CCS374 WAS

(Autonomous)

Mecheri, Salem Dt, Tamilnadu – 636 453.


(Approved by AICTE, New Delhi & Affiliated to Anna University)
An ISO 9001:2015 certified Institution and accredited by NAAC with A+ grade.

BONAFIDE CERTIFICATE
Name : …………………………………………………………

Reg.No. : …………………………………………………………

Degree : …………………………………………………

Branch : …………………………………………………………

…………………………………………………………

Semester : ……………Year: ……………

Certified that this is the bonafide record of the work done by the above
student in .........................................................................................Laboratory
During the academic year …………………………………

                 Max. Marks    Marks Secured    In Words

Record              20
Attendance          05
Total               25

HEAD OF THE DEPARTMENT LAB-IN-CHARGE

Submitted for University Practical Examination held on………………………………

INTERNAL EXAMINER EXTERNAL EXAMINER


LAB MANNERS

• Students must be present in proper dress code and wear the ID card.
• Students should enter the log-in and log-out time in the log register without fail.
• Students are not allowed to download pictures, music, videos or files without the permission of the respective lab in-charge.
• Students should wear their own lab coats and bring observation notebooks to the laboratory classes regularly.
• The record of experiments done in a particular class should be submitted in the next lab class.
• Students who do not submit the record notebook in time will not be allowed to do the next experiment and will not be given attendance for that laboratory class.
• Students will not be allowed to leave the laboratory until they complete the experiment.
• Students are advised to switch off the monitors and CPU when they leave the lab.
• Students are advised to arrange the chairs properly when they leave the lab.
College

Vision
• To improve the quality of human life through multi-disciplinary programs in Engineering, Architecture and Management that are internationally recognized and would facilitate research work to incorporate social, economic and environmental development.

Mission
• To create a vibrant atmosphere that creates competent engineers, innovators, scientists, entrepreneurs, academicians and thinkers of tomorrow.
• To establish centers of excellence that provide sustainable solutions to industry and society.
• To enhance capability through various value-added programs so as to meet the challenges of dynamically changing global needs.

Department

Vision
• The vision of the Artificial Intelligence and Data Science department is to make the student community pioneers in Information Technology, in the analysis and learning of new advanced technology and in research, and to produce creative solutions to society's needs.

Mission
• To provide excellence in advanced education and new innovation in software services.
• To provide quality education and to make the students employable.
• Continuous upgradation of new technology to reach excellence in a global improvement in Information Technology.

PROGRAM EDUCATIONAL OBJECTIVES (PEOs)

• Utilize their proficiencies in the fundamental knowledge of basic science, Artificial Intelligence, Data Science and statistics to build systems that require analysis of large volumes of data.
• Advance their technical skills to pursue pioneering research in the field of science and create disruptive and sustainable solutions for the welfare of the ecosystem.
• Think logically, pursue lifelong learning and collaborate with an ethical, multidisciplinary team.
• Design and model AI-based solutions to critical problems in the real world.
• Exhibit innovative thoughts and creative ideas for effective contribution towards building.
Program Outcomes

PO1  Engineering knowledge: Apply the knowledge of mathematics, science, engineering fundamentals, and an engineering specialization to the solution of complex engineering problems.
PO2  Problem analysis: Identify, formulate, review research literature, and analyze complex engineering problems reaching substantiated conclusions using first principles of mathematics, natural sciences, and engineering sciences.
PO3  Design/development of solutions: Design solutions for complex engineering problems and design system components or processes that meet the specified needs with appropriate consideration for the public health and safety, and the cultural, societal, and environmental considerations.
PO4  Conduct investigations of complex problems: Use research-based knowledge and research methods including design of experiments, analysis and interpretation of data, and synthesis of the information to provide valid conclusions.
PO5  Modern tool usage: Create, select, and apply appropriate techniques, resources, and modern engineering and IT tools including prediction and modelling to complex engineering activities with an understanding of the limitations.
PO6  The engineer and society: Apply reasoning informed by the contextual knowledge to assess societal, health, safety, legal and cultural issues and the consequent responsibilities relevant to the professional engineering practice.
PO7  Environment and sustainability: Understand the impact of the professional engineering solutions in societal and environmental contexts, and demonstrate the knowledge of, and need for sustainable development.
PO8  Ethics: Apply ethical principles and commit to professional ethics and responsibilities and norms of the engineering practice.
PO9  Individual and team work: Function effectively as an individual, and as a member or leader in diverse teams, and in multidisciplinary settings.
PO10 Communication: Communicate effectively on complex engineering activities with the engineering community and with society at large, such as, being able to comprehend and write effective reports and design documentation, make effective presentations, and give and receive clear instructions.
PO11 Project management and finance: Demonstrate knowledge and understanding of the engineering and management principles and apply these to one's own work, as a member and leader in a team, to manage projects and in multidisciplinary environments.
PO12 Life-long learning: Recognize the need for, and have the preparation and ability to engage in independent and life-long learning in the broadest context of technological change.
CCS374 WEB APPLICATION SECURITY                                L T P C
                                                               2 0 2 3

COURSE OBJECTIVES
 To understand the fundamentals of web application security
 To focus on wide aspects of secure development and deployment of web applications
 To learn how to build secure APIs
 To learn the basics of vulnerability assessment and penetration testing
 To get an insight about Hacking techniques and Tools
PRACTICAL EXERCISES: 30 PERIODS
1. Install Wireshark and explore the various protocols
   (a) Analyze the difference between HTTP vs HTTPS
   (b) Analyze the various security mechanisms embedded with different protocols
2. Identify the vulnerabilities using OWASP ZAP tool
3. Create a simple REST API using Python for the following operations
   (a) GET
   (b) PUT
   (c) POST
   (d) DELETE
4. Install Burp Suite to do the following vulnerabilities:
   (a) SQL injection
   (b) Cross-site scripting (XSS)
5. Attack the website using Social Engineering method

COURSE OUTCOMES
CO1: Understanding the basic concepts of web application security and the need for it
CO2: Be acquainted with the process for secure development and deployment of web applications
CO3: Acquire the skill to design and develop Secure Web Applications that use Secure APIs
CO4: Be able to get the importance of carrying out vulnerability assessment and penetration testing
CO5: Acquire the skill to think like a hacker and to use hackers tool sets

CO's - PO's & PSO's MAPPING

CO      PO1   PO2   PO3   PO4   PO5   PO6   PO7   PO8   PO9   PO10  PO11  PO12   PSO1  PSO2  PSO3
CO1     1     2     2     1     3     -     -     -     -     -     -     1      -     -     -
CO2     2     1     2     1     3     -     -     -     -     -     -     -      -     -     -
CO3     1     1     1     2     3     -     -     -     -     -     -     1      -     -     -
CO4     1     2     1     1     2     -     -     -     -     -     -     -      -     -     -
CO5     1     2     2     2     2     -     -     -     -     -     -     1      -     -     -
Avg.    1.2   1.6   1.6   1.4   2.6   -     -     -     -     -     -     0.6    -     -     -
1 - low, 2 - medium, 3 - high, '-' - no correlation
INDEX

Ex.No  Date  Name of the Exercise                                                          Pg.No  Mark  Sign
1A           Install Wireshark and explore the various protocols
             (Analyze the difference between HTTP vs HTTPS)
1B           Install Wireshark and explore the various protocols
             (Analyze the various security mechanisms embedded with different protocols)
2            Identify the vulnerabilities using OWASP ZAP tool
3            Create a simple REST API using Python for the following operations
             (GET, PUT, POST, DELETE)
4A           Install Burp Suite to do the following vulnerabilities: SQL injection
4B           Install Burp Suite to do the following vulnerabilities: Cross-site scripting (XSS)
5            Attack the website using Social Engineering method
Ex:No:1 A Install wireshark and explore the various protocols
Date: Analyze the difference between HTTP vs HTTPS

Aim:

To Analyze the difference between HTTP vs HTTPS

Algorithm:

Step 1: Start
Step 2: Install Wireshark
Step 3: Start Wireshark
Step 4: Capture HTTP and HTTPS traffic and compare what is readable in each capture
Step 5: View the captured packets
Step 6: Stop

Program:

# Installing Wireshark in Ubuntu:
sudo apt install wireshark
sudo usermod -aG wireshark $USER
# log out and back in so that the group change takes effect, then start Wireshark
# as your own user (the wireshark group exists so that the GUI need not run as root)
wireshark

# capture HTTP traffic:
sudo tcpdump -i <interface> -w http_traffic.pcap 'port 80'
# capture HTTPS traffic:
sudo tcpdump -i <interface> -w https_traffic.pcap 'port 443'
# open captured files in Wireshark:
wireshark -r http_traffic.pcap
wireshark -r https_traffic.pcap

Replace <interface> with your network interface (ip link lists them).

What to compare: in http_traffic.pcap the request line, the headers (including any Cookie or Authorization header) and the response body are readable as plain text (right-click a packet, Follow > TCP Stream). In https_traffic.pcap only the TLS handshake is readable: the Client Hello shows the server name (SNI) and the offered cipher suites, the Server Hello shows the chosen suite, and with TLS 1.2 the server certificate is visible; everything after the handshake appears as "Application Data" that Wireshark cannot decrypt without the session keys.
Output:
Result:
Thus, the experiment to analyze the difference between HTTP vs HTTPS
is executed and verified successfully.
Ex:No:1 B Install wireshark and explore the various protocols
Date: Analyze the various security mechanisms embedded with different protocols.

Aim:
To analyze the various security mechanisms embedded with different protocols

Algorithm:
Step 1: Start
Step 2: Start Wireshark
Step 3: Capture the traffic of each protocol and analyze the security mechanism embedded in it
Step 4: View the captured packets
Step 5: Stop

Program:
# capture HTTPS traffic (TLS on port 443):
sudo tcpdump -i <interface> -w https_traffic.pcap 'port 443'

# capture IPsec traffic (IP protocol 50 = ESP, 51 = AH):
sudo tcpdump -i <interface> -w ipsec_traffic.pcap 'ip proto 50 or ip proto 51'

# capture SSH traffic:
sudo tcpdump -i <interface> -w ssh_traffic.pcap 'port 22'

# capture WPA/WPA2 association frames (needs a wireless interface in monitor mode;
# the 4-way key handshake itself travels in EAPOL frames, filter 'ether proto 0x888e'):
sudo tcpdump -i <wireless_interface> -w wpa_traffic.pcap 'type mgt subtype assoc-req or type mgt subtype assoc-resp'

# capture DNS traffic (DNSSEC appears as RRSIG, DNSKEY and DS records in the answers):
sudo tcpdump -i <interface> -w dnssec_traffic.pcap 'port 53'

# capture the TLS handshakes of OAuth flows: OAuth runs over HTTPS, so only the
# handshake is visible, never the tokens; the filter keeps TCP segments whose first
# payload byte is 0x16 (TLS handshake record) or 0x80 (SSLv2-style client hello):
sudo tcpdump -i <interface> -w oauth_traffic.pcap 'port 443 and (tcp[((tcp[12] & 0xf0) >> 2):1] = 0x16 or tcp[((tcp[12] & 0xf0) >> 2):1] = 0x80)'

# after capturing packets, analyze them using Wireshark:
wireshark -r <filename.pcap>

Replace <filename.pcap> with the name of the captured file. This opens Wireshark with the specified packet capture file for detailed analysis. For each protocol, note which fields stay readable (the TLS Client Hello and Server Hello, the SSH version banner and KEXINIT, the ESP SPI and sequence number, the DNSSEC signature records) and which are encrypted.
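What an on-path observer actually reads from the streams captured in Ex 1A and 1B can be shown without a live capture. The following is an added example in Python, not part of the lab record: it parses constructed sample payloads (a cleartext HTTP login request, a minimal TLS ClientHello that the script builds itself, and an SSH version banner) and returns only the fields that are visible before any encryption begins. The host name example.test, the cookie and the Basic credential in the HTTP sample are made up for the example.

```python
"""What an on-path observer can read from a captured TCP payload: a full HTTP
request, only the handshake metadata of a TLS (HTTPS) session, and only the
version banner of an SSH session.  Added example, not part of the lab record;
the sample payloads are constructed here rather than taken from a capture."""
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000
SENSITIVE_HEADERS = ("authorization", "cookie", "proxy-authorization")


def build_client_hello(sni, cipher_suites=(0x1301, 0x1302)):
    """Minimal ClientHello record with an SNI extension (constructed sample)."""
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    ext = (struct.pack("!HH", EXT_SERVER_NAME, len(server_name) + 2)
           + struct.pack("!H", len(server_name)) + server_name)
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(payload):
    """Walk the ClientHello: everything here is sent before encryption starts."""
    if len(payload) < 5 or payload[0] != TLS_HANDSHAKE or payload[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4                                   # handshake type (1) + length (3)
    version = hs[pos:pos + 2].hex()
    pos += 2 + 32                             # version, random
    pos += 1 + hs[pos]                        # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                        # compression methods
    sni = None
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:      # list len (2), name type (1), name len (2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                sni = hs[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    return {"kind": "tls", "version": version, "sni": sni, "cipher_suites": suites}


def parse_http_request(payload):
    """Cleartext HTTP: method, path, host and any credentials are all readable."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"kind": "http", "method": method, "target": target,
            "host": headers.get("host"),
            "exposed_headers": [h for h in SENSITIVE_HEADERS if h in headers]}


def classify_payload(payload):
    """Dispatch on the first bytes of the stream."""
    if payload[:1] == bytes([TLS_HANDSHAKE]):
        return parse_client_hello(payload)
    if payload.startswith(b"SSH-"):           # only the banner precedes SSH key exchange
        return {"kind": "ssh", "banner": payload.split(b"\r\n", 1)[0].decode()}
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD"):
        return parse_http_request(payload)
    return {"kind": "unknown"}


# Constructed samples: the same login over HTTP, and the first bytes of an HTTPS
# and an SSH session to the same host.
HTTP_SAMPLE = (b"GET /login?user=alice HTTP/1.1\r\nHost: example.test\r\n"
               b"Cookie: session=abc123\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
TLS_SAMPLE = build_client_hello("example.test")
SSH_SAMPLE = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE, SSH_SAMPLE):
        print(classify_payload(sample))
```

The HTTP result lists the Authorization and Cookie headers as exposed, which is exactly what Follow > TCP Stream shows for port 80; the TLS result contains the SNI and cipher suites and nothing else, and the SSH result is the banner alone.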
Output:

Result:
Thus, the experiment to analyze the various security mechanisms embedded with different protocols is executed and verified successfully.
Ex:No:2 Identify the vulnerabilities using OWASP ZAP tool
Date:

Aim:
To Identify the Vulnerabilities Using Owasp Zap Tool

Procedure:

1. Install OWASP ZAP:
   • Download and install OWASP ZAP from the official website.
2. Configure Browser Proxy:
   • Set up your browser to use ZAP as a proxy server (default: localhost, port 8080).
   • Scan only an application you own or are explicitly authorised to test: an active scan sends attack payloads that can modify or destroy data.

Experiment Steps:
1. Launch OWASP ZAP:
   • Open the OWASP ZAP tool.
2. Start ZAP Proxy:
   • In ZAP, click on the 'Quick Start' tab.
   • Start the ZAP proxy.
3. Set Target Application:
   • Browse the target application through the proxy (or enter its URL under Quick Start > Automated Scan) so that it appears in the "Sites" tree.
   • Right-click on the site and choose "Include in Context" > "Default Context" to put it in scope for scanning.
4. Spider the Application:
   • Right-click on the target site and select "Attack" > "Spider" to crawl the application.
   • Let ZAP crawl and map the application structure; progress and the discovered URLs appear in the "Spider" tab.
5. Active Scan:
   • Right-click on the target site and select "Attack" > "Active Scan".
   • Configure the scan settings (scope, scan policy, strength and threshold).
   • Start the active scan on the target application.
6. Review Scan Results:
   • After the scan completes, go to the "Alerts" tab.
   • View the list of vulnerabilities discovered by ZAP, grouped by risk (High, Medium, Low, Informational).
7. Investigate Vulnerabilities:
   • Click on each alert to see the affected URL, parameter, attack string and evidence.
   • Verify each finding manually (replay the request) to rule out false positives, and understand its nature and potential impact.
8. Prioritize and Document:
   • Prioritize vulnerabilities based on risk, confidence and potential impact.
   • Document the identified vulnerabilities with descriptions, severity levels, affected URLs, and possible remediation steps.
9. Report Generation:
   • Go to Report > Generate Report.
   • Generate a comprehensive report summarizing the identified vulnerabilities and their details.
   • Choose the appropriate report format (HTML, PDF, JSON, etc.).
10. Remediation and Re-scan:
   • Work on fixing or mitigating the identified vulnerabilities.
   • After making changes, perform another scan using ZAP to verify that the issues have been resolved.
11. Continuous Monitoring:
   • Schedule regular scans using ZAP to continuously monitor the application's security posture.
   • Regularly review and update the security measures based on new findings.
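Steps 8 to 10 (prioritize, document, re-scan) are usually done on the exported report rather than in the GUI. The following is an added Python example, not part of the lab record and not ZAP's own code: it orders the alerts of a report by risk and confidence, groups the affected URLs, prints a summary for the record, and returns the alerts that should still fail a re-scan. The report it reads is constructed in the layout of ZAP's traditional JSON report (site > alerts > instances) and reduced to the fields the script uses; the three alerts in it are made up for the example.

```python
"""Triage of a ZAP scan report: order alerts by risk and confidence, group the
affected URLs, and decide whether a re-scan still fails.  Added example, not
part of the lab record or of ZAP.  SAMPLE_REPORT is constructed in the layout of
ZAP's traditional JSON report, reduced to the fields read here."""
import json

RISK_NAMES = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://127.0.0.1:5000", "alerts": [
    {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
     "solution": "Use parameterised queries.",
     "instances": [{"uri": "http://127.0.0.1:5000/items?id=1", "param": "id"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
     "solution": "Send X-Content-Type-Options: nosniff.",
     "instances": [{"uri": "http://127.0.0.1:5000/items", "param": ""},
                   {"uri": "http://127.0.0.1:5000/items/1", "param": ""}]},
    {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "1",
     "solution": "Encode output for the HTML context it is placed in.",
     "instances": [{"uri": "http://127.0.0.1:5000/search?q=x", "param": "q"}]},
]}]})


def load_alerts(report_json):
    """Flatten the alerts of every site into one list, highest priority first."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "name": a["alert"],
                "risk": int(a.get("riskcode", 0)),
                "confidence": int(a.get("confidence", 0)),
                "urls": sorted({i["uri"] for i in a.get("instances", [])}),
                "solution": a.get("solution", ""),
            })
    # risk first, then confidence, then how widespread the issue is
    alerts.sort(key=lambda a: (-a["risk"], -a["confidence"], -len(a["urls"]), a["name"]))
    return alerts


def failing_alerts(alerts, max_allowed_risk=2):
    """Re-scan gate: names of alerts whose risk exceeds the allowed threshold."""
    return [a["name"] for a in alerts if a["risk"] > max_allowed_risk]


def format_report(alerts):
    """Plain-text summary for the documentation step."""
    lines = []
    for a in alerts:
        lines.append("[%s/conf %d] %s (%d URL(s)) - %s"
                     % (RISK_NAMES[a["risk"]], a["confidence"], a["name"],
                        len(a["urls"]), a["solution"]))
        lines.extend("    " + u for u in a["urls"])
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_REPORT)
    print(format_report(alerts))
    raise SystemExit(1 if failing_alerts(alerts) else 0)   # non-zero exit fails a pipeline step
```

Run it against the JSON report that ZAP generates for the target and the exit status can gate the re-scan in step 10: as long as any High alert remains, the step fails.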
Result:
Thus, the experiment to identify vulnerabilities using OWASP Zap tool is
executed and verified successfully.
Ex:No:3 Create simple REST API using Python for the following operations
Date: (GET, PUT, POST, DELETE)

Aim:

To create a simple REST API using python to do the GET, POST, PUT
and DELETE operations

Algorithm:

Step 1: Start
Step 2: Install Flask
Step 3: Start the Flask App
Step 4: Use Postman to Test Endpoints
Step 5: View Server Output
Step 6: Stop

Program:

from flask import Flask, jsonify, request, abort

app = Flask(__name__)

# Sample data (kept in memory, lost when the server restarts)
data = [
    {'id': 1, 'name': 'Item 1'},
    {'id': 2, 'name': 'Item 2'},
    {'id': 3, 'name': 'Item 3'}
]


def next_id():
    # max+1 rather than len+1, so an id is never reused after a DELETE
    return max((item['id'] for item in data), default=0) + 1


def name_from_request():
    # Reject a missing or invalid JSON body and a non-string name with 400 instead of a 500
    body = request.get_json(silent=True)
    if not isinstance(body, dict) or not isinstance(body.get('name'), str) or not body['name']:
        abort(400, description="a JSON body with a non-empty string 'name' is required")
    return body['name']


# GET request to retrieve all items
@app.route('/items', methods=['GET'])
def get_items():
    return jsonify({'items': data})


# GET request to retrieve a specific item by ID
@app.route('/items/<int:item_id>', methods=['GET'])
def get_item(item_id):
    item = next((item for item in data if item['id'] == item_id), None)
    if item:
        return jsonify({'item': item})
    return jsonify({'message': 'Item not found'}), 404


# POST request to add a new item
@app.route('/items', methods=['POST'])
def add_item():
    new_item = {'id': next_id(), 'name': name_from_request()}
    data.append(new_item)
    return jsonify({'item': new_item}), 201


# PUT request to update a specific item by ID
@app.route('/items/<int:item_id>', methods=['PUT'])
def update_item(item_id):
    item = next((item for item in data if item['id'] == item_id), None)
    if item:
        item['name'] = name_from_request()
        return jsonify({'item': item})
    return jsonify({'message': 'Item not found'}), 404


# DELETE request to remove a specific item by ID
@app.route('/items/<int:item_id>', methods=['DELETE'])
def delete_item(item_id):
    global data
    if not any(item['id'] == item_id for item in data):
        return jsonify({'message': 'Item not found'}), 404
    data = [item for item in data if item['id'] != item_id]
    return jsonify({'message': 'Item deleted'}), 200


if __name__ == '__main__':
    # debug=True enables the Werkzeug debugger, which allows code execution from the
    # browser: use it only on 127.0.0.1 in the lab, never on a deployed service
    app.run(debug=True)

Procedure and Output:

Step 1: Install Flask
>>>pip install flask

Step 2: Start the Flask App
Save the code as app.py and execute
>>>python app.py
Copy the URL printed by Flask: http://127.0.0.1:5000

Step 3: Use Postman to Test Endpoints

1. GET Request to Retrieve All Items:
   • Set the request type to GET.
   • Enter the URL: http://127.0.0.1:5000/items
   • Click "Send."
2. GET Request to Retrieve a Specific Item by ID:
   • Set the request type to GET.
   • Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
   • Click "Send."
3. POST Request to Add a New Item:
   • Set the request type to POST.
   • Enter the URL: http://127.0.0.1:5000/items
   • Go to the "Body" tab, select "raw" and choose "JSON (application/json)". Enter the request body, for example {"name": "Item 4"}
   • Click "Send."
4. PUT Request to Update an Existing Item:
   • Set the request type to PUT.
   • Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
   • Go to the "Body" tab, select "raw" and choose "JSON (application/json)".
   • Enter the updated information, for example {"name": "Updated Item 1"}
   • Click "Send."
5. DELETE Request to Remove a Specific Item by ID:
   • Set the request type to DELETE.
   • Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
   • Click "Send."

Step 4: View Server Output
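The Flask app above accepts any caller and trusts its input, which is fine for Postman on loopback but not for an API that is "secure" in the sense of course outcome CO3. The following is an added Python example, not the lab record's code and not a Flask API: the same five endpoints written without a framework, with the controls the lab version lacks (a bearer token on every write, compared in constant time; schema validation that answers 400 instead of crashing; ids that are never reused after a DELETE; no debugger). API_TOKEN is a placeholder that a real deployment would load from a secret store; the item names are the lab's sample data.

```python
"""The lab's items API without a framework, with the controls a secure API needs:
bearer token on every write, constant-time token comparison, schema validation
that answers 400 instead of crashing, ids that are never reused, no debugger.
Added example, not the lab's code; API_TOKEN is a placeholder (assumption)."""
import hmac
import json
import os

API_TOKEN = os.environ.get("API_TOKEN", "demo-token-change-me")   # placeholder
MAX_NAME_LEN = 64


class ItemStore:
    """In-memory items keyed by id; the id counter only moves forward."""
    def __init__(self, items=()):
        self._items = {i["id"]: dict(i) for i in items}
        self._next_id = max(self._items, default=0) + 1
    def list(self):
        return [self._items[k] for k in sorted(self._items)]
    def get(self, item_id):
        return self._items.get(item_id)
    def add(self, name):
        item = {"id": self._next_id, "name": name}
        self._items[item["id"]] = item
        self._next_id += 1
        return item
    def update(self, item_id, name):
        item = self._items.get(item_id)
        if item is not None:
            item["name"] = name
        return item
    def delete(self, item_id):
        return self._items.pop(item_id, None) is not None


def authorized(headers):
    """Bearer check; compare_digest keeps the timing independent of where it differs."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(token.encode(), API_TOKEN.encode())


def valid_name(body):
    """Schema check: an object whose 'name' is a non-empty string of bounded length."""
    name = body.get("name") if isinstance(body, dict) else None
    return name if isinstance(name, str) and 0 < len(name) <= MAX_NAME_LEN else None


def dispatch(store, method, path, headers=None, body=b""):
    """Route one request to the store; returns (status, payload)."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = path.split("?", 1)[0].strip("/").split("/")
    if parts[0] != "items" or len(parts) > 2 or (len(parts) == 2 and not parts[1].isdigit()):
        return 404, {"message": "Not found"}
    item_id = int(parts[1]) if len(parts) == 2 else None
    if method == "GET":
        if item_id is None:
            return 200, {"items": store.list()}
        item = store.get(item_id)
        return (200, {"item": item}) if item else (404, {"message": "Item not found"})
    if not authorized(headers):                        # every write needs a token
        return 401, {"message": "Unauthorized"}
    if method == "DELETE" and item_id is not None:
        deleted = store.delete(item_id)
        return (200, {"message": "Item deleted"}) if deleted else (404, {"message": "Item not found"})
    if method in ("POST", "PUT"):
        try:
            name = valid_name(json.loads(body or b"{}"))
        except ValueError:
            return 400, {"message": "Malformed JSON"}
        if name is None:
            return 400, {"message": "name must be a string of 1-%d characters" % MAX_NAME_LEN}
        if method == "POST" and item_id is None:
            return 201, {"item": store.add(name)}
        if method == "PUT" and item_id is not None:
            item = store.update(item_id, name)
            return (200, {"item": item}) if item else (404, {"message": "Item not found"})
    return 405, {"message": "Method not allowed"}


if __name__ == "__main__":                             # stand-alone server, loopback only
    from http.server import BaseHTTPRequestHandler, HTTPServer
    store = ItemStore([{"id": 1, "name": "Item 1"}, {"id": 2, "name": "Item 2"}])

    class Handler(BaseHTTPRequestHandler):
        def _serve(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            status, payload = dispatch(store, self.command, self.path, dict(self.headers), body)
            data = json.dumps(payload).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        do_GET = do_POST = do_PUT = do_DELETE = _serve

    HTTPServer(("127.0.0.1", 5000), Handler).serve_forever()
```

With the lab's len(data)+1 scheme, deleting item 2 and then adding an item produces a second id 2; the store above hands out 3. The Postman steps of Step 3 work unchanged against this server once an Authorization: Bearer header is added to the POST, PUT and DELETE requests.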

Result:
Thus, the experiment to create a simple REST API using python to do the
GET, POST, PUT and DELETE operations is executed and verified successfully.
Ex:No:4 A Install Burp Suite to do following vulnerabilities:
Date: SQL injection

Aim:
To install Burp Suite and test for the following vulnerability:
• SQL Injection

Procedure:

1. Install Burp Suite and point the browser's proxy settings at the Burp proxy listener (default 127.0.0.1:8080). Use only a deliberately vulnerable practice application that you run yourself or are authorised to test.
2. Turn Intercept on in the Proxy tab and submit the login form of the target website so that the request is captured.
3. Send the intercepted request to Intruder, mark the username or password parameter as the payload position, and load the SQL injection payload file (the list of injection strings already present on the machine) as the payload set.
4. Start the attack in Intruder and compare the requests and responses in the results: a change in status code, response length or rendered content for a payload shows that the input reaches the database query. Check the Render tab of such responses for signs of SQL injection.
5. After the attack, the rendered response for a successful payload (a tautology such as ' OR '1'='1 or a comment sequence that cuts the query short) shows the logged-in page, including the username and password of the account.
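To see why step 4 finds the injection and what the fix looks like, here is an added example in Python (not the lab record's code) that reproduces the Intruder step against an in-memory SQLite table: the vulnerable string-built login query beside a parameterised one, with a small payload list fired into both fields of each. The users table and its passwords are constructed for the example (stored in plaintext only to show what a successful injection leaks); the payload strings are the generic tautology, comment and unbalanced-quote probes that any injection wordlist begins with.

```python
"""SQL injection reproduced locally: the Intruder step of the procedure against a
vulnerable string-built login query, beside the parameterised fix.  Added example,
not the lab record's code.  The users table, its plaintext passwords (real systems
store hashes) and the payload list are constructed for the example."""
import sqlite3

SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]

# The generic probes a SQL injection wordlist starts with
PAYLOADS = [
    "' OR '1'='1",    # tautology; works in the field that is evaluated last
    "' OR 1=1 --",    # comments out the rest of the WHERE clause
    "admin' --",      # log in as a chosen user without the password
    "'",              # unbalanced quote: an error shows that input reaches the query
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, username, password):
    """String formatting lets attacker input become SQL syntax."""
    query = ("SELECT username, password FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    try:
        return db.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "error: %s" % exc        # what the tester sees as a 500 or a stack trace


def login_safe(db, username, password):
    """Parameterised query: the values are bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT username, password FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def run_payloads(login, db, payloads=PAYLOADS):
    """Mimic Intruder: put each payload in each field and keep every response
    that differs from a failed login (an empty result)."""
    hits = {}
    for payload in payloads:
        for field, args in (("username", (payload, "x")), ("password", ("x", payload))):
            result = login(db, *args)
            if result:                  # rows returned, or an error string
                hits[(field, payload)] = result
    return hits


if __name__ == "__main__":
    db = make_db()
    for name, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, run_payloads(login, db))
```

The output for the vulnerable function is the Intruder result set of step 4: the tautology in the password field returns every row (the two credential pairs step 5 describes), admin' -- in the username field returns the admin row alone, and the lone quote produces the error response that first tells a tester the input reaches the query. The parameterised function returns nothing for any payload.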
Result:
Thus the above vulnerability is successfully executed and verified.
Ex:No:4 B Install Burp Suite to do following vulnerabilities
Date: Cross-site scripting (XSS)

Aim:
To install Burp Suite and test for the following vulnerability:
• Cross-Site Scripting (XSS)

Procedure:

1. Turn Intercept on and browse to the page of the target website that reflects user input (for example a search field) so that the request is captured.
2. Add the captured request to the Target scope.
3. Go to the Target section, find the captured request in the site map and send it to Repeater.
4. In Repeater, replace the value of the reflected parameter with an XSS payload such as <script>alert(1)</script> (use the Decoder tab to URL-encode it if it goes in the query string), send the request and confirm that the payload appears unencoded in the response.
5. Right-click the response and choose "Show response in browser"; copy the URL shown and paste it into a browser that is configured to use Burp as its proxy.
6. The browser renders the modified response and an alert message pops up while the page opens.
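The check in step 4, and why the fix depends on where the input lands, as an added Python example (not code from the lab record or from Burp): a page that reflects a search parameter into text and into an attribute, its encoded version, an href context where encoding alone is not enough, and the Repeater check of whether a payload is reflected unencoded. The search endpoint http://127.0.0.1:5000/search is assumed for illustration.

```python
"""Reflected XSS in three rendering contexts beside the fix, plus the Repeater check:
does the payload come back unencoded?  Added example in plain Python; it models the
target page's behaviour, not Burp itself."""
import html
from urllib.parse import quote, urlsplit

SCRIPT_PAYLOAD = "<script>alert(1)</script>"     # element (text) context
ATTR_PAYLOAD = '" onmouseover="alert(1)'         # breaks out of a quoted attribute
JS_URL_PAYLOAD = "javascript:alert(1)"           # href context: encoding alone is useless


def render_vulnerable(q):
    """Search page that reflects the query into text and an attribute unchanged."""
    return ('<h1>Results for %s</h1>\n'
            '<input type="text" name="q" value="%s">' % (q, q))


def render_safe(q):
    """html.escape(quote=True) is the right encoder for text and quoted attributes."""
    safe = html.escape(q, quote=True)
    return ('<h1>Results for %s</h1>\n'
            '<input type="text" name="q" value="%s">' % (safe, safe))


def render_link_vulnerable(url):
    """Escaping does not help in an href: a javascript: URL survives html.escape."""
    return '<a href="%s">next</a>' % html.escape(url, quote=True)


def render_link_safe(url):
    """For URL contexts, allow only known-safe schemes before encoding."""
    if urlsplit(url).scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">next</a>' % html.escape(url, quote=True)


def reflected_unencoded(payload, response):
    """The Repeater check of step 4: the payload text appears verbatim in the response."""
    return payload in response


def probe(render, payloads):
    """Fire each payload through a renderer; True means it was reflected as-is."""
    return {p: reflected_unencoded(p, render(p)) for p in payloads}


def repeater_url(base, param, payload):
    """URL to paste into the browser (step 5): the payload URL-encoded, as Decoder would."""
    return "%s?%s=%s" % (base, param, quote(payload, safe=""))


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, probe(fn, (SCRIPT_PAYLOAD, ATTR_PAYLOAD)))
    print(repeater_url("http://127.0.0.1:5000/search", "q", SCRIPT_PAYLOAD))
```

The probe reports both payloads reflected by the vulnerable renderer and neither by the encoded one, which is the difference step 4 looks for in the response. The link functions show the caveat: html.escape is the fix for text and attribute contexts only; in an href the scheme has to be validated.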

Result:
Thus the above vulnerability is successfully executed and verified.
Ex:No:5 Attack the website using Social Engineering method
Date:

Aim:

To attack the website using the social engineering method

Procedure & Output:

Installation of the Social-Engineer Toolkit (SET):

Step 1: Open your Kali Linux terminal and move to the Desktop.
>>>cd Desktop

Step 2: On the Desktop, create a new directory named SEToolkit.
>>>mkdir SEToolkit

Step 3: Move into the SEToolkit directory.
>>>cd SEToolkit

Step 4: Clone SEToolkit from GitHub.
>>>git clone https://github.com/trustedsec/social-engineer-toolkit setoolkit/

Step 5: The toolkit has been downloaded; move into its directory.
>>>cd setoolkit

Step 6: Install the Python requirements.
>>>pip3 install -r requirements.txt

Step 7: Run the installer.
>>>python3 setup.py

Step 8: Installation is complete; run the toolkit.
>>>setoolkit

Step 9: SET asks you to accept its terms of service (y/n). Type y and the toolkit starts. Use the credential harvester only on an isolated lab network against participants who have agreed to take part; collecting real credentials from anyone else is a crime.

Step 10: From the main menu choose option 1, Social-Engineering Attacks, and from the next menu choose option 2.

Website Attack Vectors

Option: 2

Step 11: To set up a phishing page, choose option 3, the Credential Harvester Attack Method.
Option: 3

Step 12: Since we are creating a phishing page, choose option 1, Web Templates.

Option: 1
Step 13: Enter the IP address the harvester should listen on (the Kali machine's address on the lab network), then choose option 2, Google, and a phishing page is generated on your local host.

Step 14: SET now serves a cloned Google sign-in page. When a participant submits the form, the entered credentials are printed in the SET terminal and the browser is redirected to the real site.
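What the generated page looks like from the defender's side, as an added Python example (not part of the lab record or of SET): it parses the forms of a captured page and reports the indicators of a credential harvester, namely a password form submitted over plain HTTP, a form posting to a host other than the page's own, and a page served from a bare IP address. The cloned sign-in page and the address 192.0.2.10 (a documentation-only range standing in for the Kali machine) are constructed for the example, as is the legitimate page used for comparison.

```python
"""Indicators of a credential-harvester page, read from its HTML forms.  Added
example, not part of the lab record or of SET; the sample pages are constructed
and 192.0.2.10 is a documentation-only address standing in for the Kali host."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its action and the (type, name) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(page_url, page_html):
    """Return the indicator strings found for `page_html` served at `page_url`."""
    page = urlsplit(page_url)
    collector = FormCollector()
    collector.feed(page_html)
    findings = []
    if is_bare_ip(page.hostname or ""):
        findings.append("page served from a bare IP address: %s" % page.hostname)
    for form in collector.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue                                  # only credential forms matter
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append("password form submits over %s" % target.scheme)
        if target.hostname != page.hostname:
            findings.append("password form posts to a different host: %s" % target.hostname)
    return findings


# Constructed samples: a cloned sign-in page as the harvester serves it, and the
# sign-in form of a legitimate site for comparison.
HARVESTER_URL = "http://192.0.2.10/"
HARVESTER_HTML = """<html><body><form action="http://192.0.2.10/" method="post">
<input type="email" name="Email"><input type="password" name="Passwd">
<input type="submit" value="Sign in"></form></body></html>"""

LEGIT_URL = "https://accounts.example.test/signin"
LEGIT_HTML = """<form action="/signin/challenge" method="post">
<input type="text" name="identifier"><input type="password" name="password"></form>"""

if __name__ == "__main__":
    print(phishing_indicators(HARVESTER_URL, HARVESTER_HTML))
    print(phishing_indicators(LEGIT_URL, LEGIT_HTML))
```

The same checks run in a mail gateway or browser extension are what make a harvester page served from a lab IP address over plain HTTP easy to spot; a cloned page hosted on a look-alike HTTPS domain defeats them, which is why the site cloner option in step 12 and the host name it is served from matter more than the template.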

RESULT:
Thus, the experiment to attack the website using the social engineering method is executed and verified successfully.
