
THAMIRABHARANI ENGINEERING COLLEGE

THATCHANALLUR

CCS374 - WEB APPLICATION SECURITY


LABORATORY

Name : ……………………………………….

Reg. No : ……………………………………….
THAMIRABHARANI ENGINEERING COLLEGE
THATCHANALLUR

BONAFIDE CERTIFICATE

Certified that this is the Bonafide Record of the work done by Mr.
/Ms. Register No
of III year/ VI semester in Department of Computer Science and
Engineering of this college in the CCS374 - Web Application Security
Laboratory during 2023-2024 in partial fulfillment of the requirement of
the B.E. Degree course of the Anna University, Chennai.

Staff in-Charge Head of the Department

Submitted for the Practical Examination held on

Internal Examiner External Examiner


INDEX

Ex. No. Date Experiment Name Page No. Sign


Ex. No 1. ANALYZE THE DIFFERENCE BETWEEN HTTP VS HTTPS

Aim :

To analyze the difference between HTTP and HTTPS using Wireshark

Introduction about wireshark


Wireshark is software that is widely used in the analysis of data packets in a network. Wireshark is
completely free and open source. This packet analyzer is used for a variety of purposes like troubleshooting
networks, understanding communication between two systems, developing new protocols, etc.

Step 1: Prerequisites

a) You should have a running Windows System.

b) You should have access to install software in the System.

c) You should have an active Internet connection.

Step 2: Download Wireshark

Visit the official website and download Wireshark for a 64-bit Windows system using the highlighted link below.

Once you click the download link, the installer starts downloading to the local system as shown below.

Step 3: Install Wireshark

Then double-click the downloaded installer to start the installation. It first shows the setup wizard below,
asking you to make sure Wireshark is not running. Click Next to continue.
Next, go through the License Agreement and review all the license terms before installing
Wireshark. Click Noted to continue.

Select the Wireshark features to install. The main features available are shown below. Select all the required
features and then click Next to continue.
Under additional tasks, you can choose to create shortcuts and associate file extensions as shown below. Once selected,
click Next to continue.

Choose the destination folder by browsing to the location where you want to install Wireshark. By default, it
installs under the C:\Program Files\Wireshark folder as shown below. Once chosen, click Next to proceed.
To capture live network data, Wireshark requires either Npcap or WinPcap to be installed; by default the
installer installs Npcap on your system. Select the needed program and then click Next.

Similarly, for capturing USB traffic, Wireshark needs the USBPcap tool to be installed on your system. It is not
selected by default, so select it manually if you need it. Then click Install.
The Wireshark installation starts as shown below.

Once the installation has started, the Npcap setup screen shown below pops up and asks you to select the
options below. Once done, click Install to complete the installation of this tool first.
You can track the progress of the Npcap installation in the wizard screen below.

After a while, you will see that the installation of Wireshark is complete, as shown below. Click Next to continue.
Finally, click Finish to exit the Wireshark setup wizard.

Step 4: Launch Wireshark

After a successful installation, the first launch of Wireshark should look like the screenshot below. Select the Ethernet interface.
Click Start capture to capture the packets from this interface as shown below.

Live packets are captured as shown below. To stop the capture, click the Stop button on the toolbar.
Step 5: Analyze Captured Packets
Once the network data has been captured, look at the captured packets. In the screenshot below there are three panes:
the packet list pane, the packet details pane and the packet bytes pane. Click on any of the fields in each
packet to see more. When you click on a packet, a breakdown of its internal bytes is shown in the byte view section.
Packet List
The packet list pane is shown at the top of the screenshot. Each packet is listed with its number, time,
source, destination, protocol and an Info summary.
Packet Details
Packet details are shown in the middle pane, listing the protocol layers of the chosen packet. You can expand each
section by clicking the arrow next to the row of your choice. You can also apply additional filters by right-
clicking the chosen item.
Packet Bytes
The packet bytes pane is shown at the bottom of the page. This pane shows the raw data of the selected
packet. If you highlight part of the data in this pane, the corresponding field is also highlighted in the
packet details pane. By default, all data is shown in hexadecimal format. If you want to change it to bit format,
right-click the pane and select that option from the context menu.
Capture Filters and Display Filters
Capture filters and display filters are two distinct types of filter that can be used in Wireshark. Capture
filters reduce the size of the incoming capture by discarding non-matching packets during live capturing.
As a result, capture filters are set before you begin the live capture process and cannot be modified once a
capture has started. Display filters, on the other hand, filter data that has already been recorded. In short,
capture filters determine what data you capture from live network monitoring, and display filters dictate which
packets you see when looking through previously captured packets.
If you want to start filtering your data, one of the easiest ways is to use the filter box below the toolbar.
For example, if you type http in the filter box, you will be shown a list of all HTTP packets captured.
The filter box is shown below:
If you set a capture filter, it comes into effect once you start recording live network traffic. To apply a
display filter, click the arrow to the right of the entry field. Alternatively, click Analyze > Display Filters
and choose a filter from the list of defaults.
After choosing a filter, you can view the TCP conversation behind a packet. To do this, right-click the packet
and choose Follow > TCP Stream. This shows the TCP exchange between the client and server.
Step 6: Visualizing Network Packets With IO Graphs
To create a visual representation of your data packets, open IO Graphs: click the Statistics menu and
select IO Graphs.
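As an added example (not part of this lab record): a short Python script that reads the first bytes of a TCP payload the way Wireshark's dissector does, to make concrete why an HTTP conversation is readable in Follow > TCP Stream while an HTTPS conversation only exposes TLS record headers. Both payloads are constructed by hand rather than taken from a capture, and the display filters it suggests use Wireshark's http.host and tls.record.content_type fields.

```python
# Added example: classify the start of a TCP payload as plaintext HTTP or a
# TLS record, reporting what a packet sniffer can actually read from each.
# Both sample payloads below are constructed, not captured.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                    23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Plaintext HTTP request: path, query string, Host and User-Agent are all visible.
HTTP_SAMPLE = (b"GET /login?user=alice HTTP/1.1\r\nHost: example.com\r\n"
               b"User-Agent: lab-client\r\n\r\n")
# TLS ClientHello: 5-byte record header, then a handshake message whose body
# (random, session id, one cipher suite, compression) is opaque to a sniffer.
TLS_SAMPLE = (b"\x16\x03\x01\x00\x2d"                 # record: handshake, v1.0, 45 bytes
              b"\x01\x00\x00\x29" + b"\x03\x03"       # ClientHello, 41 bytes, TLS 1.2
              + bytes(32) + b"\x00"                    # random (zeroed here), no session id
              + b"\x00\x02\x13\x01" + b"\x01\x00")     # one cipher suite, null compression

def classify_payload(payload: bytes) -> dict:
    """Return what an analyst can read from the first bytes of a TCP payload."""
    if payload.startswith(HTTP_METHODS):
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
        return {"protocol": "HTTP", "request_line": lines[0],
                "host": headers.get("Host"), "readable": True}
    # TLS record header: content type (1 byte), protocol version (2), length (2)
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 0x03:
        version = int.from_bytes(payload[1:3], "big")
        length = int.from_bytes(payload[3:5], "big")
        return {"protocol": "TLS", "record_type": TLS_RECORD_TYPES[payload[0]],
                "version": TLS_VERSIONS.get(version, hex(version)),
                "record_length": length, "readable": False}
    return {"protocol": "unknown", "readable": False}

def display_filter(info: dict) -> str:
    """Wireshark display filter that would isolate this kind of traffic."""
    if info["protocol"] == "HTTP" and info.get("host"):
        return f'http.host == "{info["host"]}"'
    if info["protocol"] == "TLS":
        return "tls.record.content_type == 22" if info["record_type"] == "handshake" else "tls"
    return "tcp"

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        info = classify_payload(sample)
        print(info, "->", display_filter(info))
```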

Result :
Thus the analysis of the difference between HTTP and HTTPS using Wireshark was made.
Ex. No.:2

IDENTIFYING THE VULNERABILITIES USING OWASP ZAP TOOL

Aim:

To identify vulnerabilities using the OWASP ZAP tool

Procedure:

1. Install OWASP ZAP:

Download and install OWASP ZAP from the official website.

2. Configure Browser Proxy

Set up your browser to use ZAP as a proxy server (Default: localhost, Port: 8080).

Experiment Steps:

1. Launch OWASP ZAP:

Open the OWASP ZAP tool

2. Start ZAP Proxy:

In ZAP, click on the 'Quick Start' tab.

Start the ZAP Proxy.

3. Set Target Application:

Go to the "Sites" tab.

Enter the URL of the target application.

Right-click on the URL and choose "Include in Context" > "Default Context" to add it for scanning.

4. Spider the Application:

Go to the "Spider" tab.

Right-click on the target URL and select "Spider" to crawl the application.

Let ZAP crawl and map the application structure.

5. Active Scan:

Go to the "Attack" tab.

Choose "Active Scan."

Configure the scan settings (scope, intensity, etc.).

Start the active scan on the target application.


6. Review Scan Results:

After the scan completes, go to the "Alerts" tab.

View the list of vulnerabilities discovered by ZAP.

7. Investigate Vulnerabilities:

Click on each vulnerability to get detailed information.

Verify and understand the nature and potential impact of each issue.

8. Prioritize and Document:

Prioritize vulnerabilities based on severity and potential impact.

Document the identified vulnerabilities with descriptions, severity levels, affected URLs, and possible
remediation steps.

9. Report Generation:

Go to the "Report" tab.

Generate a comprehensive report summarizing the identified vulnerabilities and their details.

Choose the appropriate report format (HTML, PDF, etc.).

10. Remediation and Re-scan:

Work on fixing or mitigating the identified vulnerabilities.

After making changes, perform another scan using ZAP to verify that the issues have been resolved.

11. Continuous Monitoring:

Schedule regular scans using ZAP to continuously monitor the application's security posture.

Regularly review and update the security measures based on new findings.
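As an added example, not part of this lab record: a small Python triage script for steps 8 and 10. It works on constructed alerts in the shape of ZAP's alert export (fields alert, risk, confidence, url, param, solution; the app.test URLs are made up and nothing here talks to ZAP), deduplicates and ranks the findings for the report, and compares a baseline scan with a re-scan to list resolved, still-open and new findings.

```python
RISK_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample alerts in the shape of ZAP's alert export; app.test is a
# made-up hostname, not a real target.
BASELINE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium", "url": "http://app.test/login",
     "param": "username", "solution": "Use parameterised queries / prepared statements."},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "High",
     "url": "http://app.test/search", "param": "q", "solution": "Encode output for its context."},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "High",   # duplicate
     "url": "http://app.test/search", "param": "q", "solution": "Encode output for its context."},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://app.test/", "param": "", "solution": "Send X-Content-Type-Options: nosniff."},
]
# Re-scan after fixing the injection issues: the header finding is still open
# and one new medium-risk finding appeared.
RESCAN_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium",
     "url": "http://app.test/", "param": "", "solution": "Send X-Content-Type-Options: nosniff."},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "confidence": "Low",
     "url": "http://app.test/profile", "param": "", "solution": "Add anti-CSRF tokens to forms."},
]

def alert_key(alert):
    # Identity of a finding: the same alert type on the same URL and parameter
    return (alert["alert"], alert["url"], alert["param"])

def prioritize(alerts):
    # Deduplicate, then order highest risk first and highest confidence first within a risk level
    unique = {alert_key(a): a for a in alerts}
    return sorted(unique.values(), reverse=True,
                  key=lambda a: (RISK_RANK[a["risk"]], CONFIDENCE_RANK[a["confidence"]]))

def document(alerts):
    # One report line per finding: severity, location, affected parameter and remediation
    return [f"[{a['risk']}/{a['confidence']}] {a['alert']} at {a['url']}"
            f" (param: {a['param'] or '-'}) -> {a['solution']}" for a in prioritize(alerts)]

def compare_scans(baseline, rescan):
    # Verify remediation: which findings disappeared, which remain and which are new
    before = {alert_key(a) for a in baseline}
    after = {alert_key(a) for a in rescan}
    return {"resolved": sorted(before - after), "open": sorted(before & after),
            "new": sorted(after - before)}
```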
Result:

Thus, the experiment to identify vulnerabilities using the OWASP ZAP tool is executed and verified
successfully.
Ex. No:3

CREATING SIMPLE REST API USING PYTHON

Aim:

To create a simple REST API using Python to do the GET, POST, PUT and DELETE operations

Algorithm:

Step 1: Start

Step 2: Install Flask

Step 3: Start the Flask App

Step 4: Use Postman to Test Endpoints

Step 5: View Server Output

Step 6: Stop

Program:

from flask import Flask, jsonify, request

app = Flask(__name__)

# Sample data
data = [{'id': 1, 'name': 'Item 1'},
        {'id': 2, 'name': 'Item 2'},
        {'id': 3, 'name': 'Item 3'}]

# Next ID to hand out; using len(data) + 1 would reuse an ID after a DELETE
next_id = len(data) + 1


def get_name_from_request():
    # Validate the JSON body so a malformed request gets a 400 instead of a server error
    body = request.get_json(silent=True)
    if not isinstance(body, dict) or not isinstance(body.get('name'), str):
        return None
    return body['name']


# GET request to retrieve all items
@app.route('/items', methods=['GET'])
def get_items():
    return jsonify({'items': data})


# GET request to retrieve a specific item by ID
@app.route('/items/<int:item_id>', methods=['GET'])
def get_item(item_id):
    item = next((item for item in data if item['id'] == item_id), None)
    if item:
        return jsonify({'item': item})
    else:
        return jsonify({'message': 'Item not found'}), 404


# POST request to add a new item
@app.route('/items', methods=['POST'])
def add_item():
    global next_id
    name = get_name_from_request()
    if name is None:
        return jsonify({'message': "JSON body with a string 'name' is required"}), 400
    new_item = {'id': next_id, 'name': name}
    next_id += 1
    data.append(new_item)
    return jsonify({'item': new_item}), 201


# PUT request to update a specific item by ID
@app.route('/items/<int:item_id>', methods=['PUT'])
def update_item(item_id):
    item = next((item for item in data if item['id'] == item_id), None)
    if item:
        name = get_name_from_request()
        if name is None:
            return jsonify({'message': "JSON body with a string 'name' is required"}), 400
        item['name'] = name
        return jsonify({'item': item})
    else:
        return jsonify({'message': 'Item not found'}), 404


# DELETE request to remove a specific item by ID
@app.route('/items/<int:item_id>', methods=['DELETE'])
def delete_item(item_id):
    global data
    if not any(item['id'] == item_id for item in data):
        return jsonify({'message': 'Item not found'}), 404
    data = [item for item in data if item['id'] != item_id]
    return jsonify({'message': 'Item deleted'}), 200


if __name__ == '__main__':
    # debug=True enables the Werkzeug debugger; keep it to the local lab machine
    app.run(debug=True)

Procedure and Output:

Step 1: Install Flask


>>>pip install flask

Step 2: Start the Flask App

Save the code as app.py and execute

>>>python app.py

Copy the URL that is printed: http://127.0.0.1:5000

Step 3: Use Postman to Test Endpoints

1. GET Request to Retrieve All Items:

• Set the request type to GET.
• Enter the URL: http://127.0.0.1:5000/items
• Click "Send."

2. GET Request to Retrieve a Specific Item by ID:

• Set the request type to GET.
• Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
• Click "Send."

3. POST Request to Add a New Item:

• Set the request type to POST.
• Enter the URL: http://127.0.0.1:5000/items
• Go to the "Body" tab, select "raw" and choose "JSON (application/json)". Enter the request body.
• Click "Send."

4. PUT Request to Update an Existing Item:

• Set the request type to PUT.
• Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
• Go to the "Body" tab, select "raw" and choose "JSON (application/json)".
• Enter the updated information.
• Click "Send."

5. DELETE Request to Remove a Specific Item by ID:

• Set the request type to DELETE.
• Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
• Click "Send."
Step 4: View Server Output
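As an added example (not part of this lab record), the Postman steps above replayed through Flask's built-in test client, so the full GET/POST/PUT/DELETE sequence can be checked offline without starting a server. The items API is a compact copy of this exercise's app, inlined so the block is self-contained; it also rejects a non-JSON body with 400 and never reuses an ID after a DELETE, two behaviours the same sequence confirms.

```python
from flask import Flask, jsonify, request

def create_app():
    # Compact copy of this exercise's items API, inlined to keep the example self-contained
    app = Flask(__name__)
    items = {1: "Item 1", 2: "Item 2", 3: "Item 3"}   # sample data, as on the page
    counter = {"next_id": 4}                            # IDs are never reused after a DELETE
    def name_from_body():
        # Accept only a JSON object with a string "name": malformed input gets 400, not a 500
        body = request.get_json(silent=True)
        return body["name"] if isinstance(body, dict) and isinstance(body.get("name"), str) else None
    @app.route("/items", methods=["GET"])
    def get_items():
        return jsonify({"items": [{"id": i, "name": n} for i, n in items.items()]})
    @app.route("/items", methods=["POST"])
    def add_item():
        name = name_from_body()
        if name is None:
            return jsonify({"message": "JSON body with a string 'name' is required"}), 400
        item_id, counter["next_id"] = counter["next_id"], counter["next_id"] + 1
        items[item_id] = name
        return jsonify({"item": {"id": item_id, "name": name}}), 201
    @app.route("/items/<int:item_id>", methods=["GET", "PUT", "DELETE"])
    def one_item(item_id):
        if item_id not in items:
            return jsonify({"message": "Item not found"}), 404
        if request.method == "DELETE":
            del items[item_id]
            return jsonify({"message": "Item deleted"}), 200
        if request.method == "PUT":
            name = name_from_body()
            if name is None:
                return jsonify({"message": "JSON body with a string 'name' is required"}), 400
            items[item_id] = name
        return jsonify({"item": {"id": item_id, "name": items[item_id]}})
    return app

def run_sequence():
    # Replay the Postman steps in order and return each step's status code
    c = create_app().test_client()
    out = {"list": c.get("/items").status_code,                                  # 200
           "get_one": c.get("/items/1").status_code,                             # 200
           "post": c.post("/items", json={"name": "Item 4"}).status_code,        # 201
           "post_bad": c.post("/items", data="name=Item 4").status_code,         # 400
           "put": c.put("/items/1", json={"name": "Item 1 updated"}).status_code,  # 200
           "delete": c.delete("/items/2").status_code,                           # 200
           "get_deleted": c.get("/items/2").status_code}                         # 404
    # After deleting id 2 the next item must get id 5, not a reused id
    out["new_id"] = c.post("/items", json={"name": "Item 5"}).get_json()["item"]["id"]
    return out
```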

Result:

Thus, the experiment to create a simple REST API using Python to do the GET, POST,

PUT and DELETE operations is executed and verified successfully.


Ex. No:4 Installing Burp Suite for Cross-Site Scripting

Aim:
To install Burp Suite and demonstrate the following vulnerability:
• Cross-Site Scripting (XSS)
Procedure:

1. Turn on Intercept and browse to the website whose request needs to be captured.
2. Add the captured request to the Target scope.
3. Go to the Target section, search for the captured request in the item field and send the
target item to the Repeater.

4. Modify the request in the Repeater section and send it to the Decoder.
5. Before sending the response to the browser, copy the URL below and paste it into a
browser that is configured to use Burp as its proxy.
6. Open the browser to see the modified response. An alert message pops up while
opening the website.

Result:
Thus the above vulnerability was successfully executed and verified.
Ex. No. 5 Social Engineering Method

Aim:
To attack the website using the social engineering method

Procedure & Output:

Installation of Social engineering toolkit :


Step 1: Open your Kali Linux terminal and move to the Desktop.
>>>cd Desktop

Step 2: You are now on the Desktop, so create a new directory named
SEToolkit using the following command.
>>>mkdir SEToolkit

Step 3: You are still in the Desktop directory but have created the SEToolkit
directory, so move into the SEToolkit directory using the following command.

>>>cd SEToolkit

Step 4: Now that you are in the SEToolkit directory, clone SEToolkit from GitHub so
you can use it.

>>>git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/

Step 5: The Social Engineering Toolkit has been downloaded into your directory; now
move into the toolkit's internal directory using the following command.
>>>cd setoolkit

Step 6: You have now downloaded the Social Engineering Toolkit into your
directory SEToolkit. Next, install the requirements using the following command.
>>>pip3 install -r requirements.txt
Step 7: All the requirements have been downloaded into your setoolkit directory. Now install
the requirements that you have downloaded.
>>>python setup.py

Step 8: All the installation steps are now complete, so it is time to run the
Social Engineering Toolkit. To run SEToolkit, type the following command.
>>>setoolkit

Step 9: At this step, setoolkit asks you (y) or (n). Type y and your Social Engineering
Toolkit will start running.
Step 10: Your setoolkit is now installed on your system and ready to use. Choose an option
from the menu. Here we choose

option 2, Website Attack Vectors.

Option: 2

Step 11: We are now about to set up a phishing page, so here we choose option 3,
the Credential Harvester Attack Method.
Option: 3

Step 12: Since we are creating a phishing page, here we choose
option 1, Web Templates.

Option:
Step 13: To create a Google phishing page, choose option 2; a
phishing page is then generated on your localhost.

Step 14: The Social Engineering Toolkit creates a phishing page of Google.

Result:
Thus, the experiment to attack the website using the social engineering method is executed
and verified successfully.
