Lab1

Week 1 Lecture: Lab Orientation - Tools & Requirements

Objective:

To familiarize students with the development environment, security tools, and common web application vulnerabilities.

1. Setting Up the Development Environment

1.1. Java Development Environment Setup:

• Install Java Development Kit (JDK):
    • Download the JDK from the Oracle website.
    • Follow the installation instructions for your operating system.

• Install IntelliJ IDEA:
    • Download IntelliJ IDEA from the JetBrains website.
    • Follow the installation instructions and open IntelliJ IDEA.
    • Configure IntelliJ IDEA to use the installed JDK.

1.2. Python Development Environment Setup:

• Install Python:
    • Download Python from the official Python website.
    • Follow the installation instructions for your operating system.

• Install PyCharm:
    • Download PyCharm from the JetBrains website.
    • Follow the installation instructions and open PyCharm.
    • Configure PyCharm to use the installed Python interpreter.

1.3. PHP Development Environment Setup:

• Install XAMPP:
    • Download XAMPP from the Apache Friends website.
    • Follow the installation instructions for your operating system.
    • XAMPP includes Apache, MySQL, PHP, and Perl.

• Set up a PHP project:
    • Start the XAMPP control panel and ensure the Apache and MySQL services are running.
    • Create a new directory for your project inside the htdocs folder (e.g., C:\xampp\htdocs\myproject).
    • Create a simple PHP script to test the setup:

        <?php
        echo "Hello, World!";
        ?>

    • Save the file as index.php and open http://localhost/myproject in your browser to see the output.

2. Installing Security Tools

2.1. OWASP ZAP (Zed Attack Proxy):

• What is OWASP ZAP?
    • OWASP ZAP is an open-source web application security scanner. It helps to find security vulnerabilities in web applications during the development and testing phases.

• Download and Install:
    • Download OWASP ZAP from the official OWASP website.
    • Install the application by following the provided instructions.

• Basic Usage:
    • Open OWASP ZAP.
    • Set up a new session:
        • Go to File > New Session.
        • Choose a location to save the session file.
    • Configure your browser to use ZAP as a proxy:
        • Set the browser's proxy settings to use localhost and port 8080 (default).
    • Explore the application interface:
        • Sites Tab: Shows the sites and URLs that ZAP has accessed.
        • Alerts Tab: Lists the security alerts discovered.
        • Request/Response Panels: Display the HTTP requests and responses.

• Example Usage:
    • Spidering:
        • Use the spider tool to crawl the web application and discover all pages and links.
        • Go to Tools > Spider, enter the target URL, and start the spidering process.
    • Active Scanning:
        • Once the spidering is complete, perform an active scan to detect vulnerabilities.
        • Right-click on the target site in the Sites tab, and select Attack > Active Scan.
2.2. Burp Suite:

• What is Burp Suite?
    • Burp Suite is a popular web vulnerability scanner and security testing tool used by security professionals for web application security assessments.

• Download and Install:
    • Download Burp Suite Community Edition from the PortSwigger website.
    • Install the application by following the provided instructions.

• Basic Usage:
    • Open Burp Suite.
    • Set up a new project:
        • Choose to create a new project file or use the temporary project option.
    • Configure your browser to use Burp Suite as a proxy:
        • Set the browser's proxy settings to use localhost and port 8080 (default).
    • Explore the application interface:
        • Target Tab: Allows you to define the scope of your testing.
        • Proxy Tab: Displays intercepted HTTP requests and responses.
        • Scanner Tab: Automates the process of finding vulnerabilities.
        • Intruder Tab: Used for automating customized attacks.

• Example Usage:
    • Intercepting Traffic:
        • Open the Proxy tab and ensure intercept is on.
        • Browse the target web application, and Burp will capture the HTTP requests.
    • Scanning for Vulnerabilities:
        • Define the target scope in the Target tab.
        • Right-click on the target and select Scan.
Comparison between OWASP ZAP and Burp Suite:

Feature               OWASP ZAP                 Burp Suite
--------------------  ------------------------  ----------------------------------------------
Cost                  Free (Open Source)        Free (Community Edition) or Paid (Pro Edition)
Ease of Use           User-friendly             More complex, but powerful
Active Scanning       Yes                       Yes
Passive Scanning      Yes                       Yes
Spidering             Yes                       Yes
Extensibility         Extensible with plugins   Plugins available (Pro)
Automated Testing     Yes                       Yes (Pro Edition)
Manual Testing Tools  Yes                       Yes

3. Common Vulnerabilities: Demonstrations and Case Studies

3.1. Cross-Site Scripting (XSS):

• Description:
    • XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping.

• Demonstration:
    • Step 1: Create a Simple HTML Form (the form posts to xss_demo.php, so save this file under that name):

        <!DOCTYPE html>
        <html>
        <head>
            <title>XSS Demo</title>
        </head>
        <body>
            <form action="xss_demo.php" method="post">
                <label for="name">Name:</label>
                <input type="text" id="name" name="name">
                <input type="submit" value="Submit">
            </form>
            <!-- Deliberately vulnerable: the submitted value is echoed without encoding -->
            <p>Your Name: <?php echo $_POST['name']; ?></p>
        </body>
        </html>

    • Step 2: Inject Malicious Script:
        • In the input field, enter: <script>alert('XSS');</script>
        • When the form is submitted, the script will execute.

• Mitigation:
    • Use proper input validation and output encoding.

        <p>Your Name: <?php echo htmlspecialchars($_POST['name']); ?></p>
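As an added example (not code from the lecture), the mitigation line above written as a small encoding helper and exercised against constructed inputs. It shows two points the one-liner hides: the flags passed to htmlspecialchars() decide whether single quotes are encoded, and the same helper must be used whenever the value is placed inside a quoted attribute, not only in the page body. The function names and sample inputs are illustrative.

```php
<?php
// Added example: context-aware output encoding for the XSS demo.

// Encode untrusted text for an HTML body or a double-quoted attribute value.
// ENT_QUOTES also converts single quotes (' -> &#039;), which the default flags
// of PHP versions before 8.1 leave alone; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences with U+FFFD instead of returning an empty string for the whole value.
function html_escape(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The "Your Name" paragraph from the demo, with the value encoded.
function render_name_paragraph(string $name): string
{
    return '<p>Your Name: ' . html_escape($name) . '</p>';
}

// The same value re-filled into the form's input, i.e. an attribute context.
// Without encoding, a quote in $name would end the attribute and let the
// input add its own attributes (such as an event handler) to the element.
function render_name_input(string $name): string
{
    return '<input type="text" id="name" name="name" value="' . html_escape($name) . '">';
}

// Constructed sample inputs: the payload from Step 2, a value containing a
// single quote, and an ordinary name that must survive readable.
$samples = [
    "<script>alert('XSS');</script>",
    "' onfocus='alert(1)",
    "O'Brien & Sons",
];

foreach ($samples as $input) {
    echo render_name_paragraph($input), "\n";
    echo render_name_input($input), "\n\n";
}
```

Run it from the command line (php xss_encode_demo.php) and compare the output with the raw inputs: every <, >, &, " and ' is replaced by an entity, so the browser renders the text literally and never parses it as markup. Encoding is context-specific; this helper is right for HTML body text and quoted attributes, but a value placed inside a <script> block or a URL needs a different encoder.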

3.2. Insecure Direct Object Reference (IDOR):

• Description:
    • Occurs when an application exposes direct access to objects based on user-supplied input.

• Demonstration (project layout under htdocs/):

        htdocs/
            index.php
            file.php
            files/
                file1.txt
                file2.txt
                secret.txt

    • Step 1: Create a URL Parameter for File Access (Main Page, index.php):

        <!DOCTYPE html>
        <html>
        <head>
            <title>File Download</title>
        </head>
        <body>
            <h1>Download Files</h1>
            <ul>
                <li><a href="file.php?file=file1.txt">Download File 1</a></li>
                <li><a href="file.php?file=file2.txt">Download File 2</a></li>
            </ul>
        </body>
        </html>

    • Step 2: Create the file.php page to download files:

        <?php
        // file.php
        // Deliberately vulnerable: the file name is taken from the query string unchecked
        $file = $_GET['file'];
        $file_path = 'files/' . $file;

        if (file_exists($file_path)) {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . basename($file_path) . '"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($file_path));
            readfile($file_path);
            exit;
        } else {
            echo "File not found.";
        }
        ?>

    • Step 3: Accessing Files:
        • Access the URL: http://example.com/file.php?file=secret.txt
        • Change the parameter to access different files: http://example.com/file.php?file=../../etc/passwd

• Mitigation:
    • Implement access controls and validate user input.

        <?php
        // List of allowed files
        $allowed_files = ['file1.txt', 'file2.txt'];

        $file = $_GET['file'];

        if (in_array($file, $allowed_files)) {
            $file_path = 'files/' . $file;

            if (file_exists($file_path)) {
                header('Content-Description: File Transfer');
                header('Content-Type: application/octet-stream');
                header('Content-Disposition: attachment; filename="' . basename($file_path) . '"');
                header('Expires: 0');
                header('Cache-Control: must-revalidate');
                header('Pragma: public');
                header('Content-Length: ' . filesize($file_path));
                readfile($file_path);
                exit;
            } else {
                echo "File not found.";
            }
        } else {
            echo "Access Denied.";
        }
        ?>
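The allow-list above is the simplest fix, but it does not scale to a file store with many users. As an added example (not code from the lecture), the following generalises the mitigation in two ways: it canonicalises the requested path with realpath() and checks that the result stays inside the files/ directory, and it checks that the logged-in user owns the requested file, which is the control case study 4.2 below calls for. The ownership table, the user names, the function names and the self-check directory are constructed for this example.

```php
<?php
// Added example: path canonicalisation plus an ownership check for file.php.

// Return the canonical path of $requested inside $base_dir, or null when the
// request escapes the directory (e.g. "../../etc/passwd") or does not exist.
function resolve_inside(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", symlinks and duplicate separators and returns
    // false for paths that do not exist, so the check is on the real location.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare including the trailing separator so that a sibling directory
    // such as "files_secret/" next to "files/" is not accepted as "inside".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed ownership table (illustrative): which user may download which
// file. In a real application this comes from the database row that maps a
// file ID to its owner.
const FILE_OWNERS = [
    'file1.txt'  => 'alice',
    'file2.txt'  => 'alice',
    'secret.txt' => 'bob',
];

// Decide whether $user may download $requested from $base_dir.
// Returns the canonical path on success, or null so the caller can answer
// "Access Denied." without revealing whether the file exists.
function authorize_download(string $user, string $base_dir, string $requested): ?string
{
    // Accept only a bare file name: anything with a directory component is
    // rejected before the disk is touched.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Ownership check: the user must own the object, not just know its name.
    if ((FILE_OWNERS[$requested] ?? null) !== $user) {
        return null;
    }
    // Defence in depth: confirm the resolved path is still under $base_dir.
    return resolve_inside($base_dir, $requested);
}

// Replacement for the download branch of file.php. Usage (session_start() and
// a login check that sets $_SESSION['username'] are assumed):
//   $requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
//   $path = authorize_download($_SESSION['username'], __DIR__ . '/files', $requested);
//   if ($path === null) { http_response_code(403); echo "Access Denied."; exit; }
//   send_download($path);
function send_download(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Self-check from the command line against a constructed directory layout.
$tmp = sys_get_temp_dir() . '/idor_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/files', 0700, true);
file_put_contents($tmp . '/files/file1.txt', "public\n");
file_put_contents($tmp . '/files/secret.txt', "secret\n");

$checks = [
    'alice, her own file'     => authorize_download('alice', $tmp . '/files', 'file1.txt'),
    "alice, bob's file"       => authorize_download('alice', $tmp . '/files', 'secret.txt'),
    'alice, traversal name'   => authorize_download('alice', $tmp . '/files', '../../etc/passwd'),
    'resolve: stays inside'   => resolve_inside($tmp . '/files', '../files/file1.txt'),
    'resolve: escapes base'   => resolve_inside($tmp . '/files', '../../etc/passwd'),
];
foreach ($checks as $label => $result) {
    printf("%-24s %s\n", $label, $result === null ? 'denied' : 'allowed: ' . basename($result));
}

// Remove the constructed files again.
unlink($tmp . '/files/file1.txt');
unlink($tmp . '/files/secret.txt');
rmdir($tmp . '/files');
rmdir($tmp);
```

The two functions answer different questions: resolve_inside() asks "is this path really under files/?" (input validation), and authorize_download() asks "may this user have this object?" (access control). IDOR is fundamentally the second problem; a traversal check alone would still let alice download secret.txt by name, which is exactly what Step 3 demonstrates.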
3.3. Cross-Site Request Forgery (CSRF):

• Description:
    • CSRF vulnerabilities occur when an attacker tricks a user into performing actions on a web application in which they are authenticated.

• Demonstration:
    • Step 1: Create a Form Submission:

        Unprotected Page (unprotected.php):

        <?php
        session_start();

        if (!isset($_SESSION['username'])) {
            $_SESSION['username'] = "default";
        }

        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            // Update the username
            $_SESSION['username'] = $_POST['username'];
            echo "Profile updated without CSRF protection.";
        }
        ?>

        <!DOCTYPE html>
        <html>
        <head>
            <title>Unprotected Page</title>
        </head>
        <body>
            <h1>Unprotected Page</h1>
            <p>Current Username: <?php echo htmlspecialchars($_SESSION['username']); ?></p>
            <form method="POST">
                <input type="text" name="username" placeholder="Enter new username">
                <button type="submit">Update Profile</button>
            </form>
        </body>
        </html>

    • Step 2: Craft a Malicious Link:
        • Send the link containing the form to the victim.
        • When the victim clicks the link, the form is submitted in the victim's authenticated session (in the online-banking scenario of case study 4.3, this is what transfers money to the attacker).

        Attacker Page (attacker.html):

        <!DOCTYPE html>
        <html>
        <head>
            <title>Attacker Page</title>
        </head>
        <body>
            <h1>Attacker Page</h1>
            <form action="unprotected.php" method="POST">
                <input type="hidden" name="username" value="hacked">
                <button type="submit">Execute CSRF Attack</button>
            </form>
        </body>
        </html>

• Mitigation:
    • Use anti-CSRF tokens and validate the origin of requests.

        Protected Page (protected.php):

        <?php
        session_start();

        if (!isset($_SESSION['username'])) {
            $_SESSION['username'] = "default";
        }

        if (!isset($_SESSION['token'])) {
            $_SESSION['token'] = bin2hex(random_bytes(32));
        }

        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            if (!isset($_POST['token']) || $_POST['token'] !== $_SESSION['token']) {
                die("Invalid CSRF token");
            }
            // Update the username
            $_SESSION['username'] = $_POST['username'];
            echo "Profile updated with CSRF protection.";
        }
        ?>

        <!DOCTYPE html>
        <html>
        <head>
            <title>Protected Page</title>
        </head>
        <body>
            <h1>Protected Page</h1>
            <p>Current Username: <?php echo htmlspecialchars($_SESSION['username']); ?></p>
            <form method="POST">
                <input type="text" name="username" placeholder="Enter new username">
                <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                <button type="submit">Update Profile</button>
            </form>
        </body>
        </html>
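The mitigation bullet names two controls, but protected.php above implements only the token. As an added example (not code from the lecture), the following factors the token check into a function that compares in constant time with hash_equals(), and adds the second control, checking the Origin header (falling back to Referer) against the site's own origin. The function names, the expected origin http://localhost and the sample requests are constructed for this example; the attacker origin is a placeholder.

```php
<?php
// Added example: CSRF token check plus request-origin check for protected.php.

// Compare the submitted token with the session token in constant time.
// hash_equals() does not stop at the first differing byte, so the comparison
// time does not reveal how much of the token was guessed correctly.
function csrf_token_valid(array $post, array $session): bool
{
    if (!isset($post['token'], $session['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($session['token'], $post['token']);
}

// Accept the request only if the browser reports it came from our own origin.
// Browsers send Origin on cross-site and same-site POSTs; if it is absent,
// fall back to Referer. With neither header present the request is rejected.
function request_origin_valid(array $server, string $expected_origin): bool
{
    if (isset($server['HTTP_ORIGIN'])) {
        return $server['HTTP_ORIGIN'] === $expected_origin;
    }
    if (isset($server['HTTP_REFERER'])) {
        $referer = $server['HTTP_REFERER'];
        return $referer === $expected_origin
            || strncmp($referer, $expected_origin . '/', strlen($expected_origin) + 1) === 0;
    }
    return false;
}

// Both controls must pass; in protected.php this replaces the inline
// token comparison before the username is updated.
function csrf_request_allowed(array $post, array $session, array $server, string $expected_origin): bool
{
    return csrf_token_valid($post, $session) && request_origin_valid($server, $expected_origin);
}

// Constructed requests, modelled on the three pages in the Testing section.
$session = ['token' => bin2hex(random_bytes(32))];
$origin  = 'http://localhost';   // assumed origin of the lab application

$cases = [
    'form on protected.php'      => [['username' => 'newuser', 'token' => $session['token']],
                                     ['HTTP_ORIGIN' => 'http://localhost']],
    'attacker.html, no token'    => [['username' => 'hacked'],
                                     ['HTTP_ORIGIN' => 'http://attacker.example']],
    'valid token, foreign Origin' => [['username' => 'hacked', 'token' => $session['token']],
                                     ['HTTP_ORIGIN' => 'http://attacker.example']],
    'Referer only, same site'    => [['username' => 'newuser', 'token' => $session['token']],
                                     ['HTTP_REFERER' => 'http://localhost/protected.php']],
    'token sent as an array'     => [['username' => 'hacked', 'token' => ['x']],
                                     ['HTTP_ORIGIN' => 'http://localhost']],
];

foreach ($cases as $label => [$post, $server]) {
    printf("%-28s %s\n", $label,
        csrf_request_allowed($post, $session, $server, $origin) ? 'allowed' : 'rejected');
}
```

The last case matters in PHP specifically: a request with token[]=x makes $_POST['token'] an array, and the page's own `$_POST['token'] !== $_SESSION['token']` check handles that correctly only because the types differ; the is_string() guard makes the intent explicit and keeps hash_equals() from raising a TypeError.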

Testing

Unprotected Page:
    • Navigate to unprotected.php.
    • You will see the current username displayed.
    • Fill in the form with a new username (e.g., "newuser") and submit.
    • The username should update, and the page will display "Profile updated without CSRF protection."

Protected Page:
    • Navigate to protected.php.
    • You will see the current username displayed.
    • Fill in the form with a new username (e.g., "newuser") and submit.
    • The username should update, and the page will display "Profile updated with CSRF protection."

Attacker Page:
    • Open attacker.html.
    • Submit the form.
    • Check the unprotected.php page. The username should be updated to "hacked."
    • Now, change the form action in attacker.html to protected.php and submit the form again.
    • The request will fail, and the username on protected.php should not change, showing the message "Invalid CSRF token."

4. Case Studies

4.1. Example Case Study 1: XSS in a Social Media Application

• Scenario:
    • A user posts a comment containing a malicious script.
    • Other users who view the comment have the script executed in their browsers.

• Discussion:
    • Impact of XSS on user data and application integrity.
    • How input validation and output encoding could have prevented the attack.

4.2. Example Case Study 2: Insecure Direct Object Reference in a File Management System

• Scenario:
    • Users can download files by specifying the file ID in the URL.
    • An attacker discovers that changing the ID grants access to other users' files.

• Discussion:
    • Impact on data confidentiality.
    • How implementing access controls and validating user input could have mitigated the risk.

4.3. Example Case Study 3: CSRF in an Online Banking Application

• Scenario:
    • An attacker crafts a request that transfers money from a victim's account to the attacker's account.
    • The victim, while authenticated, clicks on a malicious link and unknowingly initiates the transfer.

• Discussion:
    • Impact on financial integrity and user trust.
    • How using anti-CSRF tokens and validating request origins could have prevented the attack.

5. Practical Assignment

5.1. Setting Up and Exploring Tools:

• Task:
    • Set up OWASP ZAP and Burp Suite (optional).
    • Try an automated test on any web application you have.
    • Try to fix one problem that you might have in your application.

• Submission:
    • Document the setup process and provide screenshots of captured traffic.

5.2. Identifying Vulnerabilities:

• Task:
    • Create simple web applications demonstrating XSS, Insecure Direct Object Reference, and CSRF.
    • Use OWASP ZAP and Burp Suite to identify these vulnerabilities.

• Submission:
    • Provide the code for the web applications.
    • Write a report on the vulnerabilities found and how you identified them using the tools.
