
Lab 9 - Exploiting Application Vulnerabilities Using ZAP, XSS and URL Manipulation - CYB302

Uploaded by

Thakor Shivani

Course: CYB302

Ethical Hacking
(Canadian Context)

Lab 9: Exploiting Application Vulnerabilities using ZAP, XSS and URL manipulation

Coordinator & Instructor: Muhammad Siddiqui

Name: Shivani Thakor

Student Id: 21018473
Activity 1: Using the ZAP Proxy
In this exercise, you will install the ZAP interception proxy on your system and use it
to intercept and modify a request before it is sent to a website.

1. Visit the OWASP ZAP project homepage at
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project .
2. Download and install the version of ZAP appropriate for your operating system.
3. Review the OWASP ZAP Getting Started Guide at
https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf .
4. Use ZAP to intercept a request sent from your browser to a search engine.
Using ZAP, modify the request to change the search term sent to the remote
site. Take the screen shot.
5. View the results.
Q1: Did your browser display the results for the term that you typed into the
browser, or did it display the results for the search term that you changed using
ZAP?
Activity 2: Creating a Cross-Site Scripting Vulnerability
In this activity, you will create a cross-site scripting vulnerability using an HTML page
saved on your local computer.

1. Using a text editor of your choice, create an HTML file containing some simple
content of your choice. For example, you might want to model your code after
the following sample page:

<p>Hello everyone,</p>
<p>I am planning an upcoming trip to <A HREF=
'https://www.mlb.com/mets/ballpark'>Citi Field</A> to see the Mets take
on the Yankees in the Subway Series.</p>
<p>Does anyone have suggestions for transportation? I am staying in
Manhattan and am only interested in <B>public transportation</B>
options.</p>
<p>Thanks!</p>
<p>Mike</p>

2. Open the file stored on your local computer and view it using your favorite
browser.
3. In your text editor, modify the file that you created in step 1 to include a
cross-site scripting attack. You may wish to refer to the example in the section
“Cross-Site Scripting (XSS)” covered earlier, if you need assistance.

<p>Hello everyone,</p>
<p>I am planning an upcoming trip to <A HREF=
'https://www.mlb.com/mets/ballpark'>Citi Field</A> to see the Mets take
on the Yankees in the Subway Series.</p>
<p>Does anyone have suggestions for transportation? I am staying in
Manhattan and am only interested in <B>public transportation</B>
options.</p>
<p>Thanks!</p>
<p>Mike</p>
<SCRIPT>alert('YourStudentID')</SCRIPT>
(You must change the last line to another line or lines of HTML code to include
a cross site scripting attack.) Take the screen shot of the modified code.
4. After saving the modified file, refresh the page in your browser. Take the
screen shot.

Q2: Did you see the impact of your cross-site scripting attack?
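
An added example (not part of the lab handout): the defensive counterpart to step 3, showing why the appended line runs and how output encoding makes it inert. It assumes a hypothetical forum that builds the page from separate post fields; the function names and the sample values are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def safe_href(url):
    """Return the URL escaped for an HTML attribute, or '#' if its scheme is not allowed."""
    url = url.strip()
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:          # malformed URL
        return "#"
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)

def render_unsafe(body):
    """The pattern the lab reproduces by hand: untrusted text is placed in the page as markup."""
    return "<p>" + body + "</p>"

def render_safe(body, link_text, link_url):
    """Encode every untrusted field for the context it lands in (element text, attribute)."""
    return ('<p>' + html.escape(body) + '</p>\n'
            '<p><a href="' + safe_href(link_url) + '">'
            + html.escape(link_text) + '</a></p>')

# Constructed sample post, ending with the line from step 3 of the lab.
BODY = "Thanks! Mike <SCRIPT>alert('YourStudentID')</SCRIPT>"
LINK_TEXT = "Citi Field"
LINK_URL = "https://www.mlb.com/mets/ballpark"

if __name__ == "__main__":
    print(render_unsafe(BODY))                      # script element reaches the browser intact
    print(render_safe(BODY, LINK_TEXT, LINK_URL))   # same text, displayed literally
```

With the safe renderer the browser shows the SCRIPT line as visible text instead of executing it, which is the behaviour a forum should have for the post in this activity.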
Activity 3: Exploiting Insecure Direct Object Reference (URL Manipulation)
First, we need to set up the lab environment by creating a LAMP server in Kali:
• Start the Kali VM in VMware or VirtualBox.
• Make sure the Apache web server is installed. It should be by default, so try to
start it; if the service is not found, use apt-get to install it.
systemctl start apache2
The standard password is set as: kali
(If you have changed Kali’s password previously, then use that one.)
• After starting Apache, check the status to make sure it is up and running.
systemctl status apache2
• Open a web browser and go to the “localhost” address to make sure the
website is up and running. It should show the default Apache2 Debian
page.
• Now that Apache is installed and running, make sure that mysql is installed.
Try to start the mysql service; if it is not found, install it with apt-get.
systemctl start mysql
The standard password is set as: kali
• Check the status of mysql to make sure it is running.
systemctl status mysql
• Now that mysql is up and running, we have to set up the database. Log in to
mysql as the root user.
sudo mysql --user=root --password
• Create the database; let’s call it CYB302. NOTE the capitals: it is important
to make sure the name is capitalized because the PHP files that connect to the
database are case-sensitive. Also make sure to use the semi-colon ; to end
the statement.
CREATE DATABASE CYB302;
• Verify that the database was created correctly by using the show databases
command.
SHOW DATABASES;
• Now we have to create a user for accessing the database and set up the
user’s privileges. The username is “mohamed” and the password is
“S!d@q!##”. Copy and paste this command; it is actually several commands
linked together by statement-terminating semi-colons ; so make sure they all
respond with Query OK. Don’t change anything in the commands below at
all.
CREATE USER 'mohamed'@'%' IDENTIFIED BY 'S!d@q!##';GRANT
SELECT ON *.* TO 'mohamed'@'%';ALTER USER 'mohamed'@'%'
REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0
MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0
MAX_USER_CONNECTIONS 0;GRANT ALL PRIVILEGES ON
`mohamed`.* TO 'mohamed'@'%';
• Now create the tables. First select the database.
USE CYB302;
• Now make two tables: a students table that holds the first and last names of
students, and a users table that holds users’ usernames and passwords.
CREATE TABLE students(id int, frstname varchar(255), lstname
varchar(255), contact int, PRIMARY KEY ( id ) );

CREATE TABLE users(id int, usrname varchar(255), pssword
varchar(255), hint varchar(255), PRIMARY KEY ( id ) );
• Finally, verify the tables were created correctly by displaying the tables.
SHOW TABLES; (Take the screen shot)

• Insert some data into the “students” table and the “users” table. Feel free to
change the values to other names, usernames, and passwords.

INSERT INTO `students` (`id`, `frstname`, `lstname`, `contact`) VALUES
('501', 'Manmeet', 'Singh', '124052'), ('502', 'Helly', 'Patel', '335250'),
('503', 'Shakir', 'Bagiya', '203190');

INSERT INTO `users` (`id`, `usrname`, `pssword`, `hint`) VALUES
('501', 'msingh', '*_cb&S27@@1', 'Cybersecurity'), ('502', 'hpatel',
'9enT@t_#', 'Pentest'), ('503', 'sbagiya', '9@me0fTh0rne#', 'Game');

• Read back the data from the tables to make sure that it was inserted
correctly.
SELECT * from students;
SELECT * from users;
(Take the screen shot showing output of both above-mentioned
commands)

• Finally, exit out of the mysql command terminal.
exit

• Download the following two PHP files: form.php and doit.php

• Open a terminal and change directory to your Downloads directory. Make
sure that the two files are there in the Downloads directory by using the ls
command.
• Make a new directory called “cyb” in the web server root directory with the
following command:
sudo mkdir /var/www/html/cyb
Note that the /var/www/html directory is the default web server root directory
for Apache. Also make sure you use sudo with the mkdir command,
because this directory is owned by root and regular users will not have
permission to make new directories.
• Finally, move the two PHP files from the current directory to the cyb
directory in the web server root with the following command:
sudo mv doit.php form.php /var/www/html/cyb
Note once again that you must use sudo since the directory is owned by
the root user.
• Restart the Apache web server.
systemctl restart apache2
Now visit the address “localhost/cyb/form.php” in your web browser; you
should see the form page.

URL Manipulation:
URL manipulation is a starting point for SQL injection: it allows you to change the
variables that websites use to communicate between the back end and the front end.

• Navigate to the site “http://localhost/cyb/form.php”, enter the number
501 in the ID field, and click submit. Take the screen shot.
Notice how the resulting PHP code returns a page that lists the record
associated with ID number 501.

• Modify the URL to show you the record associated with the following ID
numbers:
o 502 (Take the screen shot)
o 503 (Take the screen shot)
o 505 (Take the screen shot)
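
An added example, not part of the lab files: doit.php is not reproduced on this page, so the sketch below models an ID lookup like the one exercised above and puts it next to the control that stops this exercise from working, an object-level authorization check. The function names, the use of in-memory SQLite in place of MySQL, and the assumption that a logged-in user's session id equals their student id are all illustrative.

```python
import sqlite3

QUERY = "SELECT id, frstname, lstname, contact FROM students WHERE id = ?"

def build_db():
    """In-memory stand-in for the lab's students table (SQLite instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students(id int, frstname varchar(255), "
               "lstname varchar(255), contact int, PRIMARY KEY (id))")
    db.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", [
        (501, "Manmeet", "Singh", 124052),
        (502, "Helly", "Patel", 335250),
        (503, "Shakir", "Bagiya", 203190),
    ])
    return db

def parse_id(raw):
    """Accept only plain ASCII digits from the URL parameter."""
    return int(raw) if raw.isascii() and raw.isdigit() else None

def lookup_by_url_id(db, raw_id):
    """IDOR pattern: the id in the URL alone decides which row comes back."""
    rid = parse_id(raw_id)
    return None if rid is None else db.execute(QUERY, (rid,)).fetchone()

def lookup_authorized(db, session_user_id, raw_id):
    """Object-level authorization: a user may read only their own record."""
    rid = parse_id(raw_id)
    if rid is None:
        return 400, None
    if rid != session_user_id:
        # Same answer for existing and missing ids, so responses cannot
        # be used to work out which records exist.
        return 403, None
    row = db.execute(QUERY, (rid,)).fetchone()
    return (200, row) if row else (404, None)

if __name__ == "__main__":
    db = build_db()
    for raw in ("501", "502", "505"):   # the ids used in the exercise
        print(raw, lookup_by_url_id(db, raw), lookup_authorized(db, 501, raw))
```

Note that the query is parameterized in both functions; what separates them is only the ownership check, which is the part an insecure direct object reference is missing.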
