
St. PETER'S
COLLEGE OF ENGINEERING & TECHNOLOGY
Affiliated to Anna University | Approved by AICTE
Avadi, Chennai, Tamilnadu – 600 054
Phone: 7358110159/56 website: www.spcet.ac.in email: [email protected]

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

CCS374 - WEB APPLICATION SECURITY LABORATORY

RECORD

NAME :

REG.NO :

BRANCH :

YEAR/SEM :

2023-2024

REGULATION – 2021

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING

Bonafide Certificate

NAME…………………………………………………………………..…………………..
YEAR………………………………….SEMESTER…………..…………………………
BRANCH……………………..…………............................................................................
REGISTER NO. ………………………….……………………………………………….

Certified that this is a bonafide record of work done by the above student in the CCS374 - WEB
APPLICATION SECURITY LABORATORY during the year 2023 – 2024.

Faculty-in-Charge Head of the Department

Submitted for the practical Examination held on............................at St. PETER'S COLLEGE OF

ENGINEERING AND TECHNOLOGY

Internal Examiner External Examiner



INDEX

S.NO | DATE | TITLE | Pg. No. | MARKS | SIGN

1. Install wireshark and explore the various protocols
   a. Analyze the difference between HTTP vs HTTPS
   b. Analyze the various security mechanisms embedded with different protocols

2. Identify the vulnerabilities using OWASP ZAP tool

3. Create simple REST API using python for following operation
   a. GET
   b. PUSH
   c. POST
   d. DELETE

4. Install Burp Suite to do following vulnerabilities:
   a. SQL injection
   b. cross-site scripting (XSS)

5. Attack the website using Social Engineering method



INSTRUCTIONS TO STUDENTS

● Before entering the lab the student should carry the following things (MANDATORY):
  1. Identity card issued by the college.
  2. Class notes
  3. Lab observation book
  4. Lab Manual
  5. Lab Record
● Students must sign in and sign out in the register provided when attending the lab session, without fail.
● Come to the laboratory in time. Students who are late by more than 15 min. will not be allowed to attend the lab.
● Students need to maintain 100% attendance in the lab; if not, strict action will be taken.
● All students must follow the Dress Code while in the laboratory.
● Foods and drinks are NOT allowed.
● All bags must be left at the indicated place.
● Refer to the lab staff if you need any help in using the lab.
● Respect the laboratory and its other users.
● The workspace must be kept clean and tidy after the experiment is completed.
● Read the Manual carefully before coming to the laboratory and be sure about what you are supposed to do.
● Do the experiments as per the instructions given in the manual.
● Copy all the programs taught in class into the observation book before attending the lab session.
● Students are not supposed to use floppy disks or pen drives without the permission of the lab In-charge.

INSTITUTION VISION

To emerge as an institution of excellence by providing high quality education in
Engineering, Technology and Management to contribute to the economic as well as
societal growth of our nation.

INSTITUTION MISSION

● To impart strong fundamental and value-based academic knowledge in various
Engineering, Technology and Management disciplines to nurture creativity.
● To promote innovative Research and Development activities collaborating with
Industries, R & D organisations and other statutory bodies.
● To provide a conducive learning environment and training so as to empower the
students with dynamic skill development for employability.
● To foster entrepreneurial spirit amongst the students for making a positive
impact on remarkable community development.

QUALITY POLICY

We at St. Peter's College of Engineering and Technology are committed to providing
value based technical education by continually improving our services to produce qualified
and competent engineers, technologists and management professionals, fulfilling the
statutory and regulatory requirements.

DEPARTMENT VISION

Contributing towards a progressive socio-economic nation building process by
creating diligent, adept and responsible computer science engineers.

DEPARTMENT MISSION

⚫ To provide quality engineering education through cutting edge technologies in
computer science and engineering.

⚫ To produce a conducive learning milieu to comprehend the nitty-gritty of the
computing process, and to edify the students to be successful professionals.

⚫ To establish industry-institution liaison to make the students cater to the
needs of industry.

⚫ To promote projects and activities in the promising areas of engineering and technology.

PROGRAM EDUCATIONAL OBJECTIVES

Program Educational Objectives describe the career and professional accomplishments in five
years after the graduation that the program is preparing graduates to achieve.

● PEO1: Apply their technical competence in computer science to solve real world problems, with
technical and people leadership.

● PEO2: Conduct cutting edge research and develop solutions on problems of social relevance.

● PEO3: Work in a business environment, exhibiting team skills, work ethics, adaptability and
lifelong learning.

PROGRAM OUTCOME

Program Outcomes describe the knowledge, skills and attitudes the students should acquire at the
end of a four-year engineering program.

PO-1. Engineering knowledge: Apply the knowledge of mathematics, science, engineering
fundamentals, and an engineering specialization to the solution of complex engineering
problems.

PO-2. Problem analysis: Identify, formulate, review research literature and analyze complex
engineering problems reaching substantiated conclusions using first principles of mathematics,
natural sciences, and engineering sciences.

PO-3. Design/ development of solutions: Design solutions for complex engineering problems
and design system components or processes that meet the specified needs with appropriate
consideration for the public health and safety, and the cultural, societal, and environmental
considerations.

PO-4. Conduct investigations of complex problems: Use research-based knowledge and research
methods including design of experiments, analysis and interpretation of data, and synthesis of the
information to provide valid conclusions.

PO-5. Modern tool usage: Create, select, and apply appropriate techniques, resources, and
modern engineering and IT tools including prediction and modeling to complex engineering
activities with an understanding of the limitations.

PO-6. The engineer and society: Apply reasoning informed by the contextual knowledge to
assess societal, health, safety, legal and cultural issues and the consequent responsibilities
relevant to the professional engineering practice.

PO-7. Environment and sustainability: Understand the impact of the professional engineering
solutions in societal and environmental contexts, and demonstrate the knowledge of, and need
for sustainable development.
PO-8. Ethics: Apply ethical principles and commit to professional ethics and responsibilities and norms
of the engineering practice.

PO-9. Individual and team work: Function effectively as an individual, and as a member or leader in
diverse teams, and in multidisciplinary settings.

PO-10. Communication: Communicate effectively on complex engineering activities with the
engineering community and with society at large, such as, being able to comprehend and write effective
reports and design documentation, make effective presentations, and give and receive clear instructions.

PO-11. Project management and finance: Demonstrate knowledge and understanding of the engineering
and management principles and apply these to one’s own work, as a member and leader in a team, to
manage projects and in multidisciplinary environments.

PO-12. Life-long learning: Recognize the need for, and have the preparation and ability to engage in
independent and life-long learning in the broadest context of technological change.

PROGRAM SPECIFIC OUTCOMES

Program Specific Outcomes are statements that describe what the graduates of a specific engineering
program should be able to do

PSO-1: Exhibit design and programming skills to build and automate business solutions using
cutting edge technologies.

PSO-2: Strong theoretical foundation leading to excellence and excitement towards research, to provide
elegant solutions to complex problems.

PSO-3: Ability to work effectively with various engineering fields as a team to design, build and
develop system applications.
LIST OF EXPERIMENTS

1. Install wireshark and explore the various protocols
   a. Analyze the difference between HTTP vs HTTPS
   b. Analyze the various security mechanisms embedded with different protocols.

2. Identify the vulnerabilities using OWASP ZAP tool

3. Create simple REST API using python for following operation
   a. GET
   b. PUSH
   c. POST
   d. DELETE

4. Install Burp Suite to do following vulnerabilities:
   a. SQL injection
   b. cross-site scripting (XSS)

5. Attack the website using Social Engineering method

CO's-PO's & PSO's MAPPING

CO's   PO1  PO2  PO3  PO4  PO5  PO6  PO7  PO8  PO9  PO10 PO11 PO12  PSO1 PSO2 PSO3
1       1    2    2    1    3    -    -    -    -    -    -    1     -    -    -
2       2    1    2    1    3    -    -    -    -    -    -    -     -    -    -
3       1    1    1    2    3    -    -    -    -    -    -    1     -    -    -
4       1    2    1    1    2    -    -    -    -    -    -    -     -    -    -
5       1    2    2    2    2    -    -    -    -    -    -    1     -    -    -
Avg.   1.2  1.6  1.6  1.4  2.6   -    -    -    -    -    -   0.6    -    -    -
EX.NO: 1a    Install wireshark and explore the various protocols
DATE:        a. Analyze the difference between HTTP vs HTTPS

Aim:

To analyze the difference between HTTP and HTTPS

Algorithm:

Step 1: Start
Step 2: Install wireshark
Step 3: Start wireshark
Step 4: Analyze the difference between HTTP vs HTTPS
Step 5: View Server Output
Step 6: Stop

Program:

# Installing wireshark in Ubuntu:
sudo apt install wireshark
sudo usermod -aG wireshark $USER   # log out and back in for the group change to take effect
sudo wireshark

# capture HTTP traffic:
sudo tcpdump -i <interface> -w http_traffic.pcap 'port 80'

# capture HTTPS traffic:
sudo tcpdump -i <interface> -w https_traffic.pcap 'port 443'

# open captured files in wireshark:
wireshark -r http_traffic.pcap
wireshark -r https_traffic.pcap
Output:
Result:

Thus, the experiment to analyze the difference between HTTP vs HTTPS is executed
and verified successfully.
EX.NO: 1b    Install wireshark and explore the various protocols
DATE:        b. Analyze the various security mechanisms embedded with different protocols.

Aim:
To analyze the various security mechanisms embedded with different
protocols

Algorithm:
Step 1: Start
Step 2: Start wireshark
Step 3: Analyze the various security mechanisms embedded with different protocols
Step 4: View Server Output
Step 5: Stop

Program:
# capture HTTPS traffic:
sudo tcpdump -i <interface> -w https_traffic.pcap 'port 443'

# capture IPsec traffic (ESP is IP protocol 50, AH is protocol 51):
sudo tcpdump -i <interface> -w ipsec_traffic.pcap 'ip proto 50 or ip proto 51'

# capture SSH traffic:
sudo tcpdump -i <interface> -w ssh_traffic.pcap 'port 22'

# capture WPA/WPA2 traffic (the wireless interface must be in monitor mode
# for 802.11 management frames to be visible):
sudo tcpdump -i <wireless_interface> -w wpa_traffic.pcap 'type mgt subtype assoc-req or type mgt subtype assoc-resp'

# capture DNSSEC traffic:
sudo tcpdump -i <interface> -w dnssec_traffic.pcap 'port 53'

# capture OAuth traffic (OAuth itself runs over HTTPS; this filter keeps port-443
# segments whose first payload byte is a TLS handshake record (0x16) or an
# SSLv2 record header (0x80); the tcp[12] arithmetic skips the TCP header):
sudo tcpdump -i <interface> -w oauth_traffic.pcap 'port 443 and (tcp[((tcp[12] & 0xf0) >> 2):1] = 0x16 or tcp[((tcp[12] & 0xf0) >> 2):1] = 0x80)'

# after capturing packets, analyze them using wireshark:
wireshark -r <filename.pcap>
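The two captures of experiment 1a differ in what an analyst can read: on port 80 the request line and headers such as Cookie are in the clear, while on port 443 only the TLS record layer (content type, version, length and, for a handshake record, the first message type) is visible. The following Python script, added here as an illustration and not part of this lab record or of tcpdump/Wireshark, reproduces the offset arithmetic of the OAuth filter above (`tcp[((tcp[12] & 0xf0) >> 2):1]`) to pull the payload out of a raw TCP segment and then classifies it. The two segments it inspects are constructed inline (ports, sequence numbers and the cookie value are made up), so it runs without a capture file; the function names are my own.

```python
import struct

# tcpdump's  tcp[((tcp[12] & 0xf0) >> 2):1] = 0x16  reads the TCP data offset from
# byte 12 and tests the first payload byte; tcp_payload() reproduces that arithmetic.
TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {0x01: "client_hello", 0x02: "server_hello"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")
SENSITIVE_HEADERS = ("cookie", "authorization")   # readable on port 80, hidden on 443


def tcp_payload(segment):
    """Return the payload of a raw TCP segment (header + data)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] & 0xF0) >> 2       # header length in bytes
    return segment[data_offset:]


def classify_payload(payload):
    """Describe what an analyst can read: HTTP fields, or only the TLS record layer."""
    if payload.startswith(HTTP_METHODS):
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        exposed = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() in SENSITIVE_HEADERS:
                exposed[name.strip()] = value.strip()
        return {"protocol": "HTTP", "request_line": lines[0], "exposed": exposed}
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        info = {"protocol": "TLS", "record": TLS_RECORD_TYPES[ctype],
                "version": "%d.%d" % (major, minor), "length": length}
        if ctype == 0x16 and len(payload) > 5:   # handshake: next byte is the message type
            info["handshake"] = HANDSHAKE_TYPES.get(payload[5], "other")
        return info
    if payload[:1] == b"\x80":                    # the 0x80 case from the tcpdump filter
        return {"protocol": "SSLv2", "record": "handshake"}
    return {"protocol": "unknown"}


def analyze(segment):
    return classify_payload(tcp_payload(segment))


def make_segment(payload, header_len=20):
    """Constructed sample: minimal TCP header 1234->80; NOP options pad it to header_len."""
    header = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, (header_len // 4) << 4, 0x18, 65535, 0, 0)
    return header + b"\x01" * (header_len - 20) + payload


# Constructed sample segments, not real captures. The HTTP one carries a 32-byte
# header so that a fixed 20-byte assumption would misread it.
HTTP_SEGMENT = make_segment(
    b"GET /login HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n",
    header_len=32)
TLS_SEGMENT = make_segment(b"\x16\x03\x01\x00\x2a\x01" + b"\x00" * 41)

if __name__ == "__main__":
    print(analyze(HTTP_SEGMENT))
    print(analyze(TLS_SEGMENT))
```

Fed the raw bytes of a TCP segment exported from Wireshark, analyze() gives the same verdict as reading the packet bytes pane by hand: for the port-80 segment it returns the request line and the Cookie value, for the port-443 segment only the record metadata, which is the whole difference the experiment asks you to observe.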
Output:

Result:
Thus, the experiment to analyze the various security mechanisms embedded with
different protocols is executed and verified successfully.
EX.NO:2 Identify the vulnerabilities using OWASP ZAP tool
DATE:

Aim:
To identify the vulnerabilities using the OWASP ZAP tool

Procedure:

● Install OWASP ZAP:
  1. Download and install OWASP ZAP from the official website.
● Configure Browser Proxy:
  1. Set up your browser to use ZAP as a proxy server (Default: localhost, Port: 8080).

Experiment Steps:
● Launch OWASP ZAP:
  • Open the OWASP ZAP tool.
● Start ZAP Proxy:
  • In ZAP, click on the "Quick Start" tab.
  • Start the ZAP Proxy.
● Set Target Application:
  • Go to the "Sites" tab.
  • Enter the URL of the target application.
  • Right-click on the URL and choose "Include in Context" > "Default Context" to add it for scanning.
● Spider the Application:
  • Go to the "Spider" tab.
  • Right-click on the target URL and select "Spider" to crawl the application.
  • Let ZAP crawl and map the application structure.
● Active Scan:
  • Go to the "Attack" tab.
  • Choose "Active Scan".
  • Configure the scan settings (scope, intensity, etc.).
  • Start the active scan on the target application.
● Review Scan Results:
  • After the scan completes, go to the "Alerts" tab.
  • View the list of vulnerabilities discovered by ZAP.
● Investigate Vulnerabilities:
  • Click on each vulnerability to get detailed information.
  • Verify and understand the nature and potential impact of each issue.
● Prioritize and Document:
  • Prioritize vulnerabilities based on severity and potential impact.
  • Document the identified vulnerabilities with descriptions, severity levels, affected URLs, and possible remediation steps.
● Report Generation:
  • Go to the "Report" tab.
  • Generate a comprehensive report summarizing the identified vulnerabilities and their details.
  • Choose the appropriate report format (HTML, PDF, etc.).
● Remediation and Re-scan:
  • Work on fixing or mitigating the identified vulnerabilities.
  • After making changes, perform another scan using ZAP to verify that the issues have been resolved.
● Continuous Monitoring:
  • Schedule regular scans using ZAP to continuously monitor the application's security posture.
  • Regularly review and update the security measures based on new findings.
Result:
Thus, the experiment to identify vulnerabilities using the OWASP ZAP tool is executed
and verified successfully.
EX.NO:3 Create simple REST API using python for following operation
DATE:

Aim:

To create a simple REST API using python to do the GET, POST, PUT and DELETE
operations

Algorithm:

Step 1: Start
Step 2: Install Flask
Step 3: Start the Flask App
Step 4: Use Postman to Test Endpoints
Step 5: View Server Output
Step 6: Stop

Program:

from flask import Flask, jsonify, request

app = Flask(__name__)

# Sample data
data = [
    {'id': 1, 'name': 'Item 1'},
    {'id': 2, 'name': 'Item 2'},
    {'id': 3, 'name': 'Item 3'}
]


# GET request to retrieve all items
@app.route('/items', methods=['GET'])
def get_items():
    return jsonify({'items': data})


# GET request to retrieve a specific item by ID
@app.route('/items/<int:item_id>', methods=['GET'])
def get_item(item_id):
    item = next((item for item in data if item['id'] == item_id), None)
    if item:
        return jsonify({'item': item})
    else:
        return jsonify({'message': 'Item not found'}), 404


# POST request to add a new item
@app.route('/items', methods=['POST'])
def add_item():
    # Take max(id) + 1 rather than len(data) + 1: after a DELETE the list shrinks
    # and len(data) + 1 would reuse an id that still exists.
    new_id = max((item['id'] for item in data), default=0) + 1
    new_item = {'id': new_id, 'name': request.json['name']}
    data.append(new_item)
    return jsonify({'item': new_item}), 201


# PUT request to update a specific item by ID
@app.route('/items/<int:item_id>', methods=['PUT'])
def update_item(item_id):
    item = next((item for item in data if item['id'] == item_id), None)
    if item:
        item['name'] = request.json['name']
        return jsonify({'item': item})
    else:
        return jsonify({'message': 'Item not found'}), 404


# DELETE request to remove a specific item by ID
@app.route('/items/<int:item_id>', methods=['DELETE'])
def delete_item(item_id):
    global data
    data = [item for item in data if item['id'] != item_id]
    return jsonify({'message': 'Item deleted'}), 200


if __name__ == '__main__':
    # debug=True enables the interactive Werkzeug debugger; use it only on the lab machine.
    app.run(debug=True)

Procedure and Output:

Step 1: Install Flask
>>>pip install flask

Step 2: Start the Flask App
Save the code as app.py and execute
>>>python app.py
Copy the URL produced: http://127.0.0.1:5000

Step 3: Use Postman to Test Endpoints

⚫ GET Request to Retrieve All Items:
  • Set the request type to GET.
  • Enter the URL: http://127.0.0.1:5000/items
  • Click "Send."
⚫ GET Request to Retrieve a Specific Item by ID:
  • Set the request type to GET.
  • Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
  • Click "Send."
⚫ POST Request to Add a New Item:
  • Set the request type to POST.
  • Enter the URL: http://127.0.0.1:5000/items
  • Go to the "Body" tab, select "raw" and choose "JSON (application/json)". Enter the request body.
  • Click "Send."
⚫ PUT Request to Update an Existing Item:
  • Set the request type to PUT.
  • Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
  • Go to the "Body" tab, select "raw" and choose "JSON (application/json)".
  • Enter the updated information.
  • Click "Send."
⚫ DELETE Request to Remove a Specific Item by ID:
  • Set the request type to DELETE.
  • Enter the URL for a specific item ID, for example: http://127.0.0.1:5000/items/1
  • Click "Send."

Step 4: View Server Output
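The Flask program reads request.json['name'] without checking it, so a body with a missing key or a non-object body raises inside the handler and Postman gets a 500, and it keeps state in a plain list. The script below, added here as an illustration and not part of this lab record or of Flask, serves the same four operations on the same /items routes using only the Python standard library (so it also runs where Flask is not installed), and adds the checks a practitioner would expect: the body is validated before any state changes, ids come from a counter that is never reused after a DELETE, the request body is capped before it is read, and malformed input becomes a 400 rather than a 500. The names ItemStore, dispatch, ItemHandler and run_demo and the sample item names are my own.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def validate_name(payload):
    """Accept only {"name": "<1..64 chars>"}. The Flask version indexes
    request.json['name'] unchecked, so a malformed body ends in a 500."""
    if not isinstance(payload, dict) or not isinstance(payload.get("name"), str):
        raise ValueError("body must be a JSON object with a string 'name'")
    name = payload["name"].strip()
    if not 1 <= len(name) <= 64:
        raise ValueError("'name' must be 1-64 characters")
    return name


class ItemStore:
    """In-memory items keyed by id. A monotonic counter replaces len(data) + 1,
    which after a DELETE can hand out an id that still exists."""

    def __init__(self):
        self.items, self.next_id = {}, 1

    def add(self, payload):
        item = {"id": self.next_id, "name": validate_name(payload)}
        self.items[self.next_id] = item
        self.next_id += 1
        return item

    def update(self, item_id, payload):
        name = validate_name(payload)          # validate before touching state
        item = self.items.get(item_id)
        if item is not None:
            item["name"] = name
        return item


def dispatch(store, method, path, raw_body=b""):
    """Route one request to the store; returns (status, JSON-serialisable body)."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    if parts[0] != "items" or len(parts) > 2 or (len(parts) == 2 and not parts[1].isdigit()):
        return 404, {"message": "Not found"}
    try:
        if len(parts) == 1:                                  # /items
            if method == "GET":
                return 200, {"items": [dict(i) for i in store.items.values()]}
            if method == "POST":
                return 201, {"item": dict(store.add(json.loads(raw_body or b"null")))}
            return 405, {"message": "Method not allowed"}
        item_id = int(parts[1])                              # /items/<id>
        if method == "GET":
            item = store.items.get(item_id)
        elif method == "PUT":
            item = store.update(item_id, json.loads(raw_body or b"null"))
        elif method == "DELETE":
            item = store.items.pop(item_id, None)
            if item is not None:
                return 200, {"message": "Item deleted"}
        else:
            return 405, {"message": "Method not allowed"}
        return (200, {"item": dict(item)}) if item is not None else (404, {"message": "Item not found"})
    except ValueError as err:          # malformed JSON or failed validation -> 400, not 500
        return 400, {"message": str(err)}


class ItemHandler(BaseHTTPRequestHandler):
    store = ItemStore()                    # one shared store per process

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length > 4096:                  # bound the body before reading it
            status, body = 413, {"message": "Body too large"}
        else:
            status, body = dispatch(self.store, self.command, self.path, self.rfile.read(length))
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _serve

    def log_message(self, *args): pass     # keep the demo quiet


def run_demo():
    """The Step 3 requests in order, routed straight through dispatch();
    returns {label: (status, body)}. The bodies are constructed sample input."""
    store = ItemStore()
    calls = [("post", "POST", "/items", b'{"name": "Item 1"}'),
             ("bad_post", "POST", "/items", b'{"nmae": "oops"}'),
             ("put", "PUT", "/items/1", b'{"name": "Renamed"}'),
             ("get", "GET", "/items/1", b""),
             ("delete", "DELETE", "/items/1", b""),
             ("post_after_delete", "POST", "/items", b'{"name": "Item 2"}'),
             ("list", "GET", "/items", b"")]
    return {label: dispatch(store, m, p, body) for label, m, p, body in calls}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
    HTTPServer(("127.0.0.1", 5000), ItemHandler).serve_forever()   # then test with Postman
```

Run as a script, it first prints the results of the Step 3 sequence (note that the item created after the DELETE gets id 2, not 1, and that the misspelled body is answered with a 400) and then listens on http://127.0.0.1:5000, so the Postman steps above apply unchanged.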

Result:
Thus, the experiment to create a simple REST API using python to do the GET, POST, PUT
and DELETE operations is executed and verified successfully.
EX.NO:4 Install Burp Suite to do following vulnerabilities
DATE:

Aim:
To Install Burp Suite to do following vulnerabilities:
 SQL Injection

Procedure:

1. Install Burp Suite and configure the browser's proxy settings to use the Burp Suite proxy.
2. Turn on Intercept and browse to the website whose requests need to be captured.
3. Send the intercepted request to Intruder and load the SQL injection payload file
   already saved on the device.
4. Start the attack in Intruder and inspect the requests and responses in the Render
   view for signs of SQL injection.
5. After the attack, some responses in the Render view show the username and password
   for the webpage.
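Step 4 works because the login query behind the page is assembled from the submitted text, so a payload that contains a quote changes the structure of the query rather than being compared as data. The example below, added here and not part of this lab record or of Burp Suite, shows that pattern in Python against an in-memory SQLite table beside the parameterized form that fixes it: the same probe string returns every account from the first function and nothing from the second, and a legitimate username containing an apostrophe (o'brien) is a syntax error for the first and ordinary data for the second. The table, the two accounts and the probe string are constructed for the demonstration; the function names are my own.

```python
import sqlite3


def make_db():
    """Constructed demo table; real applications store password hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    return conn


def login_vulnerable(conn, username, password):
    """The pattern Intruder finds: the input is pasted into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """Bound parameters: the driver passes the input separately from the SQL text,
    so the same probe is only an unmatched string."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def breaks_on_apostrophe(conn, login):
    """True if a legitimate name containing a quote crashes the login function; the
    error page such a crash produces is what makes the flaw visible in Burp's Render view."""
    try:
        login(conn, "o'brien", "x")
        return False
    except sqlite3.OperationalError:
        return True


PROBE = "' OR '1'='1"     # the classic tautology found in any SQL injection payload list

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", login_vulnerable(conn, PROBE, PROBE))
    print("parameterized:", login_parameterized(conn, PROBE, PROBE))
```

The point to take from the comparison is that the fix is not filtering the payload list: login_parameterized never inspects the input at all, it simply never lets the input become part of the SQL grammar.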
Result:
Thus, the above experiment on SQL injection using Burp Suite is executed and verified successfully.
