Web Application Security

The student set up a virtual environment using VirtualBox and installed XAMPP on the virtual machine to host a web application. Mutillidae, a deliberately vulnerable web application, was installed in the XAMPP folder to use for testing. Nmap scanning was used to scan open ports on the virtual machine, identify the IP address and subnet mask, and perform basic network scanning. SQL injection testing was later carried out on the Mutillidae application using SQLMap.

Uploaded by Mark Zapca

Student ID Number: XXXXXXXXX (do not include student name, as anonymous marking is implemented)
Programme Title: Computing Technologies (QA)
Module Title: Web Application Security
Module Code (listed on Moodle and in LTAFP): QAC020N256S
Module Convenor: Shahbaz Ahmad
Coursework Title: Design and Develop Web Application Security Testing

Academic Declaration:
Students are reminded that the electronic copy of their essay may be checked, at
any point during their degree, with Turnitin or other plagiarism detection software
for plagiarised material.

Word Count: 2237
Date Submitted: 06/03/2020
DIM18457528

Table of Contents:
1. Introduction 3
2. Set up a fully functioning Web Application 4
2.1. Configuration details of the environment setup Virtual Box 4
2.2. Configuration details of the environment setup XAMPP/WAMP 9
2.3. Web/application and back-end database 15
3. Web Application Security Testing 20
3.1. Nmap scanning 20
3.2. Wireshark Sniffing 26
3.3. SQL Injection using SQLMAP 30
4. Design and Implement a web security model 35
4.1. Firewall 35
4.2. IDS/IPS 36
4.3. Antivirus 37
4.4. Encryption 38
5. Referencing and Bibliography 39


1. Introduction

Security is the process of maintaining an acceptable level of risk. As Mitch
Kabay put it, “Security is a process, not an end state.”

For modern businesses, web applications have become the main point of exposure.
The activities of almost every company now depend on web and cloud technologies.
Gartner reports that most attacks, around 80% overall, target web applications. These
attacks usually exploit vulnerabilities in the application code. The factors that make
web applications vulnerable are: weak security in the applications themselves; public
accessibility over the internet, which lets external attackers reach the confidential
data of companies; and increasing complexity.

Figure1. Web Application Security Risks (source: www.owasp.org)

For this assignment a scenario was provided that gives the opportunity to explain
what a security analysis involves, in the role of a trainee Web Application
Security Analyst. Our responsibilities are to deliver web/application security
testing, since the client's web site may contain security vulnerabilities, and to
report findings that support well-founded conclusions.


2. Set up a fully functioning Web Application

2.1. Configuration details of the environment setup (XAMPP/WAMP, VirtualBox etc.)
 Go to www.virtualbox.org
 Once the home page is open, click the Downloads button on the left side of the
screen

Figure2. VirtualBox webpage

 Under VirtualBox binaries, choose the package for the host operating system you
are using. Because I use Windows, I will choose Windows hosts. The web page
provides the latest version available on the day of download.


Figure3. VirtualBox webpage

 Once the download is complete, launch the downloaded file to start the
installation and follow the required steps.

Figure4. Download VirtualBox

Figure4.1. VirtualBox Installation


Figure4.2. VirtualBox Installation

Figure4.3. VirtualBox Installation

Figure4.4. VirtualBox Installation


Figure4.5. VirtualBox Installation

Figure4.6. VirtualBox Installation

 Once the installation is complete, press Finish and VirtualBox will open.


Figure5. VirtualBox Machine

 Click the Start button to open the VirtualBox application window. Click Change
Network Settings to set Bridged Adapter.

Figure6. Possible error when VirtualBox runs

 When the process is complete, we have to set up a username and password; for
this project we will use:


Figure7. VirtualBox main screen

2.2. Configuration details of the environment setup XAMPP/WAMP

Figure8. XAMPP download


Figure8.1. XAMPP download

Figure8.2. XAMPP download


Figure9. XAMPP installation

Figure9.1. XAMPP installation


Figure9.2. XAMPP installation

Figure9.3. XAMPP installation


Figure9.4. XAMPP installation

Figure9.5. XAMPP installation


Figure9.6. XAMPP installation

Figure9.10. XAMPP installation


Figure9.11. XAMPP installation

2.3. Web/application and back-end database

Figure10. Back-end database illustration


Figure11. Launch XAMPP application

Figure12. Start running MySQL Database


Figure13. Launching 127.0.0.1 to test XAMPP

Figure14. Launching localhost to check XAMPP

2.3.1. Mutillidae Installation


Go to the following address http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10%20 and download the Mutillidae ZIP folder.


Figure15. Download mutillidae

Figure16. Unzip Mutillidae folder


Next, copy the unzipped folder into the XAMPP folder at /htdocs/


Figure17. Mutillidae installation

In the browser, open localhost/mutillidae/ and the application will open

Figure18. Launching localhost/mutillidae web site


Figure19. Page screen for user Lookup (SQL)

3. Web Application Security Testing


3.1. Nmap scanning
To install Nmap in the VirtualBox VM, open www.nmap.org in the browser.


Figure20. Nmap download

Figure21. Nmap download

To start Nmap, open a terminal, enter sudo nmap, press Enter and type the password
(cybercops). Run with no arguments, Nmap prints all the options available, which can
be used for the different methods of scanning.


Figure22. Nmap options for scanning

Figure. Nmap example for scanning


The example section shows what a basic Nmap run looks like: the nmap command
followed by the options -v -A. -v increases verbosity, so Nmap prints more detail
about the scan as it runs; -A enables OS detection, version detection, script
scanning and traceroute. Before scanning anything else, note that the Nmap project
provides a free test host, scanme.nmap.org, which you have permission to scan;
scanning any other host requires the owner's authorisation.

Figure23. Nmap website for scanning

Second example: nmap -v -sn 192.168.0.0/16 10.0.0.0/8 performs a ping scan (host
discovery only, no port scan) across the two private address ranges and lists the
hosts that respond.

Figure24. Result for scanning an IP address


 Scanning Open Ports


To scan open ports, open the terminal and enter nmap -A -T4 localhost. The scan
takes from a few seconds to a few minutes, depending on your local network and
device.

Figure25. Result for scanning open ports


From the picture above it can be noticed that we have only one open port.

 Scan your network


Enter ifconfig in the terminal to determine the IP address and the subnet mask of
this host. In the following example the IP address is 127.0.0.1 and the subnet mask is
255.0.0.0; this is the loopback interface, which only reaches the local machine, so for
a LAN scan the address of the bridged adapter should be used instead.


Figure26. Ifconfig command


Enter nmap -A -T4 network-address/prefix to locate the hosts on the LAN. The
network address is obtained by setting the host bits of the IP address to zero; with
the mask 255.0.0.0 the host part is the last three octets, so the network address is
127.0.0.0, and the /8 prefix is the CIDR form of the netmask 255.0.0.0.

Figure27. nmap -A -T4 command
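
The network-address calculation above, and the reading of the scan output that follows it, as an added Python example (not part of the report, which drives the tools interactively). The ifconfig output and the Nmap grepable (-oG) output embedded in it are constructed samples, and the interface name and addresses are assumptions; the parsing relies on the documented -oG field order port/state/proto/owner/service/rpc/version. It zeroes the host bits of an address and mask to get the CIDR form Nmap takes, skips the loopback interface, builds the report's -A -T4 command, and lists only the ports Nmap reports as open:

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ifconfig` output (net-tools style) for a VM with a bridged
# adapter plus the loopback interface. Not taken from the report's figures.
SAMPLE_IFCONFIG = """\
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.101  netmask 255.255.255.0  broadcast 192.168.56.255
        ether 08:00:27:4b:1e:aa  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
"""

# Constructed sample of Nmap grepable output, the format written by
# `nmap -A -T4 -oG scan.gnmap <target>`.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -A -T4 -oG scan.gnmap 192.168.56.0/24
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//Apache httpd 2.4.38/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
# Nmap done -- 256 IP addresses (1 host up) scanned in 12.40 seconds
"""

# Matches both "inet 10.0.2.15  netmask 255.255.255.0" and "inet addr:10.0.2.15 ... Mask:255.255.255.0".
_INET_RE = re.compile(
    r"inet\s+(?:addr:)?(\d+\.\d+\.\d+\.\d+).*?(?:netmask|Mask:)\s*(\d+\.\d+\.\d+\.\d+)"
)


def interfaces(ifconfig_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, ipv4, netmask) for every interface with an IPv4 address."""
    found, name = [], None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():      # unindented line = interface header
            name = line.split()[0].rstrip(":")
        m = _INET_RE.search(line)
        if m and name:
            found.append((name, m.group(1), m.group(2)))
    return found


def network_for(ip: str, netmask: str) -> str:
    """Zero the host bits: 127.0.0.1 with 255.0.0.0 -> '127.0.0.0/8', the form nmap takes."""
    return str(ipaddress.ip_interface(f"{ip}/{netmask}").network)


def scan_targets(ifconfig_text: str) -> List[str]:
    """CIDR targets for a LAN scan, skipping loopback (127.0.0.0/8 only reaches this host)."""
    targets = []
    for _, ip, mask in interfaces(ifconfig_text):
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        if not iface.ip.is_loopback:
            targets.append(str(iface.network))
    return targets


def nmap_command(targets: List[str], out_file: str = "scan.gnmap") -> List[str]:
    """Argument list for subprocess.run: the report's -A -T4 scan with grepable output."""
    return ["nmap", "-A", "-T4", "-oG", out_file, *targets]


def open_ports(gnmap_text: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Open ports per host from -oG output as (port, proto, service, version).
    Each Ports entry is port/state/proto/owner/service/rpc/version/; only 'open' is kept."""
    result: Dict[str, List[Tuple[int, str, str, str]]] = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 7 and parts[1] == "open":
                result.setdefault(host, []).append((int(parts[0]), parts[2], parts[4], parts[6]))
    return result


if __name__ == "__main__":
    print("network for 127.0.0.1/255.0.0.0:", network_for("127.0.0.1", "255.0.0.0"))
    targets = scan_targets(SAMPLE_IFCONFIG)
    print("command:", " ".join(nmap_command(targets)))
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        for port, proto, service, version in ports:
            print(f"{host} {port}/{proto} {service} {version}")
```

Filtered and closed ports are deliberately dropped: a filtered port tells you a firewall sits in the path, not that a service is reachable, and treating it as a finding inflates the attack surface.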

 Scan a remote server


Enter nmap -A -T4 scanme.nmap.org in the terminal screen.


Figure28. nmap -A -T4 command

It can be noticed that the scan of scanme.nmap.org completed in 53.34 seconds; the
output reports 256 IP addresses and identifies the operating system as Linux. This is
how exposed ports are found: running Nmap against a target system reveals its open
ports and the services behind them, and from that the weaknesses can be looked up
and exploitation planned, provided the scan is authorised.

3.2. Wireshark Sniffing


To run Wireshark we have two options: launch it from the terminal with sudo
wireshark-gtk, or start it from the CyberOps Workstation VM menu: Applications →
CyberOPS → Wireshark.

Figure29. Launching Wireshark

Figure30. Wireshark network screen

Open the SQL_Lab.pcap file, located in lab.support.files under /home/analyst:


Figure31. Source of lab.support.files

Figure32. Open lab.support.files

In Wireshark I will choose line 16 to follow because it contains an HTTP request.


Figure33. HTTP Request.

Source traffic is shown in red; blue is the destination device responding back to
the source:

Figure34. HTTP Stream


I will enter the query (1' or 1=1 union select database(), user() #) into the User ID
lookup box on the target 10.0.2.15; as a result, we receive an error message indicating
a failed lookup:

Figure35. HTTP Stream


3.3. SQL Injection using SQLMAP


One of the most widespread and critical vulnerabilities in enterprise security is
SQL injection. SQLmap is the popular tool that helps penetration testers
automatically detect and exploit SQL injection flaws.
To install SQLmap:
1. Open a browser, go to www.sqlmap.org and download the zip folder.
2. Unzip the folder and install the program.

Figure36. Launching SQLMap


The simplest injection command is sqlmap.py -u <URL to inject>


Opening Mutillidae on localhost, I copy the URL I will use for the injection; testing
my own local installation keeps the injection legal.

Figure37. Localhost URL for mutillidae

Testing Localhost mutillidae

Figure38. Insert command in VirtualBox for testing mutillidae URL


Figure39. Result mutillidae URL

Scan database

To obtain the names of the available databases we use the command:

Figure40. Insert command in VirtualBox for testing mutillidae databases

In the following picture it can be noticed that the scan found 6 databases:

Figure41. Result for testing mutillidae URL


Scan table

To specify the wanted database use -D, and tell SQLmap to list its tables with the
--tables option:

Figure42. Insert command in VirtualBox to list the tables

Figure43. Result for mutillidae tables


In Figure 43 SQLmap found 13 tables in the MariaDB back end; in the next step I will
try to read one of the tables. As before, I will use -D for the database, -T for the table
and --dump for the data:


Scan database table entries

Figure44. Insert command in VirtualBox to open a table

Figure45. Result for table credit card


Dumping the table credit_card from the mutillidae database, we obtained 5 cards with
their details.
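
The payload submitted in the Wireshark section and the sqlmap steps above rest on the same flaw, so one added Python example (not from the report, Mutillidae or sqlmap) covers both. It stands in SQLite for the MariaDB back end, with constructed sample rows; sqlite_version() replaces MySQL's database()/user(), and -- replaces the # comment marker, which SQLite does not support. It shows the vulnerable lookup beside the parameterised fix, the column-count error the report's UNION payload produces, and a boolean-based blind extraction loop of the kind sqlmap automates when it dumps a table:

```python
import sqlite3
import string
from typing import List, Tuple, Union


def build_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MariaDB back end, seeded with constructed rows
    shaped like the test application's accounts and credit_cards tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("admin", "adminpass", "Site admin"),
        ("alice", "wonderland", "Hello"),
        ("bob", "builder", "Can we fix it"),
    ])
    conn.execute("CREATE TABLE credit_cards (ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT)")
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?, ?, ?)", [
        (1, "4111111111111111", "123", "2022-08"),   # industry test numbers, not real cards
        (2, "5500000000000004", "456", "2023-01"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # The flaw: the request parameter is spliced into the SQL text, so a quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # The fix: a bound parameter is sent as data and is never parsed as SQL.
    sql = "SELECT username, password, signature FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def union_attempt(conn: sqlite3.Connection) -> Union[List[Tuple], str]:
    # The report's payload with SQLite stand-ins. The page selects three columns but
    # the UNION supplies two, so the database rejects the statement with an error
    # instead of returning rows.
    payload = "1' or 1=1 union select sqlite_version(), 'x' -- "
    try:
        return lookup_vulnerable(conn, payload)
    except sqlite3.OperationalError as exc:
        return str(exc)


CHARSET = string.ascii_lowercase + string.digits + string.ascii_uppercase + "_-. "


def blind_extract(conn: sqlite3.Connection, subquery: str, max_len: int = 40) -> str:
    """Boolean-based blind extraction, the technique sqlmap automates when it dumps
    a table: the page never displays the result of `subquery`, but it returns rows
    only when the injected condition is true, and one bit per request is enough to
    read the value one character at a time."""
    def oracle(condition: str) -> bool:
        return len(lookup_vulnerable(conn, f"1' OR ({condition}) -- ")) > 0

    value = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({subquery})) >= {pos}"):
            break                                   # past the end of the value
        for ch in CHARSET:
            if oracle(f"substr(({subquery}), {pos}, 1) = '{ch}'"):
                value += ch
                break
        else:
            value += "?"                            # character outside CHARSET
    return value


if __name__ == "__main__":
    db = build_db()
    print("bypass rows:", lookup_vulnerable(db, "1' or 1=1 -- "))
    print("same input, parameterised:", lookup_safe(db, "1' or 1=1 -- "))
    print("union attempt:", union_attempt(db))
    print("first table:", blind_extract(db, "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"))
    print("first card:", blind_extract(db, "SELECT ccnumber FROM credit_cards ORDER BY ccid LIMIT 1"))
```

The extraction loop is the point of the example: even when the application only ever answers "rows" or "no rows", the whole credit_cards table is readable, which is why an error message on the lookup page is not evidence that the injection failed.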


4. Design and Implement a web security model

4.1. Firewall
A firewall is designed to prevent unauthorised access to a private network: it
creates a security barrier between the public internet and the private network,
because attackers and malicious traffic will always try to reach the private network.
The firewall is the principal component that blocks them and is essential for large
organisations with many workstations and servers, which cannot afford an attacker
taking over the whole organisation. A firewall works by filtering incoming network
traffic against a set of rules, an access control list (ACL), that allow or deny each
connection.

Figure46. Firewall code setup


4.2. IDS/IPS
These two systems, intrusion detection (IDS) and intrusion prevention (IPS), are
part of the network infrastructure. Both compare network packets against a
database of known cyberattack signatures and flag any packet that matches.

Figure47. IDS vs IPS (source: www.varonis.com )

An intrusion detection system (IDS) is essentially a dedicated security component
that aims to protect vulnerable computing systems. The main tasks of an IDS are to
collect data from a system, analyse that data to discover security-relevant events,
and present the results of the analysis to the system administrator.
An IPS is built to react to suspicious activity by shutting down the connection or by
reprogramming the firewall to stop any further traffic from the suspected malicious
source. This can be done on an operator's command or automatically.
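
An added Python example (not from the report) that puts the two components just described together: an ACL packet filter with first-match, default-deny rules, followed by signature inspection that either alerts (IDS) or drops (IPS). The rules, signatures and traffic samples are constructed; the SQL injection signature reuses the tautology pattern from the report's own testing. Note the URL decoding before matching: the web server decodes percent-encoding, so an inspector that does not would miss the attack.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    proto: str         # "tcp" or "udp"
    dport: int
    payload: str = ""  # application data (an HTTP request line here)


@dataclass
class AclRule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port


def acl_decision(rules: List[AclRule], pkt: Packet) -> str:
    """Stateless packet filter: ordered rules, first match wins, implicit deny at the end."""
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"


# Constructed signature set; the first two describe the attack used in section 3.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("sqli-union", re.compile(r"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def inspect(pkt: Packet) -> List[str]:
    """Signature match over the URL-decoded payload. Matching the raw bytes would miss
    '%27%20or%201%3D1' even though the web server decodes it to the same query."""
    data = unquote(pkt.payload)
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


def process(rules: List[AclRule], pkt: Packet, mode: str = "ids") -> Tuple[str, List[str]]:
    """Run a packet through the layered model and return (disposition, alerts).
    mode 'ids': matching packets are flagged but still forwarded; mode 'ips': dropped."""
    if acl_decision(rules, pkt) == "deny":
        return "dropped-by-firewall", []
    alerts = inspect(pkt)
    if alerts and mode == "ips":
        return "dropped-by-ips", alerts
    return "forwarded", alerts


# Constructed policy for the lab VM: the web app is public, SSH only from the lab LAN.
LAB_RULES = [
    AclRule("allow", proto="tcp", dport=80),
    AclRule("allow", proto="tcp", src="192.168.56.0/24", dport=22),
]

# Constructed traffic samples.
SQLI_REQUEST = Packet("203.0.113.5", "tcp", 80,
    "GET /mutillidae/index.php?page=user-info.php&username=1%27%20or%201%3D1%20--%20 HTTP/1.1")
NORMAL_REQUEST = Packet("198.51.100.7", "tcp", 80, "GET /mutillidae/index.php HTTP/1.1")
OUTSIDE_SSH = Packet("203.0.113.5", "tcp", 22)
LAB_SSH = Packet("192.168.56.10", "tcp", 22)

if __name__ == "__main__":
    for pkt in (SQLI_REQUEST, NORMAL_REQUEST, OUTSIDE_SSH, LAB_SSH):
        for mode in ("ids", "ips"):
            print(mode, pkt.src, pkt.dport, process(LAB_RULES, pkt, mode))
```

The firewall never sees the injection: port 80 is legitimately open, so the ACL forwards the request and only the payload inspection catches it. That division of labour is why the report's model needs both layers.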


4.3. Antivirus

Antivirus software protects applications and documents from infection. Usually
running as a background process, it scans computers, servers or mobile devices to
detect and restrict the spread of malware. Antivirus programs include real-time threat
detection and protection, regularly scanning device files and looking for potential
risks.

Figure48. Codes to install Sophos Anti-Virus


4.4. Encryption
Encryption is the process of encoding a message so that its meaning is not
obvious. The first step of encryption is to create a new key. When encrypting data, it is
highly recommended to use a different key for each piece of data; the Ionic SDK
makes creating new keys simple, with a single line of code. The second step is
initialising the AES cipher, which requires a key; in this example the newly created
key is used. Once the cipher is initialised, encryption is simply a matter of calling
encrypt. After the data has been encrypted, it is typically encoded into a payload that
includes both the ciphertext and the key ID. The recipient of the data must have the
key ID, or an external ID, in order to request the correct key from the Ionic platform,
so before encrypted data can be stored or transmitted it must be packaged with the
keyId. Keeping the ciphertext and the keyId together is critical: without the keyId it
would be impossible to determine which key is needed to decrypt the data.

Figure49. Example for Encryption
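
The four steps described above, as an added Python example. It is not the Ionic SDK or the code in the report's figure: the key service is a constructed stand-in for the key platform, and the block assumes the cryptography package is installed for AES-GCM. Per-item keys, an envelope carrying the keyId, and decryption that looks the key up by that ID follow the text; binding the keyId as associated data is an addition so that an envelope cannot be re-pointed at another key.

```python
import base64
import json
import secrets
from typing import Dict, Tuple

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class KeyService:
    """Stand-in for the key platform the section describes: hands out a fresh key for
    each piece of data and returns it later by keyId. Constructed for this example."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create_key(self) -> Tuple[str, bytes]:
        key_id = "k-" + secrets.token_hex(8)
        key = AESGCM.generate_key(bit_length=256)
        self._keys[key_id] = key
        return key_id, key

    def get_key(self, key_id: str) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"unknown keyId {key_id!r}: cannot decrypt")
        return self._keys[key_id]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def encrypt(service: KeyService, plaintext: bytes) -> str:
    # Step 1: a new key for this piece of data.
    key_id, key = service.create_key()
    # Steps 2 and 3: initialise AES (GCM mode, so the ciphertext is integrity-protected)
    # and encrypt. The 96-bit nonce must never repeat under one key; a fresh key per item
    # plus a random nonce keeps that guarantee trivially.
    nonce = secrets.token_bytes(12)
    # The keyId is bound as associated data so the envelope's keyId cannot be swapped.
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, key_id.encode())
    # Step 4: package ciphertext with the keyId; without it the recipient cannot ask the
    # key service for the right key.
    return json.dumps({"keyId": key_id, "nonce": _b64(nonce), "ciphertext": _b64(ciphertext)})


def decrypt(service: KeyService, envelope: str) -> bytes:
    env = json.loads(envelope)
    key = service.get_key(env["keyId"])            # the keyId is what makes this lookup possible
    return AESGCM(key).decrypt(
        base64.b64decode(env["nonce"]),
        base64.b64decode(env["ciphertext"]),
        env["keyId"].encode(),
    )


def roundtrip_uses_distinct_keys(service: KeyService) -> bool:
    """Two encryptions of the same message must get different keyIds and both decrypt."""
    a = encrypt(service, b"card 4111111111111111")
    b = encrypt(service, b"card 4111111111111111")
    both_ok = decrypt(service, a) == decrypt(service, b) == b"card 4111111111111111"
    return both_ok and json.loads(a)["keyId"] != json.loads(b)["keyId"]


def tamper_is_detected(service: KeyService) -> bool:
    """Flipping a ciphertext byte or pointing the envelope at another key must fail."""
    env = json.loads(encrypt(service, b"secret"))
    raw = bytearray(base64.b64decode(env["ciphertext"]))
    raw[0] ^= 0x01
    try:
        decrypt(service, json.dumps(dict(env, ciphertext=_b64(bytes(raw)))))
        return False
    except InvalidTag:
        pass
    other_id, _ = service.create_key()
    try:
        decrypt(service, json.dumps(dict(env, keyId=other_id)))
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    svc = KeyService()
    envelope = encrypt(svc, b"hello, keyId envelope")
    print(envelope)
    print(decrypt(svc, envelope))
    print("distinct keys:", roundtrip_uses_distinct_keys(svc))
    print("tamper detected:", tamper_is_detected(svc))
```

An envelope whose keyId is unknown to the key service raises KeyError before any decryption is attempted, which is the failure mode the text warns about when ciphertext and keyId are stored apart.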


5. Referencing and Bibliography

Bryan Sullivan, V. L. (2011). Web Application Security, A Beginner's Guide. McGraw Hill Professional.

Carlos Serrao, V. A. (2010). Web Application Security: Iberic Web Application Security Conference, IBWAS
2009, Madrid, Spain, December 10-11, 2009. Revised Selected Papers. Springer.

Clarke-Salt, J. (2009). SQL Injection Attacks and Defense. Syngress.

Cross, M. (2007). Developer's Guide to Web Application Security. Syngress Publishing.

Dafydd Stuttard, M. P. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security
Flaws. John Wiley & Sons.

Hoffman, A. (2020). Web Application Security: Exploitation and Countermeasures for Modern Web
Applications. O'Reilly Media, Incorporated.

Joel Scambray, M. S. (2006). Hacking Exposed Web App. McGraw-Hill Education (India) Pvt Limited.

Joel Scambray, V. L. (2010). Hacking Exposed Web Applications, Third Edition. McGraw Hill Professional.

Khawaja, G. (2018). Practical Web Penetration Testing: Secure web applications using Burp Suite, Nmap,
Metasploit, and more. Packt Publishing Ltd.

Kim, P. (2018). The Hacker Playbook 3: Practical Guide to Penetration Testing. Independently Published.

Lepofsky, R. (2014). The Manager's Guide to Web Application Security: A Concise Guide to the Weaker
Side of the Web. Apress.

Prasad, P. (2016). Mastering Modern Web Penetration Testing. Packt Publishing Ltd.

Shema, M. (2010). Seven Deadliest Web Application Attacks. Syngress.

Splaine, S. (2002). Testing Web Security: Assessing the Security of Web Sites and Applications. Wiley.

Varonis. (n.d.). IDS vs. IPS. Retrieved from https://www.varonis.com/blog/ids-vs-ips/

Vittie, L. M. (2015). Web Application Security is a Stack: How to CYA. IT Governance Ltd.

Zalewski, M. (2011). The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press.

