SCSV Lab Manual 2023

Uploaded by

shivam

Secure Coding and Software Vulnerability
Lab Manual
Department of Computer Science and Engineering
The NorthCap University, Gurugram

Secure Coding and Software Vulnerability


Lab Manual
CSL283

Dr. Mehak Khurana

Department of Computer Science and Engineering

NorthCap University, Gurugram- 122001, India

Session 2021-2022

Published by:

School of Engineering and Technology

Department of Computer Science & Engineering

The NorthCap University Gurugram

• Laboratory Manual is for Internal Circulation only

© Copyright Reserved

No part of this Practical Record Book may be reproduced, used, stored without prior permission of The NorthCap University

Copying or facilitating copying of lab work comes under cheating and is considered as use of
unfair means. Students indulging in copying or facilitating copying shall be awarded zero marks
for that particular experiment. Frequent cases of copying may lead to disciplinary action.
Attendance in lab classes is mandatory.

Labs are open up to 7 PM upon request. Students are encouraged to make full use of labs beyond
normal lab hours.

PREFACE

Secure Coding and Software Vulnerability Lab Manual is designed to meet the course and
program requirements of the NCU curriculum for B.Tech III semester students of the CSE Cyber
Security Specialization. The concept of the lab work is to give students brief practical
experience of basic lab skills. It provides the space and scope for self-study so that students can
come up with new and creative ideas.

The Lab manual is written on the basis of the “teach yourself pattern”, and it is expected that
students who come with proper preparation should be able to perform the experiments without any
difficulty. A brief introduction to each experiment, with information about self-study material, is
provided.
The Laboratory includes common software vulnerabilities and how to find them, as well as how
the vulnerabilities can be exploited using reverse engineering & its tools. It also includes how
a buffer overflow attack happens and how attackers utilize it to gain access to the vulnerable
system. Finally, at the end, the popular web SQL injection attack and its common defense are
implemented. At the start of each experiment a question bank for preparation and practice is
suggested, which may be used to test the basic understanding of the students about the
experiment. Students are expected to come thoroughly prepared for the lab. General disciplines,
safety guidelines and report writing are also discussed.

The lab manual is a part of the curriculum for The NorthCap University, Gurugram. The teacher’s
copy of the experimental results and answers to the questions are available as sample guidelines.

We hope that lab manual would be useful to students of CSE, IT, ECE and BSc branches and
author requests the readers to kindly forward their suggestions / constructive criticism for further
improvement of the workbook.

Author expresses deep gratitude to Members, Governing Body-NCU for encouragement and
motivation.

Authors
The NorthCap University
Gurugram, India

CONTENTS

S.N. Details

Syllabus
1 Introduction
2 Lab Requirement
3 General Instructions
4 List of Experiments
8 Annexure 1 (Format of Lab Report)
9 Annexure 2 (Format of Lab Certificate)


COURSE TEMPLATE

1. Department: Department of Computer Science and Engineering

2. Course Name: Secure Coding and Vulnerabilities
3. Course Code: CSL283
4. L-T-P: 2-0-4
5. Credits: 4

6. Type of Course (Check one): Programme Core, Programme Elective, Open Elective

7. Pre-requisite(s), if any: Any programming Language

8. Frequency of offering (check one): Odd, Even, Either semester, Every semester

9. Brief Syllabus:
This course deals with security architecture elements within modern object-oriented programming
languages that create the framework for secure programming. This course would cover the design
and implementation of secure systems. Coding Standards, best practices, guidelines and style will
further enhance the ability to develop secure code. This course includes common software
vulnerabilities and how to find them, as well as how the vulnerabilities can be exploited using
reverse engineering & its tools. It also includes how buffer overflow attack happens and how
attackers utilize it to gain access to the vulnerable system. Finally, at the end, the popular web SQL
injection attack and its common defense are implemented.
Total lecture, Tutorial and Practical Hours for this course (Take 15 teaching weeks per
semester): 90
Lectures: 30 hours
Practice: Tutorials: 15 hours, Lab Work: 45 hours
10. Course Outcomes (COs)
Possible usefulness of this course after its completion i.e. how this course will be practically
useful to him once it is completed
CO 1: Understand the need for secure coding and follow fundamental secure coding guidelines.
CO 2: Describe and compare software engineering practices and apply reverse engineering on
vulnerable software.
CO 3: Develop skills to find the low-level vulnerabilities in software application and exploit
these vulnerabilities using buffer overflow attack.
CO 4: Identify the vulnerabilities of database in the web application and fix these
vulnerabilities.
11. UNIT WISE DETAILS No. of Units: 4

Unit Number: 1 Title: Introduction Computer Security and Software Security No. of hours: 5
Content Summary:
Introduction Computer Security and Software Security, Defects & vulnerabilities, Trinity of Trouble,
Black hat and white hat hackers, Low level vulnerabilities, Security for world wide web: top 10
OWASP vulnerabilities, Penetration testing, Vulnerability cycle.
Unit Number: 2 Title: Exposing Software Vulnerabilities using Reverse Engineering No. of hours: 10
Content Summary:
Problems in software, Designing and building Secure Software, Applied Risk Management, Software
Security Touchpoints: seven touchpoints, Reverse Engineering and its tools (ollydbg), Reverse
Engineering through algorithm, Reverse engineering through File Manipulation
Unit Number: 3 Title: Low Level Security No. of hours: 10
Content Summary:
Buffer Overflow attack, Buffer overflow using immunity debugger, Introduction to Memory layout,
Memory attack, Heap overflow, Integer overflow, Defence against low level attacks.
Unit Number: 4 Title: Security for the web No. of hours: 5
Content Summary:
Introduction to SQL injection, Different methods of SQL injection, manual SQLi and SQL injection
countermeasures, secure code using prepared statements

12. Brief Description of Self-learning components by students (through books/resource material etc.):

Supplementary MOOC Courses
https://www.coursera.org/specializations/secure-coding-practices
https://www.linkedin.com/learning/secure-coding-in-python

Testing methodologies
http://packetstormsecurity.nl/programming-tutorials/
http://irccrew.org/~cras/security/c-guide.html
http://www.dwheeler.com/secure-programs/
www.securecoding.org/

Best practices of secure coding in C/C++/Python/PHP
https://wiki.sei.cmu.edu/confluence/display/seccode/Top10SecureCodingPractices
http://www.isecom.org/ (formerly www.Ideahamster.org/)
https://www.classcentral.com/course/secure-coding-principles-14478

GATE/NET/other PSU Exams
https://www.sanfoundry.com/cyber-security-questions-answers-test/
https://www.sanfoundry.com/cyber-security-questions-answers-bugs-vulnerabilities/

13. Advance Learning Components

Advance project and material
https://github.com/trendmicro/SecureCodingDojo
https://www.coursera.org/learn/identifying-security-vulnerabilities-c-programming

Certification courses/programs for Skill Development
https://www.infosecacademy.io/training/secure-coding.html
https://binsec-academy.com/en/courses/secure-coding-training-web/
https://www.sei.cmu.edu/education-outreach/courses/course.cfm?coursecode=V35

Motivational Project ideas (To be deployed on any Cloud Platform):
1. Caesar Cipher
2. Hash Function
3. Packet Sniffer
4. https://potatopirates.game/blogs/cybersecurity/5-cybersecurity-projects-for-beginners

14. Books Recommended :

Text Books:
1. Gray R., "Software Security, Building Security In", Addison-Wesley Software Security, 2nd
Edition, 2006
2. Dafydd Stuttard, Marcus Pinto, "The Web Application Hacker's Handbook", Wiley Publishing,
2nd Edition, 2011
Reference Books:
1. Kenneth van Wyk, Mark Graff, “Secure Coding: Principles and Practices”, O'Reilly Media 2nd
Edition, 2003

2. Robert C. Seacord, "Secure Coding in C and C++ ", SEI Series in Software Engineering, 2nd
Edition, 2013

3. Michael Howard, David LeBlanc, "Writing Secure Code", 2nd Edition, 2003

Reference Websites: (nptel, swayam, coursera, edx, udemy, lms, official documentation
weblink)
• https://nptel.ac.in/noc/individual_course.php?id=noc19-cs29
• https://www.cybrary.it/course/cryptography/
• https://nptel.ac.in/courses/106106199/
• https://www.cybrary.it/course/secure-coding/

eBooks:
secure coding in JAVA

Interview/Placement related Commonly asked Questions:
• https://medium.com/set1-interview-questions
• https://www.sanfoundry.com/cyber-security-questions-answers-buffer-overflow-1/

1. INTRODUCTION

That ‘learning is a continuous process’ cannot be overemphasized. The theoretical
knowledge gained during lecture sessions needs to be strengthened through practical
experimentation. Thus, practical work is an integral part of the learning process.

The purpose of conducting experiments can be stated as follows:

• To familiarize the students with the basic concepts of secure programming. The
take-home laboratory assignments are mainly implementation-oriented and include
threats, mitigation and detection techniques. The lab sessions will be based on
exploring the concepts discussed in class.
• Observing security problems in software programs
• Reporting and analysing the security threats and exploits in programs.
• Hands-on experience of mitigation techniques

2. LAB REQUIREMENTS

Requirements: Details
Software Requirements: Virtual Machine, OllyDbg, Immunity Debugger
Operating System: Kali Linux, Windows XP, Windows 10
Hardware Requirements: Windows and Linux: Intel 64/32 or AMD Athlon 64/32, or AMD Opteron processor; 16 GB RAM; 256 GB hard disk space
Required Bandwidth: NA

3. GENERAL INSTRUCTIONS

3.1 General discipline in the lab

• Students must turn up in time and contact concerned faculty for the experiment they
are supposed to perform.
• Students will not be allowed to enter late in the lab.
• Students will not leave the class till the period is over.
• Students should come prepared for their experiment.
• Experimental results should be entered in the lab report format and certified/signed
by concerned faculty/ lab Instructor.
• Students must get the connection of the hardware setup verified before switching on
the power supply.
• Students should maintain silence while performing the experiments. If any necessity
arises for discussion amongst them, they should discuss with a very low pitch
without disturbing the adjacent groups.
• Violating the above code of conduct may attract disciplinary action.
• Damaging lab equipment or removing any component from the lab may invite
penalties and strict disciplinary action.

3.2 Attendance

• Attendance in the lab class is compulsory.
• Students should not attend a different lab group/section other than the one assigned
at the beginning of the session.
• On account of illness or some family problems, if a student misses his/her lab
classes, he/she may be assigned a different group to make up the losses in
consultation with the concerned faculty / lab instructor. Or he/she may work in the
lab during spare/extra hours to complete the experiment. No attendance will be
granted for such case.

3.3 Preparation and Performance

• Students should come to the lab thoroughly prepared on the experiments they are
assigned to perform on that day. Brief introduction to each experiment with
information about self study reference is provided on LMS.
• Students must bring the lab report during each practical class with written records
of the last experiments performed complete in all respect.
• Each student is required to write a complete report of the experiment he has
performed and bring to lab class for evaluation in the next working lab. Sufficient
space in work book is provided for independent writing of theory, observation,
calculation and conclusion.
• Students should follow the Zero tolerance policy for copying / plagiarism. Zero
marks will be awarded if found copied. If caught further, it will lead to disciplinary
action.
• Refer Annexure 1 for Lab Report Format

4. LIST OF EXPERIMENTS

S.No. | List of Experiments | Software Used | Unit Covered | CO Covered | Time Required
1. | Prepare a report on various vulnerabilities. Report Latest Vulnerabilities | Software Based | 1 | CO1 | 1 hrs
2. | (i) Prepare a detailed report on Software Development Life cycle. (ii) Explain and compare different SDLC models (waterfall, Incremental, Spiral, RAD, Iterative) (iii) Explain Agile and DevOps Methodology | Software Based | 1 | CO1 | 2 hrs
3. | Write a program in C/C++ using string functions to compare two strings | Dev C++ | 1 | CO1 | 2 hrs
4. | Find the non-compliant codes in C/C++ or Java and write the compliant codes for the same with its vulnerability and mitigation | Dev C++ | 1 | CO1 | 2 hrs
5. | Prepare a report on the Security Tools used for Security analysis of Codes (Static and Dynamic Tool) | Software Based | 1 | CO1 | 4 hrs
6. | Explain Structure of RAM and stack | Software Based | 1 | CO1 | 2 hrs
7. | Write a C code to find the size of the memory varies in text, data and BSS of RAM. | Software Based | 1 | CO1 | 2 hrs
8. | Installation of Olly Debugger. Write a custom C program to check valid purchased key for a software. Write a C program and find addresses using Olly Debugger | Olly Debugger | 2 | CO2 | 5 hrs
9. | Follow the process of reverse engineering to make a crack of Power ISO | Olly Debugger | 2 | CO2 | 2 hrs
10. | (i) Write a program to check whether the hash at sender and receivers end is same. (ii) Use HashCat and Md5sum to check hash of document (iii) Write different messages by changing different characters and by adding spaces and find its hash using miraclesalad.com | miraclesalad.com/Kali Linux | 2 | CO2 | 2 hrs
11. | Follow the process of reverse engineering using File manipulation to make a crack of SMAC 2.0 | Olly Debugger | 2 | CO2 | 2 hrs
12. | Write a program in C/C++ to show problem in Buffer Overflow | Dev C++ | 3 | CO3 | 2 hrs
13. | Write a program in C/C++ to show without problem of buffer Overflow | Dev C++ | 3 | CO3 | 2 hrs
14. | Installation of Virtual Machine and Kali Linux and Perform Attack on SLmail application. Install the vulnerable app and exploit on Windows XP | Kali Linux | 3 | CO3 | 6 hrs
15. | Write a program in C/C++ to show problem in Stack Overflow | Dev C++ | 3 | CO3 | 2 hrs
16. | Write a program in C/C++ to show without problem of buffer Overflow | Dev C++ | 3 | CO3 | 2 hrs
17. | Write a program to solve the integer Overflow | Dev C++ | 3 | CO3 | 2 hrs
18. | Perform SQL injection on real website | Software Based | 4 | CO4 | 2 hrs

1. LIST OF PROJECTS

1. Reverse engineering on real time Software


2. Buffer Overflow attack on Pac Man

2. RUBRICS

Marks Distribution

Continuous Evaluation (50 Marks)
Each experiment shall be evaluated for 10 marks and at the end of the semester
proportional marks shall be awarded out of 50.
Following is the breakup of 10 marks for each:
4 Marks: Observation & conduct of experiment. Teacher may ask questions about
experiment.
3 Marks: For report writing
3 Marks: For the 15 minutes quiz to be conducted in every lab.

End Semester Exam (20 Marks)
End semester practical evaluation including carries 20 marks.

Annexure 1

Secure Coding and Software Vulnerability
(CSL 283)

Lab Practical Report

Faculty name: Student name:

Roll No.:

Semester:

Group:

Department of Computer Science and Engineering

The NorthCap University, Gurugram- 122001, India

Session 2021-2022
INDEX
S.No | Experiment | Page No. | Date of Experiment | Date of Submission | Marks | CO Covered | Signature

Experiment No. 1

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the secure coding Concepts

Program Outcome
• The students will understand the concepts of vulnerabilities and coding securely

Problem Statement
Prepare a report on software vulnerabilities and the types of software vulnerabilities. Name at least 3 latest
software vulnerabilities.

Background Study:

A software vulnerability is a defect in software that could allow an attacker to gain control of a
system. These defects can be because of the way the software is designed, or because of a flaw in
the way that it’s coded.

What Can Cause a Software Vulnerability?

There are two main things that can cause a software
vulnerability. A flaw in the program’s design, such as in the login function, could introduce a
vulnerability. But, even if the design is perfect, there could still be a vulnerability if there’s a mistake
in the program source code.

Coding errors could introduce several types of vulnerabilities, which include the following:

Buffer overflows – These allow someone to put more data into an input field than what the field is supposed
to allow. An attacker can take advantage of this by placing malicious commands into the overflow
portion of the data field, which would then execute.

Questions

Q1. What is secure coding?

Q2. Which phase of software development life cycle needs to be made secure?

Q3. What is Static and Dynamic analysis of code? What are the different tools

Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No. 2

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the various software models and methodology

Program Outcome
• The students will understand the Basics of Software Engineering

Problem Statement

(i) Prepare a detailed report on Software Development Life cycle.

(ii) Explain and compare different SDLC models (waterfall, Incremental, Spiral, RAD, Iterative)

(iii) Explain Agile and DevOps Methodology

Background Study:

Security is an important part of any application that encompasses critical functionality. This can
be as simple as securing your database from attacks by nefarious actors or as complex as
applying fraud processing to a qualified lead before importing them into your platform.

Security applies at every phase of the software development life cycle (SDLC) and needs to be at
the forefront of your developers’ minds as they implement your software’s requirements. In this
article, we’ll explore ways to create a secure SDLC, helping you catch issues in requirements
before they manifest as security problems in production.

Questions

Q1. What is the difference between SDLC and SSDLC?

Q2. Differentiate between Agile and DevOps Methodology

Q3. Do these methodologies include security?

Q4. What is a ticketing Tool? e.g., JIRA, SNOW

Student Work Area



Algorithm/Flowchart/Code/Sample Outputs

Experiment No:3

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the secure coding language.

Program Outcome
• The students will understand how to write secure code in C/C++

Problem Statement

Write a secure program in C/C++ using string functions to compare two strings.

Background Study:

Secure coding is the practice of developing computer software in a way that guards against the
accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently
the primary cause of commonly exploited software vulnerabilities.

Top 10 Secure Coding Practices

1. Validate input. 
2. Heed compiler warnings. 
3. Architect and design for security policies. 
4. Keep it simple. 
5. Default deny. 
6. Adhere to the principle of least privilege. 
7. Sanitize data sent to other systems. 
8. Practice defense in depth. 
9. Use effective quality assurance techniques. 
10. Adopt a secure coding standard. 

E.g.

Questions

Q1. What is secure coding?

Q2. Which phase of software development life cycle needs to be made secure?

Q3. What all work has been done in direction of making the code secure?

Q4. Why do we need to secure Code?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 4

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the vulnerabilities in the software codes.

Program Outcome

• The students will understand what non-compliant codes are and how the vulnerabilities in the code
can lead to exploitation.

Problem Statement

Find the non-compliant codes in C/C++ or Java and write the compliant codes for the same with its
vulnerability and mitigation.

Background Study:

Let us examine the rule "Close files when they are no longer needed". The C++ rule exists because C++
provides a technique to simplify compliance, as follows:

Consider the following noncompliant code:

In this noncompliant code example, a std::fstream object file is constructed. The constructor
for std::fstream calls std::basic_filebuf<T>::open(), which leaves the file open
when std::terminate() is invoked, terminating the program without performing any cleanup.
Consequently, the underlying std::basic_filebuf<T> object maintained by the file object is not
properly closed.

In the following compliant code, std::fstream::close() is called before std::terminate() is called, ensuring
that the file resources are properly closed:

Of course, this technique is common in C; C++ provides a simpler approach:
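
The three variants described above, written out as an added example (these are not the manual's own listings). The file names, the record text and the fork-based harness are assumptions for the demonstration; the harness needs a POSIX system and replaces the terminate handler with `_exit` so the child ends without any cleanup.

```cpp
#include <exception>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <sys/wait.h>  // waitpid (POSIX, used only by the demo harness)
#include <unistd.h>    // fork, _exit

static const char kRecord[] = "audit: shutting down\n";  // constructed sample data

// Noncompliant: the stream is still open when std::terminate() runs. No
// destructors execute, so the record stays in the stream buffer and is lost.
void terminate_with_open_file(const std::string &path) {
    std::fstream file(path, std::ios::out | std::ios::trunc);
    if (!file.is_open()) return;
    file << kRecord;
    std::terminate();
}

// Compliant: close explicitly, and check the result, before terminating.
void terminate_after_close(const std::string &path) {
    std::fstream file(path, std::ios::out | std::ios::trunc);
    if (!file.is_open()) return;
    file << kRecord;
    file.close();
    if (file.fail()) std::cerr << "close failed: " << path << '\n';
    std::terminate();
}

// Compliant, simpler: the inner scope ends before std::terminate(), so the
// stream's destructor flushes and closes the file (RAII).
void terminate_after_scope(const std::string &path) {
    {
        std::fstream file(path, std::ios::out | std::ios::trunc);
        if (!file.is_open()) return;
        file << kRecord;
    }
    std::terminate();
}

// Demo harness: run fn in a child process that terminates, then return what
// actually reached the file on disk.
std::string contents_after_terminate(void (*fn)(const std::string &),
                                     const std::string &path) {
    pid_t pid = fork();
    if (pid < 0) return "<fork failed>";
    if (pid == 0) {
        std::set_terminate([] { _exit(0); });  // end the child at once, no cleanup
        fn(path);
        _exit(1);  // reached only if the file could not be opened
    }
    int status = 0;
    waitpid(pid, &status, 0);
    std::ifstream in(path);
    return std::string(std::istreambuf_iterator<char>(in),
                       std::istreambuf_iterator<char>());
}

int main() {
    std::cout << "open at terminate : "
              << contents_after_terminate(terminate_with_open_file, "fio_open.txt").size()
              << " bytes on disk\n";
    std::cout << "closed explicitly : "
              << contents_after_terminate(terminate_after_close, "fio_close.txt").size()
              << " bytes on disk\n";
    std::cout << "closed by scope   : "
              << contents_after_terminate(terminate_after_scope, "fio_scope.txt").size()
              << " bytes on disk\n";
    return 0;
}
```

The security-relevant point is that the lost data is often exactly the record written just before the abnormal exit, such as an audit or error log entry.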



Questions

Q1. What is Non-Compliant Code?

Q2. What are the impacts of non-compliant code?

Q3. How can non-compliant code affect the Software and the company?

Q4. Which all sectors are impacted due to non-secure code?

Q5. Can we secure the code after delivery of the software?

Q6. How does it affect the cost, time and labour?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 5

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the Security Analysis Tools.

Program Outcome
• The students will understand the Static and Dynamic analysis of Software codes

Problem Statement

Prepare a report on the Security Tools used for Security analysis of Codes (Static and Dynamic
Tool).

Background Study:

Static analysis is performed in a non-runtime environment. Static application security testing
(SAST) is a testing process that looks at the application from the inside out. This test process is
performed without executing the program, but rather by examining the source code, byte code or
application binaries for signs of security vulnerabilities. In the static test process, the application
data and control paths are modeled and then analyzed for security weaknesses. Static analysis is a
test of the internal structure of the application, rather than functional testing.

Dynamic analysis adopts the opposite approach and is executed while a program is in
operation. Dynamic application security testing (DAST) looks at the application from the outside in,
by examining it in its running state and trying to manipulate it in order to discover security
vulnerabilities. The dynamic test simulates attacks against a web application and analyzes the
application’s reactions, determining whether it is vulnerable.

Having originated and evolved separately, static and dynamic analysis have, at times, been
mistakenly viewed in opposition. There are, however, a number of strengths and weaknesses
associated with both approaches to consider.

Questions

Q1. How can you secure the code? What are the methods and techniques to secure it?

Q2. Show the latest trend of vulnerability increase till year 2020 with the help of graph?

Q3. Present different case studies of latest attacks on software due to vulnerable software

Q4. Name the tools for static and Dynamic analysis?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 6

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the Big Block of RAM.

Program Outcome
• The students will understand the memory layout of C program in block of RAM

Problem Statement
Write C codes to find the size of the memory that varies in text, data and BSS of RAM with change in
initialized and uninitialized variables of global and static variables.

Background Study:

Memory Layout of C Program in Big Block of RAM

A typical memory representation of a C program consists of the following sections:

• Text
• Data (initialized /Uninitialized)
• Stack
• Heap
• Kernel
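
To see which section a given variable ends up in, the following added example (not part of the original manual) classifies addresses against the segment boundaries of the running program. It assumes Linux with an ELF toolchain, where the linker provides the symbols `__executable_start`, `etext`, `edata` and `end`; the variable and function names are illustrative.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Assumption: Linux/ELF. The linker defines these symbols at the start of the
// program image and at the end of the text, initialized-data and BSS segments
// (see `man 3 end`). Only their addresses are meaningful.
extern "C" char __executable_start, etext, edata, end;

enum Segment { TEXT, DATA, BSS, OTHER };

int initialized_global = 42;  // non-zero initial value: stored in the data segment
int uninitialized_global;     // no initializer: zero-filled BSS, takes no file space

int *static_initialized()   { static int v = 7; return &v; }  // data
int *static_uninitialized() { static int v;     return &v; }  // BSS
int sample_function()       { return initialized_global + uninitialized_global; }

// Classify an address by comparing it with the segment boundaries.
// DATA here also covers read-only data placed between etext and edata.
Segment segment_of(const void *p) {
    const auto a      = reinterpret_cast<std::uintptr_t>(p);
    const auto start  = reinterpret_cast<std::uintptr_t>(&__executable_start);
    const auto text_e = reinterpret_cast<std::uintptr_t>(&etext);
    const auto data_e = reinterpret_cast<std::uintptr_t>(&edata);
    const auto bss_e  = reinterpret_cast<std::uintptr_t>(&end);
    if (a >= start && a < text_e) return TEXT;
    if (a >= text_e && a < data_e) return DATA;
    if (a >= data_e && a < bss_e) return BSS;
    return OTHER;  // heap, stack, shared libraries, kernel-provided mappings
}

Segment segment_of_stack_local() {
    int local = 0;
    return segment_of(&local);
}

Segment segment_of_heap_block() {
    void *block = std::malloc(16);
    const Segment s = segment_of(block);
    std::free(block);
    return s;
}

const char *segment_name(Segment s) {
    switch (s) {
        case TEXT: return "text";
        case DATA: return "data";
        case BSS:  return "bss";
        default:   return "other (heap/stack/libraries)";
    }
}

int main() {
    std::printf("sample_function       -> %s\n",
                segment_name(segment_of(reinterpret_cast<const void *>(&sample_function))));
    std::printf("initialized_global    -> %s\n", segment_name(segment_of(&initialized_global)));
    std::printf("uninitialized_global  -> %s\n", segment_name(segment_of(&uninitialized_global)));
    std::printf("static initialized    -> %s\n", segment_name(segment_of(static_initialized())));
    std::printf("static uninitialized  -> %s\n", segment_name(segment_of(static_uninitialized())));
    std::printf("stack local           -> %s\n", segment_name(segment_of_stack_local()));
    std::printf("heap block            -> %s\n", segment_name(segment_of_heap_block()));
    return 0;
}
```

Adding or removing initializers on the globals and re-running the `size` utility on the binary shows the data and BSS totals move in step with what this program reports.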

Questions

Q1. How do you classify the memory?

Q2. Explain the memory layout?

Q3. What are initialized and uninitialized variable?

Q4. What do you understand by text, data and BSS of RAM?

Q5. What is the minimum and maximum address?

Q6. What is the difference between stack and heap?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 7

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students about the programming done for licensed software.

Program Outcome

• The students will understand programming done for developing a licensed version software.
• The students will understand the role of debugger

Problem Statement
• Installation of Olly Debugger
• Write a custom C program to check valid purchased key for a software.
• Write a C program and find addresses using Olly Debugger

Background Study:

Olly Debugger (OllyDbg) is a 32-bit assembler level analyzing debugger for Microsoft Windows.
Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.

Special highlights are:

• Intuitive user interface, no cryptical commands
• Code analysis - traces registers, recognizes procedures, loops, API calls, switches, tables,
constants and strings
• Directly loads and debugs DLLs
• Object file scanning - locates routines from object files and libraries
• Allows for user-defined labels, comments and function descriptions
• Understands debugging information in Borland® format
• Saves patches between sessions, writes them back to executable file and updates fixups
• Open architecture - many third-party plugins are available
• No installation - no trash in registry or system directories

Questions

Q1. What is the debugger?

Q2. What is DLL? How does it provide linkage to a software?

Q3. What is assembler?

Q4. What is the difference between 32-bit and 64-bit assembler? Do they both work similarly?

Q5. What are object files and libraries?

Q6. How does OllyDbg work?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 8

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Reverse Engineering using Algorithm Manipulation.

Program Outcome
• The students will understand the Reverse Engineering.
• The students will be able to reverse engineer any EXE to crack the licensing problem in the
software.

Problem Statement

Perform the steps to crack licensed version of PowerISO.exe using reverse engineering

Questions

Q1. What is Reverse Engineering? What is the difference between forward engineering and Reverse
engineering?

Q2. Give examples of forward engineering and reverse engineering.

Q3. When a company releases a product or software, does it provide the software code along with it? Why?

Q4. Which file is provided when you buy or download a software?


Q5. How can you make changes if code is not provided?

Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 9

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of hash.

Program Outcome

• The students will be able to understand the concept of hash in C programming using various hash
algorithms.

Problem Statement

Write different messages by changing different characters and by adding spaces and find its hash
using miraclesalad.com

Background Study:

A hash algorithm is a function that converts a data string into a numeric string output of fixed
length. The output string is generally much smaller than the original data. Hash algorithms are
designed to be collision-resistant, meaning that there is a very low probability that the same string
would be created for different data.

Two of the most common hash algorithms are the MD5 (Message-Digest algorithm 5) and the
SHA-1 (Secure Hash Algorithm). MD5 Message Digest checksums are commonly used to validate
data integrity when digital files are transferred or stored.
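
The effect of changing one character or adding a space, and the sender/receiver integrity check, can be reproduced locally with the following added example (not part of the original manual). It implements MD5 as specified in RFC 1321; the helper names and the sample messages are constructed for the illustration.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

static std::uint32_t rotl32(std::uint32_t x, unsigned n) {
    return (x << n) | (x >> (32 - n));
}

// MD5 (RFC 1321), returning the 128-bit digest as 32 lowercase hex characters.
std::string md5_hex(const std::string &msg) {
    static const unsigned shift[64] = {
        7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
        5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20,
        4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
        6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21};
    std::uint32_t h[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};

    // Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length (little-endian).
    std::vector<std::uint8_t> data(msg.begin(), msg.end());
    const std::uint64_t bit_len = static_cast<std::uint64_t>(msg.size()) * 8;
    data.push_back(0x80);
    while (data.size() % 64 != 56) data.push_back(0);
    for (int i = 0; i < 8; ++i)
        data.push_back(static_cast<std::uint8_t>(bit_len >> (8 * i)));

    for (std::size_t off = 0; off < data.size(); off += 64) {
        std::uint32_t m[16];
        for (int i = 0; i < 16; ++i) {
            const std::uint8_t *p = &data[off + 4 * i];
            m[i] = static_cast<std::uint32_t>(p[0]) |
                   (static_cast<std::uint32_t>(p[1]) << 8) |
                   (static_cast<std::uint32_t>(p[2]) << 16) |
                   (static_cast<std::uint32_t>(p[3]) << 24);
        }
        std::uint32_t a = h[0], b = h[1], c = h[2], d = h[3];
        for (unsigned i = 0; i < 64; ++i) {
            std::uint32_t f;
            unsigned g;
            if (i < 16)      { f = (b & c) | (~b & d); g = i; }
            else if (i < 32) { f = (d & b) | (~d & c); g = (5 * i + 1) % 16; }
            else if (i < 48) { f = b ^ c ^ d;          g = (3 * i + 5) % 16; }
            else             { f = c ^ (b | ~d);       g = (7 * i) % 16; }
            // Round constant: floor(2^32 * |sin(i + 1)|), as defined in the RFC.
            const std::uint32_t k = static_cast<std::uint32_t>(
                std::fabs(std::sin(i + 1.0)) * 4294967296.0);
            f += a + k + m[g];
            a = d; d = c; c = b;
            b += rotl32(f, shift[i]);
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    }

    char out[33];
    for (int i = 0; i < 16; ++i)
        std::snprintf(out + 2 * i, 3, "%02x",
                      static_cast<unsigned>((h[i / 4] >> (8 * (i % 4))) & 0xffu));
    return std::string(out, 32);
}

// Receiver-side check: recompute the digest and compare with the one sent.
bool received_intact(const std::string &sent_digest, const std::string &received_msg) {
    return md5_hex(received_msg) == sent_digest;
}

// Number of hex positions in which two digests of equal length differ.
int differing_hex_digits(const std::string &a, const std::string &b) {
    int n = 0;
    for (std::size_t i = 0; i < a.size() && i < b.size(); ++i) n += (a[i] != b[i]);
    return n;
}

int main() {
    // Constructed sample messages: a changed case, an added space, an added period.
    const char *samples[] = {"Transfer 100 to Bob", "transfer 100 to Bob",
                             "Transfer 100 to  Bob", "Transfer 100 to Bob."};
    const std::string base = md5_hex(samples[0]);
    for (const char *s : samples) {
        const std::string d = md5_hex(s);
        std::printf("%-24s %s  (%d of 32 hex digits differ)\n", s, d.c_str(),
                    differing_hex_digits(base, d));
    }
    return 0;
}
```

MD5 is used because the manual names it; it detects accidental changes, but it is not collision resistant against a deliberate attacker, so a digest such as SHA-256 is the appropriate choice where tampering is the concern.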

Questions

Q1. What do you understand by the concept of hash?

Q2. What is the difference between hash of two different words?

Q3. What are the different algorithms for the hash technique?

Q4. What is the difference between Hash and Encryption?

Q5. What type of the data can be converted in digest?

Q6. How can we identify what type of hashing technique has been applied on the digest by just seeing it?

Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 10

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Reverse Engineering via File Manipulation for different
software.

Program Outcome

• The students will be able to reverse engineer software which is hash protected.

Problem Statement

Follow the process of reverse engineering using File manipulation to make a crack of SMAC 2.0

Questions

Q1. What is Reverse Engineering via File Manipulation?

Q2. What is the difference between two techniques?

Q3. Should the key be stored in the code?

Q4. Should the license key be stored in encrypted form in the code?

Q5. What techniques should be applied to make a software secure?

Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 11

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Low Level-Buffer Overflow vulnerabilities in Code

Program Outcome

• The students will be able to identify the Buffer Overflow vulnerability of the software code.

Problem Statement

Write a program in C/C++ to show problem in Buffer Overflow

Background Study:

A buffer is a temporary area for data storage. When more data (than was originally allocated to be
stored) gets placed by a program or system process, the extra data overflows. It causes some of that
data to leak out into other buffers, which can corrupt or overwrite whatever data they were holding.

Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 12

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Low Level-Buffer Overflow vulnerabilities in Code

Program Outcome

• The students will be able to secure the Buffer Overflow vulnerability in a software code

Problem Statement

Write a program in C/C++ that is free of the buffer overflow problem

Background Study:

An attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a
user’s input.
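
The overflow described in the Background Study of Experiments 11 and 12, as an added example that is not part of the original manual: a non-compliant copy beside a compliant one. The struct layout, the function names and the input string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: two adjacent 8-byte buffers, no padding between. */
struct account {
    char name[8];
    char role[8];
};

/* Non-compliant: the length of src is never compared with sizeof(name).
 * The write goes through the struct's byte view so this demo stays
 * well-defined while the input fits inside the struct; strcpy(a->name,
 * src) has the same flaw with no upper limit at all. */
void set_name_unchecked(struct account *a, const char *src) {
    unsigned char *bytes = (unsigned char *)a;
    memcpy(bytes + offsetof(struct account, name), src, strlen(src) + 1);
}

/* Compliant: refuse input that does not fit, terminator included. */
int set_name_checked(struct account *a, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof a->name)
        return -1;                      /* rejected, nothing written */
    memcpy(a->name, src, len + 1);
    return 0;
}

/* Resets the account to an empty name and the role "guest". */
void reset_account(struct account *a) {
    memset(a, 0, sizeof *a);
    memcpy(a->role, "guest", 6);
}

int main(void) {
    const char *input = "AAAAAAAAadmin";    /* constructed: 13 characters */
    struct account a;

    reset_account(&a);
    set_name_unchecked(&a, input);          /* bytes 9..14 land in role[] */
    printf("unchecked: role=%s\n", a.role);

    reset_account(&a);
    int rc = set_name_checked(&a, input);
    printf("checked:   rc=%d role=%s\n", rc, a.role);
    return 0;
}
```

The unchecked copy leaves the neighbouring `role` buffer holding the tail of the input, while the checked copy rejects the input and leaves `role` unchanged.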

Questions

Q1. How can the vulnerability be removed from C code?

Q2. What are the tools that can be used to remove this type of vulnerability?

Q3. How will the output vary for non-compliant and compliant code?

Q4. Why is this Vulnerability called low level Vulnerability?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 13

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of buffer Overflow

Program Outcome

• The students will be able to exploit the vulnerability of the software using debugger and Metasploit

Problem Statement

Exploit the vulnerability in the software application using immunity debugger and Metasploit

Background Study:

A buffer is a temporary area for data storage. When more data (than was originally allocated to be
stored) gets placed by a program or system process, the extra data overflows. It causes some of that
data to leak out into other buffers, which can corrupt or overwrite whatever data they were holding.
In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions
intended by a hacker or malicious user; for example, the data could trigger a response that damages
files, changes data or unveils private information.
An attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a
user’s input. There are two types of buffer overflows: stack-based and heap-based. Heap-based,
which are difficult to execute and the least common of the two, attack an application by flooding
the memory space reserved for a program. Stack-based buffer overflows, which are more common
among attackers, exploit applications and programs by using what is known as a stack: memory
space used to store user input.

Questions

Q1. What is immunity debugger?

Q2. What is buffer-overflow attack?

Q3. What is stack-based and heap-based?

Q4. Why is Metasploit used? What is the purpose of Metasploit?

Q5. What are the other tools that are used in exploitation in buffer overflow?

Q6. What are the steps of exploitation?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 14

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Low Level-Stack Overflow vulnerabilities in Code

Program Outcome

• The students will be able to identify the Stack Overflow vulnerability in a software code

Problem Statement

Write a program in C/C++ to demonstrate the stack overflow problem

Background Study:

A stack overflow is an undesirable condition in which a particular computer program tries to use
more memory space than the call stack has available. In programming, the call stack is a buffer
that stores requests that need to be handled.

Questions

Q1. What is Stack Overflow Vulnerability?

Q2. How can you detect vulnerability of Stack Overflow in Code?

Q3. How can this vulnerability be exploited?

Q4. What are the methods to patch this vulnerability?



Q5. Does this vulnerability still exist?

Q6. Is it a language-dependent vulnerability?



Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 15

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Low Level-Stack Overflow vulnerabilities in Code

Program Outcome

• The students will be able to secure the Stack Overflow vulnerability in a software code.

Problem Statement

Write a program in C/C++ that is free of the stack overflow problem.

Background Study:

Stack is a special region of our process’s memory which is used to store local variables used
inside the function, parameters passed through a function and their return addresses. Whenever a
new local variable is declared it is pushed onto the stack. All the variables associated with a
function are deleted and memory they use is freed up, after the function finishes running. The
user does not need to free up stack space manually. The stack is a Last-In-First-Out data
structure.
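
An added example, not part of the original manual, of the stack exhaustion described in Experiments 14 and 15: recursion whose depth is driven by input, guarded by a depth limit. The function names, the MAX_DEPTH value and the bracket inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64            /* assumed limit chosen for this example */

/* Recursive bracket matcher: every '(' costs one more stack frame, so
 * the input decides how deep the recursion goes. Without the depth test
 * a long run of '(' exhausts the call stack.
 * Returns a pointer past the parsed text, or NULL on error. */
static const char *parse_group(const char *s, int depth, int *deepest) {
    if (depth > MAX_DEPTH)
        return NULL;                      /* refuse before recursing further */
    if (depth > *deepest)
        *deepest = depth;
    while (*s == '(') {
        s = parse_group(s + 1, depth + 1, deepest);
        if (s == NULL || *s != ')')
            return NULL;                  /* too deep or unbalanced */
        s++;
    }
    return s;
}

/* Deepest nesting level of s, or -1 if unbalanced or deeper than MAX_DEPTH. */
int nesting_depth(const char *s) {
    int deepest = 0;
    const char *end = parse_group(s, 0, &deepest);
    return (end != NULL && *end == '\0') ? deepest : -1;
}

/* Builds n '(' followed by n ')' (constructed input) and measures it. */
int depth_of_nested(size_t n) {
    static char buf[200001];
    if (2 * n >= sizeof buf)
        return -1;
    memset(buf, '(', n);
    memset(buf + n, ')', n);
    buf[2 * n] = '\0';
    return nesting_depth(buf);
}

int main(void) {
    printf("\"(()())\" -> %d\n", nesting_depth("(()())"));
    printf("64 levels -> %d\n", depth_of_nested(64));
    printf("100000 levels -> %d\n", depth_of_nested(100000));
    return 0;
}
```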

Questions

Q1. Explain the working of stack using a sample C code.

Q2. Explain buffer overflow using a sample C code and show how overflow of stack will happen.

Student Work Area


Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 15

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective
To familiarize the students with the concept of Low Level-Integer Overflow vulnerabilities in Code

Program Outcome

• The students will be able to secure the Integer Overflow vulnerability in a software code.

Problem Statement

Write a program to solve the integer overflow problem

Background Study:

Integer overflow vulnerabilities are caused when a value is moved into a variable type too small
to hold it. One example is downcasting from a long (which has eight bytes allocated to it) to an
int (which uses two or four bytes). This is accomplished by cutting the value down to a small
enough size that it fits in the smaller value. If any of the bits that are dropped are non-zero, then
the value suddenly becomes a lot smaller.

Integer overflows can also occur when typecasting from an unsigned to a signed variable type.
Both a signed and an unsigned short are stored in two bytes, but the most significant bit of a
signed short indicates whether it is positive or negative. An unsafe cast from unsigned to signed
of a value with a one in the most significant bit changes it from a large positive number to a
negative one.
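
An added example, not part of the original manual, covering the cases in the background above: signed addition past INT_MAX, unsigned wrap-around, a 64-to-32-bit downcast and an unsigned-to-signed reinterpretation. Function names and sample values are constructed; fixed-width types stand in for long, int and short so the sizes do not depend on the platform.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Signed overflow is undefined behaviour in C, so test before adding.
 * Returns 0 and stores the sum, or -1 if a + b does not fit in int. */
int add_checked(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

/* Unsigned arithmetic is defined to wrap modulo 2^N. */
unsigned int add_wrapping(unsigned int a, unsigned int b) {
    return a + b;
}

/* What an unchecked 64-to-32-bit downcast keeps: the low 32 bits. */
uint32_t low32(int64_t v) {
    return (uint32_t)v;
}

/* Checked downcast: refuse values outside the 32-bit signed range. */
int narrow_checked(int64_t v, int32_t *out) {
    if (v < INT32_MIN || v > INT32_MAX)
        return -1;
    *out = (int32_t)v;
    return 0;
}

/* Value a two's-complement machine reads when the same 16 bits are
 * reinterpreted as signed (computed arithmetically, no unsafe cast). */
long as_signed16(uint16_t v) {
    return v > INT16_MAX ? (long)v - 65536L : (long)v;
}

int main(void) {
    int sum = 0;
    int32_t n = 0;
    /* All inputs below are constructed sample values. */
    printf("INT_MAX + 1 checked: rc=%d\n", add_checked(INT_MAX, 1, &sum));
    printf("UINT_MAX + 2 wraps to %u\n", add_wrapping(UINT_MAX, 2u));
    printf("0x100000005 downcast keeps %u\n", (unsigned)low32(0x100000005LL));
    printf("narrow_checked rc=%d\n", narrow_checked(0x100000005LL, &n));
    printf("40000 read as signed 16-bit: %ld\n", as_signed16(40000));
    return 0;
}
```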

Questions

Q1. Write a code for Integer Overflow then some questions on that same code including unsigned
int and signed int (according to the code as I had written a simple code which does the addition
of INT_MAX value to overflow it). They even modified the code a bit then asked me the overflowed
value in the case of integer overflow like for example: UINT_MAX + 2 = ?? like that.

Q2. Difference between structure and union and calculate the size of the structure and union in
below code snippet:

// structure
struct example1 {
    int a;
    unsigned int b;
    unsigned int c;
};

// union
union example2 {
    int a;
    unsigned int b;
    unsigned int c;
};

Q3. What is Integer Overflow Vulnerability?

Q4. How can you detect vulnerability of Integer Overflow in Code?

Q5. How can this vulnerability be exploited?

Q6. What are the methods to patch this vulnerability?

Q7. Does this vulnerability still exist?

Q8. Is it a language-dependent vulnerability?



Student Work
Algorithm/Flowchart/Code/Sample Outputs

Experiment No: 17

Student Name and Roll Number:


Semester /Section:
Link to Code:
Date:
Faculty Signature:
Remarks:

Objective

To familiarize the students with the concept of SQL injection.

Program Outcome

• The students will be able to secure the website from SQL injection.

Problem Statement

Perform SQL injection-based query on any real website


(i) Perform different methods to find the vulnerable php website
(ii) Find number of columns in the application
(iii) Find the name of the database, version and user
(iv) Find all the tables in the database
(v) Find the column names/ attributes
(vi) Find the values in the columns (username and password)

Background Study:

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries
that an application makes to its database. It generally allows an attacker to view data that they are
not normally able to retrieve. This might include data belonging to other users, or any other data
that the application itself is able to access. In many cases, an attacker can modify or delete this data,
causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying
server or other back-end infrastructure, or perform a denial-of-service attack.

A successful SQL injection attack can result in unauthorized access to sensitive data, such as
passwords, credit card details, or personal user information. Many high-profile data breaches in
recent years have been the result of SQL injection attacks, leading to reputational damage and
regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's
systems, leading to a long-term compromise that can go unnoticed for an extended period.

Questions

Q1. What is Blind SQL Injection?

Q2. How do we prevent SQL Injection in our applications?

Algorithm/Flowchart/Code/Sample Outputs

Secure Coding and Software Vulnerability


CSL283

Faculty name: Student name:

Roll No.:

Semester:

Group:

Department of Computer Science and Engineering


The NorthCap University, Gurugram- 122001, India
Session 2021-2022

Table of Contents
S.No    Page No.
1. Project Description

2. Problem Statement

3. Analysis

3.1 Hardware Requirements

3.2 Software Requirements

4. Design

4.1 Data/Input Output Description:

4.2 Algorithmic Approach / Algorithm / DFD / ER diagram / Program Steps

5. Implementation and Testing (stage/module wise)

6. Output (Screenshots)

7. Conclusion and Future Scope
