in the SDLC, hence decreasing the cost of fixing them. It acts as a mentor, as it guides developers regarding security flaws while they work.

3. Klocwork - Using this tool, developers can create more secure and reliable applications by analysing source code on-the-fly, simplifying peer code reviews and extending the life of complex applications.

4. PREfast - It is developed by Microsoft as part of a major push to improve quality assurance. PREfast is a lightweight static analysis tool for C++. It only finds bugs within a single procedure.

12. Make a list of tools which can be used for penetration testing.

1. Wireshark - Wireshark allows the pentester to put a network interface into promiscuous mode and therefore see all traffic. This tool has many features, such as being able to capture data from a live network connection or read from a file of already-captured packets.

2. Metasploit - Developed by Rapid7 and used by every pentester and ethical hacker in the world. Period. The Metasploit Project is a security project which delivers information about security vulnerabilities and helps penetration testing and intrusion detection.

3. Nmap - Nmap (Network Mapper) is the de facto security scanner which is used to discover hosts and services on a computer network. To discover hosts on a network, Nmap sends specially built packets to the target host and then analyzes the responses.

4. Nessus - Nessus scans for various types of vulnerabilities: ones that check for holes that hackers could exploit to gain control of or access to a computer system or network.

LAB EXERCISE-5

13. Test the application for XSS attacks using various cheat sheets available on OWASP.


LAB EXERCISE-5

14. Demonstrate SQL injection using WebGoat.


15. Demonstrate command injection using WebGoat.