Semester: VII
Subject: Secure Application Development Lab
services. Some bot programs run automatically, while others only execute commands when
they receive specific input. Common examples of bot programs are crawlers, chatroom bots
and malicious bots.
2. Laboratory Exercise Procedure
Study and explain various laws of cyber security.
Write down various standards of cyber security.
3. Post-Experiments Exercise
A. Extended Theory:
Describe statistics of main vulnerabilities.
B. Questions:
1. What are the different types of attacks?
2. What do you understand by cyber attack?
C. Conclusion:
1. Write what was performed in the experiment.
2. Write the significance of the topic studied in the experiment.
D. References:
1. https://mrcet.com/pdf/Lab%20Manuals/IT/CYBER%20SECURITY%20(R18A0521).pdf
2. Cyber Security Essentials, James Graham, Richard Howard and Ryan Olson, CRC Press.
3. Introduction to Cyber Security, Chwan-Hwa (John) Wu, J. David Irwin, CRC Press, T&F Group.
1. Pre-Experiment Exercise:
Brief Theory:
The Security System Development Life Cycle (SecSDLC) is defined as the set of procedures that
are executed in sequence within the software development life cycle (SDLC). It is designed to
help developers create software and applications in a way that significantly reduces security
risks at later stages by addressing them from the start. SecSDLC is similar to the Software
Development Life Cycle (SDLC), but the two differ in the activities that are carried out in each
phase of the cycle. SecSDLC is aimed at eliminating security vulnerabilities: its process involves
identifying threats and the risks they pose to a system, and implementing the security controls
needed to counter, remove and manage those risks. In the SDLC process, by contrast, the focus
is mainly on the design and implementation of an information system.
Phases involved in SecSDLC are:
• System Investigation: This process is initiated by the officials/directives at the top level of
management in the organization. The objectives and goals of the project are settled beforehand
in order to execute this process. An Information Security Policy is defined which describes the
security applications and programs installed, along with their implementation in the
organization's systems.
• System Analysis: In this phase, a detailed analysis of the documents from the System
Investigation phase is carried out. Existing security policies, applications and software are
analyzed in order to check for flaws and vulnerabilities in the system. Possible upcoming threats
are also analyzed. Risk management falls under this phase.
• Logical Design: The Logical Design phase deals with the development of tools and the
blueprints that the various information security policies, their applications and software will
follow. Backup and recovery policies are also drafted in order to prevent future losses, and the
steps the business must take in case of a disaster are planned. The decision whether to
outsource the project is also taken in this phase: it is analyzed whether the project can be
completed within the company itself or needs to be sent to another company for the specific
task.
• Physical Design: The technical teams acquire the tools and blueprints needed to implement
the software and the application of the system security. During this phase, different solutions
are investigated for any unforeseen issues that may be encountered in the future. They are
analyzed and written down in order to cover most of the vulnerabilities that were missed during
the analysis phase.
• Implementation: The solution decided on in the earlier phases is finalized, whether the
project is in-house or outsourced. Proper documentation of the product is provided so that the
requirements specified for the project are met. The implementation and integration of the
project are carried out with the help of various teams, which aggressively test whether the
product meets the system requirements specified in the system documentation.
• Maintenance: After the security program has been implemented, it must be ensured that it is
functioning properly and is managed accordingly. The security program must be kept up to
date in order to counter new threats that may have gone unseen at the time of design.
2. Laboratory Exercise Procedure
Study any of the case studies from the references and the difference between the software
development life cycle and the security development life cycle.
3. Post-Experiments Exercise
A. Extended Theory:
1. Describe how secure coding can be incorporated into the software development
process.
2. List the major types of coding errors and their root cause.
3. Describe good software development practices and explain how they impact
application security.
B. Questions:
1. List and discuss Secure SDLC Best Practices
C. Conclusion:
1. Write what was performed in the experiment.
2. Write the significance of the topic studied in the experiment.
D. References:
• Case study 1: https://quod.lib.umich.edu/j/jsais/11880084.0001.103/--case-study-of-the-application-of-the-systems-development?rgn=main;view=fulltext
• Case study 2: https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1700
• https://snyk.io/l
Theory:
What is OWASP Top 10?
The OWASP Top 10 is a standard document listing the ten most impactful web application
security risks in the world. The Open Web Application Security Project (OWASP) foundation
publishes a new version every three years. OWASP collects data from companies that specialize
in application security, and from individuals through industry surveys. All of the results are
ranked by impact and prevalence, and the top ten risks are then selected. The OWASP Top Ten
does not cover all vulnerabilities, but it is a solid starting point for security testers, developers
and organizations who want to identify vulnerabilities and implement measures to protect
against these security risks.
• Insecure deserialization
Insecure deserialization happens when the developer does not check serialized data that a user
sends to the application. This is another vulnerability where a lack of input validation can lead
to serious security problems. It is hard to exploit, but when it works, it can lead to either remote
code execution or denial of service.
• Using components with known vulnerabilities
You might have completely secured your own code, but what about the dependencies you are
using? Have you checked them, or just imported them into your code? There is a high chance
that one or more of them are vulnerable. Unfortunately, using components with known
vulnerabilities has led to many serious breaches in the past, and will cause many more to come.
But you already have the tools to check for them.
• Insufficient logging and monitoring
When a hacker infiltrates a network, the IT systems generate traffic that usually does not match
the normal pattern, unless you are dealing with highly skilled hackers who have the time and
money to go after your IT infrastructure. If you cannot detect this abnormal behavior as soon as
possible, you are essentially giving them enough time to achieve their goal. Logging and
monitoring should be part of your essential security infrastructure, because you simply cannot
defend what you do not know about.
OWASP Top 10 vulnerabilities 2021:
• A01:2021-Broken Access Control moves up from the fifth position to become the category
with the most serious web application security risk; the contributed data indicates that, on
average, 3.81% of applications tested had one or more Common Weakness Enumerations
(CWEs), with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped
to Broken Access Control had more occurrences in applications than any other category.
• A02:2021-Cryptographic Failures shifts up one position to #2. It was previously known as
A3:2017-Sensitive Data Exposure, which was a broad symptom rather than a root cause. The
renewed name focuses on failures related to cryptography, as has implicitly been the case
before. This category often leads to sensitive data exposure or system compromise.
• A03:2021-Injection slides down to the third position. 94% of the applications were tested
for some form of injection, with a maximum incidence rate of 19% and an average incidence
rate of 3.37%, and the 33 CWEs mapped to this category have the second most occurrences in
applications, with 274k occurrences. Cross-site Scripting is now part of this category in this
edition.
• A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design
flaws. If we genuinely want to "move left" as an industry, we need more threat modelling,
secure design patterns and principles, and reference architectures. An insecure design cannot
be fixed by a perfect implementation because, by definition, the needed security controls were
never created to defend against specific attacks.
• A05:2021-Security Misconfiguration moves up from its position in the previous edition; 90%
of applications were tested for some form of misconfiguration, with an average incidence rate
of 4.5% and over 208k occurrences of CWEs mapped to this risk category. With more shifts
into highly configurable software, it is not surprising to see this category move up. The former
category A4:2017-XML External Entities (XXE) is now part of this risk category.
• A06:2021-Vulnerable and Outdated Components was previously titled Using Components
with Known Vulnerabilities and features in the Top 10 community survey, but also had enough
data to make the Top 10 via data analysis. This category moves up from its 2017 position and
is a known issue that we struggle to test and assess the risk of. It is the only category not to
have any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so
default exploit and impact weights of 5.0 are factored into its scores.
• A07:2021-Identification and Authentication Failures was previously Broken
Authentication and is sliding down from the second position, and now includes CWEs
that are more related to identification failures. This category is still an integral part of
the Top 10, but the increased availability of standardized frameworks seems to be
helping.
• A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on
making assumptions related to software updates, critical data and CI/CD pipelines without
verifying integrity. It has one of the highest weighted impacts from Common Vulnerabilities
and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10
CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.
• A09:2021-Security Logging and Monitoring Failures was previously A10:2017-Insufficient
Logging & Monitoring and is added from the Top 10 community survey, moving up from its
previous position. This category is expanded to include more types of failures, is challenging
to test for, and is not well represented in the CVE/CVSS data. However, failures in this category
can directly impact visibility, incident alerting and forensics.
• A10:2021-Server-Side Request Forgery is added from the Top 10 community survey.
The data shows a relatively low incidence rate with above average testing coverage,
along with above-average ratings for Exploit and Impact potential. This category
represents the scenario where the security community members are telling us this is
important, even though it's not illustrated in the data at this time.
Conclusion: The OWASP Top 10 Web App Vulnerabilities represent a broad consensus among
security experts about the most common security risks facing organizations. The vision behind
the OWASP Top 10 Application Security Risks is to build a culture of secure web development
and web application security through awareness creation.
Theory:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn
vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools
in a legal environment, help web developers better understand the processes of securing web
applications and aid teachers/students to teach/learn web application security in a classroom
environment. The aim of DVWA is to practice some of the most common web vulnerabilities,
with various levels of difficulty, with a simple straightforward interface.
Conclusion: Successfully installed XAMPP and DVWA and performed command injection at all
security levels (low, medium and high).
Theory:
➢ OAT-021: Denial of Inventory – Deplete goods or services stock without ever completing
the purchase or committing to the transaction. Selection and holding of items from a limited
inventory or stock which are never actually bought, paid for or confirmed, such that other users
are unable to buy/pay/confirm the items themselves.
Denial of Inventory is most commonly thought of as taking e-commerce items out of circulation
by adding many of them to a cart/basket; the attacker never actually proceeds to checkout to
buy them, but contributes to a possible stock-out condition. A variation of this automated threat
event is making reservations (e.g., hotel rooms, restaurant tables, holiday bookings, flight
seats), and/or click-and-collect without payment. But this exhaustion of inventory availability
also occurs in other types of web application, such as in the assignment of non-goods like
service allocations, product rations, availability slots, queue positions and budget
apportionments.
➢ OAT-005: Scalping – Acquisition of goods or services using the application in a manner that
a normal user would be unable to undertake manually. Although Scalping may include
monitoring while awaiting availability of the goods or services, and then rapid action to beat
normal users to obtain them, Scalping is not a "last minute" action like OAT-013 Sniping, nor
just automation on behalf of the user as in OAT-006 Expediting. This is because Scalping
includes the additional concept of limited availability of sought-after goods or services, and is
best known in the ticketing business, where the tickets acquired are later resold at a profit by
the scalpers/touts. This can also lead to a type of user denial of service, since the goods or
services become unavailable rapidly.
➢ OAT-013: Sniping – Last-minute bid or offer for goods or services. The defining
characteristic of sniping is an action undertaken at the latest opportunity to achieve a particular
objective, leaving insufficient time for another user to bid/offer. Sniping can also be the
automated exploitation of system latencies in the form of timing attacks. Careful timing and
prompt action are necessary parts. It is best known as auction sniping, but the same threat event
can be used in other types of applications. Sniping normally leads to some dis-benefit for other
users, and sometimes that might be considered a form of denial of service. Sniping is also known
by terms such as auction sniping, bid sniper, frontrunning, last look, last minute bet and timing
attack.
➢ OAT-006: Expediting – Perform actions to hasten the progress of usually slow, tedious or
time-consuming operations. Using speed to violate explicit or implicit assumptions about the
application's normal use to achieve unfair individual gain, often associated with deceit and loss
to some other party. In contrast to OAT-016 Skewing, which affects metrics, Expediting is
purely related to faster progression through a series of application processes. OAT-017
Spamming is different from Expediting, since the focus of spam is to add information and may
not involve the concept of process progression. Expediting is also known by terms such as
algorithmic trading, automated stock trading, betting automation, game automation, gaming
bot, gold farming, financial instrument dealing, high-frequency trading, last look trade, mining,
purchase automation, trading automation, ticketing automation and virtual wealth generation bot.
➢ OAT-016: Skewing – Repeated link clicks, page requests or form submissions intended to
alter some metric. It is automated repeated clicking, requesting or submitting of content that
affects application-based metrics such as counts and measures of frequency and/or rate. The
metric or measurement may be visible to users (e.g., betting odds, likes, market/dynamic
pricing, visitor count, poll results and reviews) or hidden (e.g., application usage statistics,
business performance indicators). Metrics may affect individuals as well as the application
owner, e.g., user reputation, influencing others, gaining fame, or undermining someone else's
reputation. Skewing is also known by terms such as biasing KPIs, hit count fraud, metric and
statistic skewing, page impression fraud, poll fraud, poll skewing and rating/review skewing.
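Added example (not from the lab manual or the OWASP handbook): one server-side control against OAT-021 Denial of Inventory as described above. Units placed in a basket are only held for a limited time and each account may hold only a few units, so baskets that are filled but never checked out return their stock automatically. The item id, the limits and the timestamps are constructed for the demonstration.

```javascript
// Inventory holds with a time-to-live and a per-account cap. Stock that is merely
// sitting in a basket comes back into circulation when the hold expires.
class InventoryHolds {
  constructor({ holdTtlMs, maxUnitsPerAccount }) {
    this.holdTtlMs = holdTtlMs;
    this.maxUnitsPerAccount = maxUnitsPerAccount;
    this.stock = new Map();   // itemId -> units neither held nor sold
    this.holds = [];          // { itemId, accountId, qty, expiresAt }
  }

  addStock(itemId, qty) {
    this.stock.set(itemId, (this.stock.get(itemId) || 0) + qty);
  }

  // Return units from expired holds to stock. Called on every operation so the view of
  // availability is always current without needing a background timer.
  _expire(now) {
    const live = [];
    for (const h of this.holds) {
      if (h.expiresAt <= now) this.stock.set(h.itemId, this.stock.get(h.itemId) + h.qty);
      else live.push(h);
    }
    this.holds = live;
  }

  _heldBy(accountId) {
    return this.holds.filter(h => h.accountId === accountId).reduce((n, h) => n + h.qty, 0);
  }

  // Place a hold. Refuses non-integer quantities, holds above the per-account cap and
  // requests that exceed what is actually free right now.
  reserve(itemId, accountId, qty, now) {
    this._expire(now);
    if (!Number.isInteger(qty) || qty <= 0) return { ok: false, reason: "bad-quantity" };
    if (this._heldBy(accountId) + qty > this.maxUnitsPerAccount) {
      return { ok: false, reason: "account-limit" };
    }
    const avail = this.stock.get(itemId) || 0;
    if (avail < qty) return { ok: false, reason: "out-of-stock" };
    this.stock.set(itemId, avail - qty);
    const expiresAt = now + this.holdTtlMs;
    this.holds.push({ itemId, accountId, qty, expiresAt });
    return { ok: true, expiresAt };
  }

  // Convert the account's live holds into a sale; those units never return to stock.
  checkout(accountId, now) {
    this._expire(now);
    const mine = this.holds.filter(h => h.accountId === accountId);
    this.holds = this.holds.filter(h => h.accountId !== accountId);
    return mine.reduce((n, h) => n + h.qty, 0);
  }

  available(itemId, now) {
    this._expire(now);
    return this.stock.get(itemId) || 0;
  }
}

// Constructed scenario: 10 tickets, a 15-minute hold, at most 4 units per account.
// One automated account fills its basket and never checks out; a real buyer arrives later.
function denialOfInventoryScenario() {
  const inv = new InventoryHolds({ holdTtlMs: 15 * 60 * 1000, maxUnitsPerAccount: 4 });
  inv.addStock("TICKET-A", 10);
  const t0 = 0;
  const first = inv.reserve("TICKET-A", "bot", 4, t0);                 // allowed
  const second = inv.reserve("TICKET-A", "bot", 1, t0 + 1000);         // cap reached
  const duringHold = inv.available("TICKET-A", t0 + 60 * 1000);        // 6 left for others
  const afterExpiry = inv.available("TICKET-A", t0 + 16 * 60 * 1000);  // 10: hold lapsed
  const buyer = inv.reserve("TICKET-A", "alice", 2, t0 + 17 * 60 * 1000);
  const sold = inv.checkout("alice", t0 + 18 * 60 * 1000);
  const finalStock = inv.available("TICKET-A", t0 + 18 * 60 * 1000);   // 8 after the sale
  return { first: first.ok, second: second.reason, duringHold, afterExpiry,
           buyerOk: buyer.ok, sold, finalStock };
}

console.log(denialOfInventoryScenario());
```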
2. example.com
3. comodoca.com
4. gzip.org
5. webgarden.com
Theory:
What is the use of Burp Suite? Burp Suite is an integrated platform/graphical tool for performing
security testing of web applications. Its various tools work seamlessly together to support the entire
testing process, from initial mapping and analysis of an application's attack surface through to
finding and exploiting security vulnerabilities. Burp Suite is installed by default in Kali Linux.
The tool is written in Java and developed by PortSwigger Web Security. It has three editions: a
Community Edition that can be downloaded free of charge, and a Professional Edition and an
Enterprise Edition that can be purchased after a trial period. The Community Edition has
significantly reduced functionality. The tool intends to provide a comprehensive solution for web
application security checks: in addition to basic functionality such as the proxy server, scanner and
intruder, it also contains more advanced options such as a spider, a repeater, a decoder, a
comparer, an extender and a sequencer.
Burp Suite can be classified as an intercepting proxy. While browsing the target application, a
penetration tester configures their web browser to route traffic through the Burp Suite proxy
server. Burp Suite then acts as a (sort of) man in the middle, capturing each request to and
response from the target web application so that they can be analyzed. Penetration testers can
pause, manipulate and replay individual HTTP requests in order to analyze potential parameters
or injection points. Injection points can be specified for manual as well as automated fuzzing
attacks to discover potentially unintended application behaviors, crashes and error messages.
Step 3: Open the Firefox settings, search for "Network Settings" and select the manual proxy
option. Then enter the IP address and port for HTTP, HTTPS and SOCKS:
Step 4: Go to the Burp Proxy tab and turn on Intercept by clicking the button.
Step 5: Now open an unsecured (HTTP) website in the browser (Firefox); you will see that the
requests pass through the Burp proxy and you have the option to forward or drop each one.
Step 6: Dropping the requests halts the loading of the website:
Step 9: Now you will be able to edit the content of the response body and then forward it.
2. For a Secured Website
Step 1: To use the Burp proxy with a secured (HTTPS) website you have to set up its CA
certificate. Download the certificate by browsing to http://burp while the Burp proxy is on and
clicking on CA Certificate.
Step 2: Go to the Firefox settings and search for Certificates. Click on import and import the
certificate downloaded in the previous step.
Step 3: Now you can intercept the secured website in the Burp proxy as well.
Outcome: LO3: Identify main vulnerabilities inherent in applications.
Conclusion: Hence, we have successfully used the Burp Suite proxy to intercept both secured and
unsecured websites.
Lab objective: Understand how data validation and authentication can be applied to an
application.
Theory:
Forms are used in web pages for the user to enter the required details, which are then sent to the
server for processing. A form is also known as a web form or HTML form. Forms are prevalent in
e-commerce websites, online banking and online surveys, to name a few.
Validating a form: The data entered into a form needs to be in the right format, and certain fields
need to be filled in, for the submitted form to be usable. Username, password and contact
information are some details that are mandatory in forms and thus need to be provided by the
user.
Userid - This check verifies that the userid input field contains a string of 5 to 12 characters. If
not, it displays an alert.
Password - This check validates the password (it should be 7 to 12 characters long). If not, it
displays an alert.
User name - This check verifies that the user name input field contains only alphabetic
characters. If not, it displays an alert.
User address - This check verifies that the user address input field contains only alphanumeric
characters. If not, it displays an alert.
Country - This check verifies that a country has been selected from the given list. If not, it
displays an alert.
ZIP code - This check verifies that the ZIP code is a numeric value. If not, it displays an alert.
Email format - This check verifies that a valid email format is supplied. If not, it displays an
alert.
Gender - This check verifies that a sex has been selected. If not, it displays an alert. If Male or
Female is selected, it generates an alert saying that the form was successfully submitted and
reloads the form.
CODE:
sad7.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body onload="document.registration.userid.focus();">
    <h1>Registration Form</h1>
    <!-- formValidation() (sad7.js) runs on submit and cancels the default submission -->
    <form name="registration" onsubmit="return formValidation();">
    <ul>
        <li><label for="userid">User ID:</label></li>
        <li><input type="text" name="userid" id="userid" size="12" /></li>
        <li><label for="passid">Password:</label></li>
        <li><input type="password" name="passid" id="passid" size="12" /></li>
        <li><label for="username">Name:</label></li>
        <li><input type="text" name="username" id="username" size="50" /></li>
        <li><label for="address">Address:</label></li>
        <li><input type="text" name="address" id="address" size="50" /></li>
        <li><label for="country">Country:</label></li>
        <li><select name="country" id="country">
            <!-- the placeholder option carries the value "Default" that countryselect() rejects -->
            <option selected value="Default">(Please select a country)</option>
            <option value="AU">Australia</option>
            <option value="CA">Canada</option>
            <option value="IN">India</option>
            <option value="RU">Russia</option>
            <option value="US">USA</option>
        </select></li>
        <li><label for="zip">ZIP Code:</label></li>
        <li><input type="text" name="zip" id="zip" size="5" /></li>
        <li><label for="email">Email:</label></li>
        <li><input type="text" name="email" id="email" size="50" /></li>
        <li><label id="gender">Sex:</label></li>
        <li><input type="radio" name="sex" value="Male" id="msex" /><label for="msex">Male</label>
            <input type="radio" name="sex" value="Female" id="fsex" /><label for="fsex">Female</label></li>
        <li><label>Language:</label></li>
        <li><input type="checkbox" name="en" id="en" value="en" /><label for="en">English</label></li>
        <li><label for="desc">About:</label></li>
        <li><textarea name="desc" id="desc" cols="50" rows="4"></textarea></li>
        <li><input type="submit" name="submit" value="Submit" /></li>
    </ul>
    </form>
    <script src="sad7.js"></script>
</body>
</html>
sad7.js
// sad7.js - client-side validation for the registration form in sad7.html
function formValidation() {
    var uid = document.registration.userid;
    var passid = document.registration.passid;
    var uname = document.registration.username;
    var uadd = document.registration.address;
    var ucountry = document.registration.country;
    var uzip = document.registration.zip;
    var uemail = document.registration.email;
    var umsex = document.getElementById("msex");
    var ufsex = document.getElementById("fsex");
    // Each check alerts and focuses the offending field, so the chain stops at the first failure.
    if (userid_validation(uid, 5, 12)) {
        if (passid_validation(passid, 7, 12)) {
            if (allLetter(uname)) {
                if (alphanumeric(uadd)) {
                    if (countryselect(ucountry)) {
                        if (allnumeric(uzip)) {
                            if (ValidateEmail(uemail)) {
                                if (validsex(umsex, ufsex)) {
                                    // All checks passed: validsex() has reported success and reloaded the form.
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    // The default submit is always cancelled; the page is reloaded by validsex() on success.
    return false;
}
function userid_validation(uid, mx, my) {
    var uid_len = uid.value.length;
    // Length must lie within [mx, my] inclusive (5 to 12 characters).
    if (uid_len == 0 || uid_len < mx || uid_len > my) {
        alert("User Id should not be empty / length be between " + mx + " to " + my);
        uid.focus();
        return false;
    }
    return true;
}
function passid_validation(passid, mx, my) {
    var passid_len = passid.value.length;
    // Length must lie within [mx, my] inclusive (7 to 12 characters).
    if (passid_len == 0 || passid_len < mx || passid_len > my) {
        alert("Password should not be empty / length be between " + mx + " to " + my);
        passid.focus();
        return false;
    }
    return true;
}
function allLetter(uname) {
    var letters = /^[A-Za-z]+$/;     // alphabetic characters only
    if (uname.value.match(letters)) {
        return true;
    }
    else {
        alert("Username must have alphabet characters only");
        uname.focus();
        return false;
    }
}
function alphanumeric(uadd) {
    var letters = /^[0-9a-zA-Z]+$/;  // letters and digits only
    if (uadd.value.match(letters)) {
        return true;
    }
    else {
        alert("User address must have alphanumeric characters only");
        uadd.focus();
        return false;
    }
}
function countryselect(ucountry) {
    // The placeholder option in sad7.html carries the value "Default".
    if (ucountry.value == "Default") {
        alert("Select your country from the list");
        ucountry.focus();
        return false;
    }
    else {
        return true;
    }
}
function allnumeric(uzip) {
    var numbers = /^[0-9]+$/;        // digits only
    if (uzip.value.match(numbers)) {
        return true;
    }
    else {
        alert("ZIP code must have numeric characters only");
        uzip.focus();
        return false;
    }
}
function ValidateEmail(uemail) {
    var mailformat = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;
    if (uemail.value.match(mailformat)) {
        return true;
    }
    else {
        alert("You have entered an invalid email address!");
        uemail.focus();
        return false;
    }
}
function validsex(umsex, ufsex) {
    var x = 0;
    if (umsex.checked) {
        x++;
    }
    if (ufsex.checked) {
        x++;
    }
    if (x == 0) {
        alert("Select Male/Female");
        umsex.focus();
        return false;
    }
    else {
        alert("Form Successfully Submitted");
        window.location.reload();
        return true;
    }
}
OUTPUT:
Lab outcome: LO4: Apply Data Validation and Authentication for application.
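The checks in sad7.js run in the browser and are skipped entirely when the request is edited in an intercepting proxy such as the Burp proxy used in the previous experiment, so the same rules must be enforced again on the server. Added example (not part of the lab manual): a Node.js validator for the posted form body that applies the sad7.js rules, rejects duplicated and unexpected fields, and assumes the browser posts the field names used in sad7.html as application/x-www-form-urlencoded.

```javascript
// Server-side re-validation of the registration form (sad7.html). Field names and the
// country list are taken from that page; everything else here is an assumption.
const ALLOWED_COUNTRIES = new Set(["AU", "CA", "IN", "RU", "US"]);
const OPTIONAL_FIELDS = new Set(["en", "desc", "submit"]); // present in the form, not validated

// One rule per mandatory field: predicate on the raw string plus the message to return.
const RULES = {
  userid:   { ok: v => v.length >= 5 && v.length <= 12, msg: "User ID must be 5 to 12 characters" },
  passid:   { ok: v => v.length >= 7 && v.length <= 12, msg: "Password must be 7 to 12 characters" },
  username: { ok: v => /^[A-Za-z]+$/.test(v),           msg: "Name must contain letters only" },
  address:  { ok: v => /^[0-9A-Za-z]+$/.test(v),        msg: "Address must be alphanumeric" },
  country:  { ok: v => ALLOWED_COUNTRIES.has(v),        msg: "Country must be chosen from the list" },
  zip:      { ok: v => /^[0-9]+$/.test(v),              msg: "ZIP code must be numeric" },
  email:    { ok: v => /^\w+([.-]?\w+)*@\w+([.-]?\w+)*(\.\w{2,3})+$/.test(v), msg: "Invalid email" },
  sex:      { ok: v => v === "Male" || v === "Female",  msg: "Select Male/Female" },
};

// Parse a raw form body. A key that appears twice (parameter pollution) is kept as an
// array so the validator can reject it instead of silently taking the first or last value.
function parseFormBody(raw) {
  const fields = Object.create(null);   // no prototype, so "constructor" etc. are plain keys
  for (const [key, value] of new URLSearchParams(raw)) {
    fields[key] = key in fields ? [].concat(fields[key], value) : value;
  }
  return fields;
}

// Returns { ok, errors } where errors lists every failing field, not just the first.
function validateRegistration(fields) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name];
    if (typeof value !== "string") {          // missing, or duplicated into an array
      errors.push({ field: name, msg: "Field missing or sent more than once" });
    } else if (!rule.ok(value)) {
      errors.push({ field: name, msg: rule.msg });
    }
  }
  for (const name of Object.keys(fields)) {   // anything the form never had is tampering
    if (!Object.hasOwn(RULES, name) && !OPTIONAL_FIELDS.has(name)) {
      errors.push({ field: name, msg: "Unexpected field" });
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample bodies: one as the browser sends it after sad7.js accepted it, and one
// edited in a proxy after the client-side checks had already run (short password, country
// not in the list, duplicated userid, extra "role" field).
const GOOD_BODY = "userid=alice01&passid=s3cretpw&username=Alice&address=12MainSt" +
                  "&country=IN&zip=400001&email=alice@example.com&sex=Female&submit=Submit";
const TAMPERED_BODY = "userid=al&userid=alice01&passid=abc&username=Alice&address=12MainSt" +
                      "&country=ZZ&zip=400001&email=alice@example.com&sex=Female&role=admin";

console.log(validateRegistration(parseFormBody(GOOD_BODY)));
console.log(validateRegistration(parseFormBody(TAMPERED_BODY)));
```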
Lab objective: Understand how data validation and authentication can be applied to an application.
Theory:
a) SQL Injection
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the
queries that an application makes to its database. It generally allows an attacker to view data that
they are not normally able to retrieve. This might include data belonging to other users, or any
other data that the application itself is able to access. In many cases, an attacker can modify or
delete this data, causing persistent changes to the application's content or behaviour.
In some situations, an attacker can escalate an SQL injection attack to compromise the underlying
server or other back-end infrastructure, or perform a denial-of-service attack.
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in
different situations. Some common SQL injection examples include:
• Retrieving hidden data, where you can modify an SQL query to return additional results.
• Subverting application logic, where you can change a query to interfere with the
application's logic.
• UNION attacks, where you can retrieve data from different database tables.
• Examining the database, where you can extract information about the version and structure
of the database.
• Blind SQL injection, where the results of a query you control are not returned in the
application's responses.
b) Cross-Site Scripting (XSS)
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an
attacker to compromise the interactions that users have with a vulnerable application. It allows
an attacker to circumvent the same origin policy, which is designed to segregate different websites
from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade
as a victim user, to carry out any actions that the user is able to perform, and to access any of
the user's data. If the victim user has privileged access within the application, then the attacker
might be able to gain full control over all of the application's functionality and data.
Implementation:
a) SQL Injection
In this website, we entered a specially formatted input in the password field:
105' OR '1'='1
which made the internal SQL query:
SELECT * FROM users WHERE username = '105' AND ... OR '1'='1'
Code/output:
b) Cross-site scripting (XSS)
In this website, I entered a script tag with custom JavaScript code in the search query of the
page, and as the text of the query was placed in the result page, the script got executed and an
alert was shown with the custom message that I had written in the code.
Lab outcome: LO4: Apply Data Validation and Authentication for application.
Conclusion: Hence, we have successfully applied SQL injection and Cross-Site Scripting.
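Added example (not part of the lab manual): why the `105' OR '1'='1` input from the experiment above changes a string-concatenated query but not a parameterised one, and the output encoding that stops a reflected search term from running as script. The `users`/`username`/`password` names mirror the query shown above; the `{sql, params}` pair stands in for a real driver's prepared-statement API (an assumption, not a library call).

```javascript
// Vulnerable: the attacker's text becomes part of the SQL grammar.
function buildLoginQueryUnsafe(username, password) {
  return "SELECT * FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened: the SQL text is fixed at development time; values travel separately and the
// database binds them as data, so a quote in the value can never close a literal.
function buildLoginQuerySafe(username, password) {
  return { sql: "SELECT * FROM users WHERE username = ? AND password = ?",
           params: [username, password] };
}

// Reduce a query to its "shape": every single-quoted literal becomes a placeholder. If the
// shape varies with user input, the input has reached the SQL parser and injection is possible.
function queryShape(sql) {
  let out = "", i = 0;
  while (i < sql.length) {
    if (sql[i] === "'") {
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'" && sql[j + 1] === "'") { j += 2; continue; } // doubled quote inside literal
        if (sql[j] === "'") break;
        j++;
      }
      out += "?";
      i = j + 1;
    } else {
      out += sql[i++];
    }
  }
  return out.replace(/\s+/g, " ").trim();
}

// Encoding for HTML text content: the five characters that can break out of it.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The results page reflects the search term; only the hardened path encodes it first.
function renderSearchResult(term, encode) {
  return "<p>Results for: " + (encode ? escapeHtml(term) : term) + "</p>";
}

// Demonstration with the experiment's input in the password field.
const PAYLOAD = "105' OR '1'='1";
console.log(queryShape(buildLoginQueryUnsafe("alice", "secret")));  // fixed shape, benign input
console.log(queryShape(buildLoginQueryUnsafe("alice", PAYLOAD)));   // extra OR ?=? condition
console.log(queryShape(buildLoginQuerySafe("alice", PAYLOAD).sql)); // unchanged by the input
console.log(renderSearchResult("<script>alert('XSS')</script>", true));
```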
Output:
Lab outcome: LO5: Apply Security at Session Layer Management.
Conclusion: Hence, we have successfully implemented Session Management for Web
Applications.
Theory:
CRYPTOGRAPHY: Cryptography is a method of protecting information and communications
through the use of codes, so that only those for whom the information is intended can read and
process it.
In computer science, cryptography refers to secure information and communication techniques
derived from mathematical concepts and a set of rule-based calculations called algorithms, to
transform messages in ways that are hard to decipher.