
INTERNSHIP-THE RED USERS

CYBERSECURITY INTERNSHIP TASK DOCUMENTATION

Detailed Report for Task 2: Introduction to Web Application Security


1. Introduction

This report details the process and findings of analyzing a web application for common security
vulnerabilities. Using OWASP ZAP and Metasploitable 2 (an intentionally insecure virtual machine
that hosts vulnerable web applications), the analysis focused on understanding vulnerabilities like
SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). This experience
highlighted real-world security challenges and how attackers can exploit these vulnerabilities, with
an emphasis on mitigation strategies.

2. Task Overview

Objective
The goal of this task was to learn about web application security by detecting, exploiting, and
documenting vulnerabilities. This practical approach aids in comprehending the impact of these
vulnerabilities and preparing for mitigating such issues in real-world applications.

Required Skills

• Basic Web Security


• Vulnerability Identification

Tools

• OWASP ZAP: For scanning and identifying vulnerabilities in web applications.

• Metasploitable 2: An intentionally vulnerable virtual machine that hosts insecure web
applications, used as the target for security testing.

3. Step-by-Step Process

1. Setup

• Objective: Set up the testing environment on a secure, controlled system.

• Process:

1. Install Metasploitable 2: Download and install Metasploitable 2 as a virtual machine in
VirtualBox or VMware, ensuring the VM is isolated by setting the network adapter to
“Host-only” or another secure configuration.

2. Verify Access: Start Metasploitable 2 and verify that it is running and accessible for
security testing.

2. Perform Basic Vulnerability Analysis

• Objective: Detect vulnerabilities using OWASP ZAP.

• Process:
1. Launch OWASP ZAP: Started ZAP and set up a proxy to intercept and analyze
traffic between the browser and Metasploitable 2.

2. Run a Full Scan: Scanned Metasploitable 2 to detect SQL Injection, XSS, and
CSRF vulnerabilities. ZAP provided detailed reports, highlighting specific areas
for each vulnerability.

• Output: Identified instances of SQL Injection, XSS, and CSRF vulnerabilities.


3. Explore Vulnerabilities

• Objective: Understand each vulnerability’s impact by manually testing them.

• Process:

1. SQL Injection:

▪ Challenge: Finding a vulnerable input field and crafting SQL statements.

▪ Solution: Located an input form (login) and tested SQL Injection using ' OR '1'='1.

▪ Outcome: Successfully bypassed authentication, confirming the SQL Injection vulnerability.

2. Cross-Site Scripting (XSS):

▪ Challenge: Finding a field that reflected input data on the screen.

▪ Solution: Inserted JavaScript code (<script>alert("XSS")</script>) into the comments section.

▪ Outcome: The code executed, validating the XSS vulnerability.

3. Cross-Site Request Forgery (CSRF):

▪ Challenge: Crafting a malicious request and determining whether the application lacked
CSRF protection.

▪ Solution: Used ZAP’s CSRF scanner to confirm the absence of CSRF tokens.

▪ Outcome: Discovered that unauthorized actions could be triggered, revealing a CSRF
vulnerability.

• Output: Screenshots of successful exploitation attempts and confirmation of vulnerabilities
in each category.

4. Report

• Objective: Document findings, challenges, and recommendations.

• Process:

1. Summarize Each Vulnerability:

▪ SQL Injection: Allowed database manipulation through unauthorized SQL commands.

▪ XSS: Enabled script injection, which could compromise session data and user information.

▪ CSRF: Allowed unauthorized actions without CSRF token protection.

2. Challenges Faced and How They Were Overcome:

▪ Challenge: Initially, identifying specific fields vulnerable to each type of attack required
testing and adjustments.

▪ Solution: Researched common injection points and consulted OWASP ZAP documentation,
which improved the accuracy of vulnerability identification.

3. Mitigation Recommendations:

▪ SQL Injection: Recommend using parameterized queries and input validation.

▪ XSS: Suggest implementing input sanitization and output encoding.

▪ CSRF: Advise using anti-CSRF tokens for all state-changing requests.

• Output: A detailed report summarizing each vulnerability, exploitation steps, and suggested
mitigations, along with screenshots of each successful exploitation attempt.
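The three findings explored in section 3 (the ' OR '1'='1 login bypass, the <script> comment, and the missing CSRF token) map one-to-one onto the three mitigation recommendations above. The following Python example is added here and is not part of the internship report or of Metasploitable 2; it uses an in-memory SQLite table with constructed sample rows and stand-in function names to show each vulnerable pattern beside its hardened form, so the effect of each recommendation can be checked by running it.

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed sample user table; not data from the report's target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real apps store hashes.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into SQL: the pattern ' OR '1'='1 defeats it,
    because the OR clause makes the WHERE condition true for every row."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds values, so input is never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def render_comment_vulnerable(comment):
    """Inserts raw text into HTML, so a <script> tag in the comment executes."""
    return "<p>" + comment + "</p>"


def render_comment_encoded(comment):
    """Output encoding: markup characters become entities and render as text."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def issue_csrf_token(session):
    """Generate a per-session token to embed in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf(session, submitted_token):
    """Reject state-changing requests whose token is missing or does not match
    the one stored in the session; compare_digest avoids timing leaks."""
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"  # the payload from the report, in the password field
    print("vulnerable login bypassed:", login_vulnerable(db, "nobody", bypass))
    print("parameterized login bypassed:", login_parameterized(db, "nobody", bypass))
    payload = '<script>alert("XSS")</script>'
    print(render_comment_vulnerable(payload))
    print(render_comment_encoded(payload))
    session = {}
    token = issue_csrf_token(session)
    print("forged request accepted:", check_csrf(session, None))
    print("legitimate request accepted:", check_csrf(session, token))
```

Running the block shows the concatenated query accepting a user that does not exist while the parameterized query rejects the same input, the encoded comment rendering the script tag as literal text, and the CSRF check refusing any request that does not carry the token stored in the session.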

5. Results and Outcomes

• Results:

o Successfully identified and exploited SQL Injection, XSS, and CSRF vulnerabilities.

o Gained hands-on experience with OWASP ZAP and Metasploitable 2, developing skills in
vulnerability identification and exploitation.

• Outcomes:

o This task strengthened my understanding of common web security flaws and demonstrated
the importance of secure coding practices.

o Prepared a comprehensive report to document findings, challenges, and recommendations,
offering insights for preventing similar vulnerabilities in future applications.

6. Conclusion

My internship has been an incredibly enriching experience. I delved deep into the world of cyber
security, gaining hands-on experience with tools like OWASP ZAP and Wireshark. This practical
exposure allowed me to understand and mitigate real-world security threats, from SQL Injection to
Cross-Site Scripting (XSS).

Professionally, this internship has helped me grow by enhancing my technical skills and reinforcing
the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.
The challenges I faced and the projects I worked on have sharpened my problem-solving abilities
and my analytical thinking.

For future interns, I recommend diving into every task with curiosity and enthusiasm. Engage
actively with your mentors and peers, seek feedback, and never hesitate to explore beyond the scope
of your assignments. This proactive approach will not only expand your knowledge but also help
you build a strong professional network.
