
Webzeel Services

Surat

An internship report submitted to

UKA TARSADIA UNIVERSITY

Pre-Final Year Student of

Bachelor of Technology
in
Computer Engineering

By
Mangukiya Zeelkumar Maheshbhai
Enrolment No: 202103103510419

Guided by
Mr. Punit Korat (CEO)

Department of Computer Engineering

Chhotubhai Gopalbhai Patel Institute of Technology
Bardoli, Surat, Gujarat
November, 2024
Company Profile

• Vision: To be a globally recognized leader in digital solutions and cybersecurity,
  driving innovation, efficiency, and growth for businesses by combining the power
  of technology and creativity.

• Mission: Our mission is to empower businesses by delivering cutting-edge
  technology solutions that enhance efficiency, improve security, and drive growth.
  We strive to build lasting partnerships with our clients through innovative design,
  reliable service, and a customer-first approach, ensuring that our solutions not only
  meet but exceed their business needs.

• Achievements: Specializing in custom software development, website design, app
  development, digital marketing, and Google Workspace automation. The
  company's focus on customer satisfaction and cutting-edge technology has earned
  it industry recognition and a top spot on Clutch.

• No. of Employees: 26

• Technologies:
  1. Web Development: HTML5, CSS3, JavaScript, React.js, Node.js
  2. App Development: Flutter, React Native, Android, iOS
  3. Automation: Google Workspace Automation, AI/ML Integration
  4. Cybersecurity: Penetration Testing, Network Security, Encryption, Incident Response

• Address: 4030, Central Bazzar, Varachha Main Rd, Surat, Gujarat 395006

• Starting Year: 2015
About Internship Area

Domain: Information Security
Starting Date: 6/5/2024
Ending Date: 6/7/2024
Duration of Internship:
Mode of Internship (Online/Offline): Offline
Live Project (Yes/No): No
Working in Team/Individual: Individual

Learning Outcome

Week 1&2 Learning

• DMARC
  1. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
     is an email authentication protocol designed to give domain owners control
     over how their emails are authenticated and protected against fraudulent
     use, such as phishing and email spoofing. It lets domain owners:
  2. Define how emails from their domain should be authenticated (using SPF
     and DKIM).
  3. Instruct receiving mail servers on how to handle unauthenticated emails
     (reject, quarantine, or allow).
  4. Generate reports on failed authentication attempts, helping organizations
     monitor potential abuse of their domains.

• How to Set Up DMARC
  1. Set up SPF and DKIM: Ensure your domain has proper SPF and DKIM records.
  2. Create a DMARC Record: This is a TXT record added to your DNS that
     defines your DMARC policy.
  3. Monitor with 'none' Policy: Start by setting the policy to 'none' to
     monitor mail flow without taking action.
  4. Analyze Reports: DMARC generates XML reports that can be analyzed to
     identify spoofing attempts and authentication failures.
  5. Gradually Move to 'quarantine' or 'reject': Based on the reports, tighten
     your policy by moving to 'quarantine' or 'reject' to fully protect your
     domain.

• Benefits of DMARC
  1. Protection against Phishing: Blocks unauthorized emails from being sent
     using your domain.
  2. Enhanced Security: Works alongside SPF and DKIM to create a robust email
     security system.
  3. Visibility and Control: Allows you to track and manage email
     authentication, gaining better visibility over email flows.
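Steps 4 and 5 of the rollout depend on reading the aggregate XML reports. The following Python is an added example, not part of this report or the company's tooling: it parses a constructed aggregate report, totals passing and failing mail per source IP, and applies an assumed 5% failure threshold to decide whether to advance the policy from 'none' to 'quarantine' to 'reject'. The report content, IP addresses and threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a DMARC aggregate (rua) report; not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize_report(xml_text):
    """Return (published policy, {source_ip: (passed, failed)}) for one report."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    totals = defaultdict(lambda: [0, 0])
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals[ip][0 if aligned else 1] += count
    return policy, {ip: tuple(v) for ip, v in totals.items()}


def recommend_policy(policy, totals, max_fail_rate=0.05):
    """Suggest the next step of the none -> quarantine -> reject rollout.

    The 5% threshold is an assumption for this example, not a DMARC rule.
    """
    sent = sum(p + f for p, f in totals.values())
    failed = sum(f for _, f in totals.values())
    fail_rate = failed / sent if sent else 0.0
    next_step = {"none": "quarantine", "quarantine": "reject"}.get(policy, "reject")
    if fail_rate > max_fail_rate:
        # Failing sources may be legitimate mailers missing SPF/DKIM: fix them first.
        return f"stay at p={policy}: {fail_rate:.0%} of mail fails; identify the failing senders first"
    return f"move to p={next_step}"


if __name__ == "__main__":
    pol, per_ip = summarize_report(SAMPLE_REPORT)
    print(pol, per_ip)
    print(recommend_policy(pol, per_ip))
```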
• Screenshots
Week 3&4 Learning

• XML-RPC Vulnerability Identification
  1. Vulnerabilities in XML-RPC can expose systems to multiple attack vectors,
     including:
  2. Brute Force Attacks: Hackers can use XML-RPC to perform unlimited login
     attempts.
  3. Denial of Service (DoS): Attackers can overwhelm the server by sending
     repeated pingback requests.
  4. Pingback Abuse: Exploits can use XML-RPC for DDoS amplification attacks
     via pingbacks.

• Mitigation Strategies
  1. Disable XML-RPC if not needed on the platform.
  2. Use rate limiting to prevent brute force attacks.
  3. Implement pingback restrictions to prevent DDoS via XML-RPC.
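Mitigation 2 (rate limiting) starts with seeing which sources are hammering xmlrpc.php. The following Python is an added example, not from this report or the company's work: it runs over constructed Apache-style access log lines and flags source IPs that exceed an assumed threshold of POSTs to /xmlrpc.php inside a 60-second window. The log lines, addresses and threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def _line(ip, secs, method, path, status):
    """Build one constructed log line (RFC 5737 test addresses, fixed minute)."""
    return (f'{ip} - - [05/Jun/2024:10:00:{secs:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 412 "-" "Mozilla/5.0"')


# Constructed sample: one source posting six times in 19 s, one normal visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", s, "POST", "/xmlrpc.php", 200) for s in (1, 3, 5, 8, 12, 20)]
    + [_line("198.51.100.9", 15, "GET", "/index.php", 200),
       _line("198.51.100.9", 40, "POST", "/xmlrpc.php", 200)]
)


def xmlrpc_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for IPs with >= threshold xmlrpc.php POSTs in any window."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/xmlrpc.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.setdefault(m["ip"], []).append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE_LOG))
```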

• Steps Taken to Identify Vulnerabilities
  1. Reconnaissance: Used Nmap and WPScan to identify active XML-RPC services
     on target sites.
  2. Testing: Ran brute-force login attempts using Metasploit to test if XML-RPC
     allowed multiple login requests.
  3. DDoS Simulation: Tested pingback abuse by triggering multiple pingback
     requests to overwhelm the target.
  4. Report Findings: Documented identified vulnerabilities and proposed
     mitigation strategies.

• Tools Used for Vulnerability Scanning
  1. Nmap: For identifying open ports and services using XML-RPC.
  2. Metasploit: For testing XML-RPC-related vulnerabilities on WordPress.
  3. WPScan: WordPress-specific tool for scanning known XML-RPC vulnerabilities.
  4. Burp Suite: Intercepted and tested requests using the XML-RPC protocol.

• Screenshots

Solution:
Open up your .htaccess file. You may have to turn on 'show hidden files' within your
file manager or FTP client to locate this file. Inside your .htaccess file, paste the
following code:

# Block WordPress xmlrpc.php requests
# (Apache 2.2-style directives; on Apache 2.4 they need mod_access_compat,
#  otherwise use "Require all denied" / "Require ip ..." instead)
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Week 5&6 Learning

• XSS Vulnerabilities in Input Fields
  1. XSS is a security vulnerability that allows attackers to inject malicious
     scripts into web pages viewed by other users.
  2. Commonly occurs when user inputs are not properly sanitized.
  3. Impact: Can lead to data theft, session hijacking, phishing attacks, and
     more.

• Types of XSS Vulnerabilities
  1. Stored XSS: The malicious script is permanently stored on the target server
     (e.g., in a database).
  2. Reflected XSS: The injected script is reflected off a web server, such as in
     a search query result or error message.
  3. DOM-based XSS: The vulnerability exists in the client-side JavaScript code
     rather than the server-side.

• Mitigation Strategies
  1. Input Validation: Always validate and sanitize user input on both server and
     client side.
  2. Output Encoding: Encode user data before rendering it in the browser to
     prevent script execution.
  3. Use Content Security Policy (CSP): Add a layer of protection to block
     potentially harmful script execution.
  4. Regular Testing: Continuously test for XSS vulnerabilities using automated
     tools and manual inspection.

• Tools Used for XSS Testing
  1. Burp Suite: For intercepting and modifying requests to test input fields
     for XSS vulnerabilities.
  2. OWASP ZAP: Automated vulnerability scanning tool to detect XSS issues.
  3. Browser Developer Tools: Used to test and validate whether input
     sanitization was being bypassed.
  4. XSSer: Specialized tool for finding XSS vulnerabilities.

• Test Payloads Used
  1. "><script>alert(1)</script>
  2. <img src=x onerror=alert(1)>
  3. <svg/onload=alert(1)>
  4. "><svg onload=alert(document.cookie)>
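Mitigation 2 (output encoding) is the fix for the reflected case described above. The following Python is an added example, not from this report: a constructed search-result template rendered once with raw concatenation and once with output encoding, with the four test payloads listed above used only as inputs to confirm that the encoded version leaves no live markup. The template and the helper names are constructed for illustration.

```python
import html

# The four probe strings from the list above, used here only as encoder test inputs.
PROBES = [
    '"><script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<svg/onload=alert(1)>',
    '"><svg onload=alert(document.cookie)>',
]

# The constructed template below contains exactly three '<' of its own:
# <input ...>, <p>, </p>. Anything beyond that came from the input.
TEMPLATE_TAG_COUNT = 3


def render_unsafe(query):
    """Reflected XSS: raw input is concatenated into an attribute and into text."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_safe(query):
    """Output encoding: html.escape with quote=True also encodes " and ',
    which is what stops the '">' payloads from closing the value attribute."""
    q = html.escape(query, quote=True)
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def injected_tag_count(rendered):
    """Number of '<' beyond the template's own; > 0 means input became markup."""
    return rendered.count("<") - TEMPLATE_TAG_COUNT


def audit(render):
    """Return the probes that still reach the page as live markup under `render`."""
    return [p for p in PROBES if injected_tag_count(render(p)) > 0]


if __name__ == "__main__":
    print("unsafe template still vulnerable to:", audit(render_unsafe))
    print("encoded template still vulnerable to:", audit(render_safe))
```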
• Screenshots
Week 7&8 Learning

• Burp Suite, Nmap, WPScan
  1. I enhanced my technical skills in using tools like Burp Suite, Nmap, WPScan,
     and OWASP ZAP to perform vulnerability scans, test exploits, and provide
     security recommendations.
  2. Overall, this internship enriched my knowledge in cybersecurity, especially
     in web application security, and allowed me to apply these skills in
     real-world scenarios.

• Burp Suite
  1. Purpose: A comprehensive web vulnerability scanner used for security testing
     of web applications.
  2. Key Features:
     • Intercepts HTTP/S traffic to test how data is handled by web applications.
     • Allows for manual testing and automated scanning of web vulnerabilities.
     • Commonly used for XSS, SQL Injection, and authentication testing.

• Nmap
  1. Purpose: A network scanning tool used for network discovery and security
     auditing.
  2. Key Features:
     • Port scanning to discover open ports and services on a network.
     • Useful for identifying services that may have vulnerabilities, such as
       XML-RPC endpoints.
     • Can be used to perform OS detection, version detection, and vulnerability
       scans.

• WPScan
  1. Purpose: A WordPress security scanner specifically designed to find
     vulnerabilities in WordPress websites.
  2. Key Features:
     • Detects WordPress-specific vulnerabilities, such as outdated plugins,
       themes, and XML-RPC vulnerabilities.
     • Useful for enumerating usernames, plugins, themes, and other
       WordPress-specific elements.

• Screenshots: wpscan, nmap
Conclusion

• During my internship at Webzeel, I gained practical experience in identifying
  and mitigating security vulnerabilities like XML-RPC and XSS (Cross-Site
  Scripting).

• Through the 3rd and 4th week, I learned how attackers could exploit XML-RPC
  vulnerabilities to launch brute force, DoS, and DDoS attacks, and how to
  implement effective mitigation strategies.

• In the 5th and 6th week, I focused on identifying XSS vulnerabilities in input
  fields and learned about the risks posed by unsanitized inputs and improper
  encoding.

• I enhanced my technical skills in using tools like Burp Suite, Nmap, WPScan,
  and OWASP ZAP to perform vulnerability scans, test exploits, and provide
  security recommendations.