Isaa Rev-1

The document discusses analyzing security flaws in websites using a proxy interceptor tool. It describes choosing a proxy tool, configuring the proxy, identifying vulnerabilities like XSS and SQL injection, assessing impact, implementing patches, testing fixes, and repeating the process regularly. It also includes a literature survey covering topics like session hijacking attacks and defenses, detecting SQL injection, parameter tampering threats, and preventing XSS attacks.

Uploaded by Shashi Kiran

Course Title: Information Security Analysis and Audit
Course Code: CSE3501
Review 1
Abstract
The main goal of a bug hunt is to find all the critical bugs in an application that could negatively affect users. This project also aims to provide security patches to vulnerable websites; these patches are used to protect the website from malicious attacks. Bug hunters also use test plans and use cases to test software from the perspective of a user, with the goal of discovering bugs that could affect the user experience. To find bugs in a website or application, testers use a variety of strategies. Some use “attacks”, such as deliberately following a different workflow from the one the application suggests, or filling in a form incorrectly to expose errors and security vulnerabilities. Testers might enter alphabetic characters into a form field that is clearly designed to handle only numeric characters, use special characters in a username or password field, or deliberately lose mobile data coverage while using an application. During this stage, issues such as web application security, the functioning of the site, its accessibility to users with disabilities as well as regular users, and its ability to handle traffic are checked.
Introduction
Analyzing security flaws in websites and implementing suitable patches using a proxy interceptor involves identifying vulnerabilities, understanding their impact, and then implementing appropriate solutions. A proxy interceptor can help intercept and modify web traffic between clients and servers, making it a useful tool for identifying and mitigating security issues. Here's a general process for analyzing and patching security flaws using a proxy interceptor:

1. Choose a Proxy Interceptor Tool:
Select a suitable proxy interceptor tool such as Burp Suite, OWASP ZAP, or Fiddler. These tools allow you to intercept and analyze web traffic, making them valuable for identifying security vulnerabilities.

2. Configure the Proxy:
Set up the proxy interceptor to intercept web traffic between clients (such as browsers) and servers. Configure your browser or application to route its traffic through the proxy.

3. Identify Security Flaws:
Interact with the target website/application using the proxy-enabled browser/application. The proxy will intercept and display the requests and responses, enabling you to identify vulnerabilities such as:
- Cross-Site Scripting (XSS): Malicious code injection into web pages.
- Cross-Site Request Forgery (CSRF): Unauthorized actions performed on behalf of authenticated users.
- SQL Injection: An attacker inserts malicious SQL code into input fields.
- Insecure Direct Object References (IDOR): Unauthorized access to resources.
- Security Misconfigurations: Improperly configured servers or applications.
- Sensitive Data Exposure: Leakage of sensitive information.
- Broken Authentication and Session Management: Flaws in user authentication and session handling.
- and so on.

4. Assess Vulnerability Impact:
Determine the potential impact and severity of each vulnerability. Consider factors such as the sensitivity of the data involved, the potential for unauthorized access, and how easily the vulnerability can be exploited.

5. Implement Patches:
Once vulnerabilities are identified, work on implementing patches or fixes:
- Cross-Site Scripting (XSS): Sanitize user inputs, encode output properly for its context, and deploy a Content Security Policy.
- Cross-Site Request Forgery (CSRF): Use anti-CSRF tokens and implement Referer header checking.
- SQL Injection: Use parameterized queries or prepared statements in database interactions.
- Insecure Direct Object References (IDOR): Implement proper access controls and authorization mechanisms.
- Security Misconfigurations: Follow security best practices for server and application configuration.
- Sensitive Data Exposure: Encrypt sensitive data, use HTTPS, and limit data exposure.
- Broken Authentication and Session Management: Implement strong authentication, session timeouts, and secure session management.

6. Test and Verify:
After implementing patches, thoroughly test the application to ensure that the vulnerabilities are effectively mitigated and that the fixes haven't introduced new issues.

7. Repeat and Stay Updated:
Regularly repeat the process to identify new vulnerabilities and apply patches. Stay updated with the latest security trends and best practices.
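The patches from step 5 for SQL injection, XSS and CSRF, written as an added Python example that is not part of the original review: each flaw is shown in the form an intercepting proxy would expose beside its hardened form, and the functions return values so step 6 can verify them. The table, user rows and function names are constructed for this example; only the standard library is used.

```python
# Added example (not from the original review): step-5 patches for SQL
# injection, XSS and CSRF, each beside the flawed form it replaces.
import html
import hmac
import secrets
import sqlite3


def _db() -> sqlite3.Connection:
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_user_vulnerable(name: str) -> list:
    # Before: the parameter is concatenated into the statement, so a value
    # modified in the proxy is parsed as SQL and changes what the query does.
    conn = _db()
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_user_patched(name: str) -> list:
    # After: a parameterized query; the value is bound as data and can never
    # be interpreted as part of the SQL statement.
    conn = _db()
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name: str) -> str:
    # XSS patch: encode untrusted data for the HTML context before embedding
    # it, so markup in the value is rendered as text rather than executed.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def issue_csrf_token() -> str:
    # CSRF patch: a per-session random token kept server-side and echoed
    # into each state-changing form, which a cross-site request cannot know.
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted: str) -> bool:
    # Constant-time comparison of the stored token with the submitted one.
    return hmac.compare_digest(session_token, submitted)
```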
Literature Survey

Title: A Survey on Session Hijacking Attack and Defense Techniques in Web Applications
Author & Year: Ayokunle Awodele, Olumide S. Adewale, and Adenike O. Osofisan (2016)
Description: This paper provides a comprehensive survey of various session hijacking attack and defense techniques in web applications. It covers various types of session hijacking attacks, such as cookie hijacking, IP hijacking, and session fixation, and discusses different defense mechanisms that can be used to mitigate these attacks.

Title: Detecting SQL Injection Attacks Using Dynamic Analysis
Author & Year: William G.J. Halfond and Alessandro Orso (2006)
Description: This paper presents a dynamic analysis technique for detecting SQL injection attacks in web applications. The authors propose a tool called SQLCheck that analyzes the execution of web applications and identifies SQL injection vulnerabilities by checking the syntax of SQL queries executed by the application.

Title: Parameter Tampering in E-Commerce Websites: A Threat to Online Business
Author & Year: Yogita Gigras and Jasvir Singh (2016)
Description: This paper discusses the threat of parameter tampering in e-commerce websites and its impact on online business. The authors analyze the various techniques used by attackers to tamper with parameters and the potential consequences of such attacks, such as financial loss, reputational damage, and legal liabilities.

Title: Cross-Site Scripting (XSS) Attacks: Theoretical Aspects, Real-Life Exploits, and Prevention Strategies
Author & Year: Markus Jakobsson and Stefanos A. Mitropoulos (2010)
Description: This paper provides a comprehensive overview of cross-site scripting (XSS) attacks, including their theoretical aspects, real-life exploits, and prevention strategies. The authors discuss various types of XSS attacks, such as reflected, stored, and DOM-based XSS, and the different techniques used by attackers to exploit them. They also present various defense mechanisms, such as input validation, output encoding, and content security policy, that can be used to prevent XSS attacks.

Title: Session Hijacking: A Technical Guide for Security Professionals
Author & Year: Dr. Anton Chuvakin (2002)
Description: This paper provides an overview of session hijacking attacks, their impact on web application security, and ways to prevent them. It discusses various methods used to hijack sessions, such as session fixation, session prediction, and session replay, and provides recommendations for securing sessions, including using secure session management practices, preventing session fixation, and implementing SSL/TLS encryption.

Title: Detecting SQL Injection Attacks Using Dynamic Analysis
Author & Year: William G.J. Halfond and Alessandro Orso (2006)
Description: This paper proposes a method for detecting SQL injection attacks in web applications using dynamic analysis. The method involves instrumenting the web application with a tool that monitors the application's behavior at runtime and identifies SQL injection attacks by analyzing the application's input and output. The authors evaluate the effectiveness of the method through experiments and demonstrate its ability to detect SQL injection attacks with high accuracy.

Title: SQL Injection Attacks and Defense
Author & Year: Justin Clarke (2009)
Description: This paper provides an overview of SQL injection attacks, their impact on web application security, and ways to prevent them. It discusses various methods used to exploit SQL injection vulnerabilities, such as blind SQL injection and error-based SQL injection, and provides recommendations for preventing SQL injection attacks, including input validation, parameterized queries, and stored procedures.

Title: Scanning of Real-world Web Applications for Parameter Tampering Vulnerabilities
Author & Year: Adonis P.H. Fung, Tielei Wang, K.W. Cheung, and T.Y. Wong
Description: The paper addresses the need to secure web applications that rely on parameter exchanges between clients and servers, especially those involving complex workflows and dependencies. Such applications are susceptible to parameter tampering attacks when they lack proper server-side input validation. Existing fuzzing-based scanning methods have overlooked these critical controls, leading to their requests being dropped before reaching vulnerable code.

Title: Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art
Author & Year: Shashank Gupta and B. B. Gupta
Description: The paper focuses on the prevalence of web-related vulnerabilities, particularly in security-critical web applications. It highlights the persistence of vulnerabilities across various sectors, such as banking, healthcare, finance, and retail. The most prominent vulnerability is the Cross-Site Scripting (XSS) attack, which poses a significant threat to modern web applications.

Title: Session Hijacking and Prevention Technique
Author & Year: Anuj Kumar Baitha and Prof. Smitha Vinod
Description: The paper explores session hijacking attacks, in which unauthorized access is gained to valid session connections, often targeting social networking and banking websites. Session hijacking, also known as a Man in the Middle (MIMA) attack, poses a significant cybersecurity threat. The paper highlights a specific attack, the SSL Strip attack, which is crucial in this context.
