CDAC Sample Project Main
COMPUTING (C-DAC),
THIRUVANANTHAPURAM, KERALA
A PROJECT REPORT ON
BY
Group Number - 01
TABLE OF CONTENTS
Introduction
Literature Survey
Methodology
a. Phases of security auditing
b. Tools
Result
Conclusion
References
ABSTRACT
INTRODUCTION
This Security Audit Project Report delves into the comprehensive assessment conducted to
evaluate the security posture of APJ Abdul Kalam Technological University (KTU)'s digital
ecosystem. The primary objective of this security audit was to systematically examine the
effectiveness of existing security measures, policies, and practices, and to recommend
improvements that align with industry best practices and regulatory requirements. By performing
a thorough analysis of the organization's information technology infrastructure, data handling
procedures, and access controls, this audit aims to provide actionable insights for enhancing the
organization's overall security framework.
The report is structured to provide a clear understanding of the audit scope, methodology
employed, findings uncovered, and subsequent recommendations. Additionally, it underscores
the importance of a security-centric mind-set within the organization's culture and emphasizes
the significance of continuous monitoring and adaptation to counter the ever-changing threat
landscape.
In the subsequent sections, we will explore the key aspects of the security audit, highlighting its
significance in the context of modern-day cyber threats and underscoring the collaborative efforts
undertaken by the audit team to ensure the confidentiality, integrity, and availability of APJ
Abdul Kalam Technological University (KTU)'s critical assets.
LITERATURE SURVEY
The OWASP Top 10 is a well-known list of the ten most critical security risks commonly
found in web applications. Including these in the Security Audit Project Report helps to
highlight the key vulnerability classes that should be addressed. The current edition at the
time of this audit is the 2021 list:
OWASP Top 10 Security Risks - 2021
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery
SCOPE AND OBJECTIVES
The scope of the project involves a comprehensive evaluation of KTU's digital infrastructure,
applications, and data protection mechanisms. The primary focus is on identifying
vulnerabilities, weaknesses, and potential threats that could compromise the confidentiality,
integrity, and availability of the website's resources. The security audit covers both
technical and operational aspects, including the assessment of software, network architecture,
user access controls, and adherence to relevant security standards and best practices. The
audit is carried out both manually and with current, legitimately obtained automated tools.
The project will also extend to evaluating user authentication mechanisms, encryption
practices, and incident response procedures. The audit will primarily concentrate on online
security, as the project is done completely online.
The main objective of the project is to identify the vulnerabilities by Conducting a thorough
assessment of the website's infrastructure to identify potential security vulnerabilities, such as
SQL injection, cross-site scripting (XSS), file upload vulnerabilities, password policy etc.
Further we aim to provide actionable recommendations and best practices to address identified
vulnerabilities and enhance the overall security posture and reputation of the website, thereby
enhancing user trust and safeguarding user data.
METHODOLOGY
The current security systems need to be tested for both substantive and compliance aspects.
Compliance testing is done to assess whether controls are being applied according to the
documentation offered by the client. It also checks if IT controls follow the compliance levels in
accordance with management procedures and policies. In substantive testing, the adequacy of the
controls is substantiated by whether they are able to protect the organization from cyber threats.
These tests need an in-depth understanding of the different kinds of threats such as unauthorized
access to assets including data, unusual interactions with the system, data corruption, inaccuracy
in information, etc. Application controls are application-specific controls and have a high impact
on individual transactions. These controls ensure and verify that all transactions are authorized,
safe, and recorded. To proceed with this phase of the audit, there is a need for a deep understanding
of the working of the system. For this analysis, a brief description of the application is required,
along with details of transactions including volume, involved data, and flow.
Most organizations use local area networks for their operations. This leads to the risk of access by
unauthorized users if the network is not monitored and protected properly. The fundamental
requirement of a network is to be accessible only by authorized users. Controls should be
implemented to prevent data corruption, data loss, or interception of data in transit.
IT Audit standards
The IT audit should comply with internationally accepted security standards. Some of these are
mentioned below:
ISO compliance: ISO publishes a range of standards covering reliability, quality and
safety. ISO/IEC 27001 specifies the requirements for an information security management
system and is the relevant standard for information security.
PCI DSS compliance: This standard applies to any organization that stores, processes or
transmits payment card data, and is necessary to ensure that card transactions are secure and
protected.
Phases of Security Audit
1. Planning phase
Planning is an integral part of any audit. In the beginning, planning is done to create a process flow
based on an initial reconnaissance of the entire system. The plan is updated according to the test
results of the initial assessment.
From the above steps, the auditor gains the information needed to define the objective and
scope of the audit in a clear and detailed format.
2. Risk assessment
The initial risk assessment forms an important part of the process and answers questions
pertaining to the three primary security goals: confidentiality, integrity and availability.
Risk assessment consists of ranking the potential threats from low to high, or on a quantitative
scale such as CVSS. The ranking depends on the severity of the issue with respect to the extent of
damage it can cause and the ease of exploitation. Vulnerabilities that are easy to exploit and those
causing a high degree of damage must be ranked comparatively higher.
3. Testing and evidence collection
Through rigorous testing and probing of the security infrastructure, various types of evidence are
gathered that must be interpreted to compile the results of the audit. There are various techniques
to test a system and obtain results. Evidence is mainly of three types:
Documentary evidence
System analysis
Observation of processes
4. Reporting
Proper documentation of the results forms an integral part of security audit methodology. The final
report should be in a very consumable format for stakeholders at all levels to understand and
interpret. It must contain details such as the audit plan, audit scope, tests carried out, findings and
detailed solutions, and next steps to remedy the security issues.
Reconnaissance
TOOLS
Following are the tools which we used to perform reconnaissance on website “ktu.edu.in” -
1) DNSdumpster
DNSdumpster is a free online passive reconnaissance tool that gathers DNS-related information
about a domain: subdomains, IP address blocks, mail servers and other records. It performs DNS
reconnaissance on target networks, and the lookups are made by the DNSdumpster service rather
than from the auditor's own machine. The results include a variety of information that is useful
for network reconnaissance, such as
Host subdomains
DNS records (MX, A, TXT)
Geo information (hosting provider and country)
Email (MX) configuration
It is an open source intelligence (OSINT) source for the networks of your choice. With its help,
users can identify the attack surface and potential weak points, analyse the security posture
of the network from passive DNS data, and reduce exposure before an attacker finds it.
Since it is a web-based service we only need to navigate to its URL and query our target.
Example - DNSdumpster query (screenshot)
DNSdumpster gives us information about MX records, TXT records and host records. The TXT
records section is where the Sender Policy Framework (SPF) configuration and other domain
verification records are found, while the MX records section lists the mail servers that
receive email for the domain, and the host records list the discovered subdomains with their
IP addresses.
At the end it presents a relational map that ties all of the records together.
Example -
2) SecurityTrails
SecurityTrails is a platform that provides current and historical DNS, WHOIS and subdomain
data for a domain, used for attack surface discovery and threat hunting.
Testing a large website manually is a very tedious task for a security tester, as every URL
has to be tested one by one. Automated tools help the tester find basic vulnerabilities
quickly so that their time can be spent on business logic and other security issues that
tools cannot find.
We made use of the following tools to perform automated and manual testing on the website
"ktu.edu.in" -
Nmap
Nmap (Network Mapper) is an open-source command-line tool, available for Linux, Windows and
macOS, that scans hosts and ports on a network and identifies the services and applications
behind them.
Nmap allows network admins to find which devices are running on their network, discover open
ports and services, and detect known vulnerabilities through its scripting engine.
There are a number of reasons why security professionals prefer Nmap over other scanning tools:
It maps out a network quickly without complex configuration, and supports both simple
commands (for example, to check whether a host is up) and complex scripting through the
Nmap Scripting Engine (NSE).
It quickly recognizes all the devices, including servers, routers, switches and mobile
devices, on single or multiple networks.
It identifies services running on a system, including web servers, DNS servers and other
common applications. With version detection (-sV) it reports application versions with
reasonable accuracy, which helps in matching them against known vulnerabilities.
With OS detection (-O) it reports the likely operating system and version, making it easier
to plan the next steps of a penetration test.
Example -
Result:
The Nmap tool was used to scan the domain "ktu.edu.in" with OS detection enabled (-O flag).
Nmap is a versatile network scanner that discovers open ports and services and, optionally,
the operating system of target hosts. OS detection needs raw-packet privileges, so on Linux
the scan is run as root (for example with sudo).
During the scan, Nmap sends a series of crafted TCP, UDP and ICMP probes to the target host
and analyzes the responses to infer the operating system. The inference is based on
characteristic quirks of the target's network stack (TCP options, initial window and
sequence behaviour, ICMP responses) matched against Nmap's fingerprint database.
The output of the scan lists the open ports and the services detected on them. Nmap's OS
detection reports its best guess about the operating system, with an accuracy percentage,
based on how closely the observed responses match a known fingerprint.
Note that OS detection is a heuristic and is not always accurate: firewalls, load balancers and
hardened network stacks can mask or alter the patterns it relies on, and a cloud-hosted web
site is often fronted by a device that is not the web server itself. The guess is still a
useful starting point for planning further tests.
In summary, the Nmap scan with OS detection on "ktu.edu.in" aims to identify the open ports,
services and the likely operating system of the target host, which helps in understanding the
network infrastructure and technology stack during the security assessment.
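As an added example (not part of the original report, and not code from the Nmap project), the following Python script parses the XML that Nmap writes with -oX and pulls out what an auditor records from a scan: the open ports with their service and version, the best OS match with its accuracy figure, and the plaintext services worth following up. The XML document embedded in the script is a constructed sample in Nmap's output format; the host address, ports and OS guess in it are made up and are not results from the audited site.

```python
"""Parse Nmap XML output (-oX) into open ports, services and the OS guess."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX - <host>` output (abridged); not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="21">
        <state state="filtered"/>
        <service name="ftp"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 5.0 - 5.4" accuracy="93"/>
      <osmatch name="Linux 4.15 - 5.6" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, open ports (service/version/TLS), best OS match."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        entry = {"address": addr_el.get("addr") if addr_el is not None else None,
                 "open_ports": [], "os_guess": None, "os_accuracy": 0}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not part of the attack surface
            svc = port.find("service")
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "tls": svc is not None and svc.get("tunnel") == "ssl",
            })
        # Nmap lists several candidate OS matches; keep the highest-accuracy one and
        # remember that the accuracy figure is a heuristic, not a certainty.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            entry["os_guess"] = best.get("name")
            entry["os_accuracy"] = int(best.get("accuracy"))
        hosts.append(entry)
    return hosts


def flag_unencrypted_services(host):
    """Ports an auditor follows up on: cleartext protocols exposed without TLS."""
    plaintext = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}
    return sorted(p["port"] for p in host["open_ports"]
                  if p["service"] in plaintext and not p["tls"])


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["address"], "OS guess:", h["os_guess"], f"({h['os_accuracy']}%)")
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product'] or ''} {p['version'] or ''}")
        print("  follow up (cleartext services):", flag_unencrypted_services(h))
```

The script reads the XML from a string so that it runs offline; in practice it is fed the file written by nmap -oX. Only ports in state "open" are kept, and port 443 is not flagged as cleartext because Nmap marks it with tunnel="ssl".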
Nessus
Nessus is a widely used network vulnerability scanner developed by Tenable. It is a commercial
product (a free Nessus Essentials edition exists for small-scale use), and its findings reference
Common Vulnerabilities and Exposures (CVE) identifiers, which allows easy cross-linking with
other CVE-compatible security tools. Nessus is one of the many vulnerability scanners used during
vulnerability assessments and penetration testing engagements, and attackers use the same kind of
scanner to find weaknesses. It checks computers to find vulnerabilities that hackers could exploit.
Nessus works by testing each port on a computer, determining what service it is running, and
then testing this service to make sure there are no vulnerabilities in it that could be used by a
hacker to carry out a malicious attack.
Nessus can scan these vulnerabilities and exposures:
Example -
OWASP ZAP
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner.
It is intended to be used by both those new to application security as well as professional
penetration testers.
It has been one of the most active Open Web Application Security Project (OWASP) projects and
has been given Flagship status.
When used as a proxy server it allows the user to manipulate all of the traffic that passes through
it, including traffic using HTTPS.
It can also run in a daemon mode which is then controlled via a REST API.
Features
Some of the built in features include:
Example -
Skipfish
Example -
Nikto
Nikto is an open source web server and web application scanner. Nikto performs
comprehensive tests against web servers for multiple security threats, including checks for over
6,700 potentially dangerous files and programs. Nikto also checks for outdated web server
software and version-specific problems.
Result:
The `nikto` tool was used to scan the web server of the domain "ktu.edu.in". `nikto` identifies
potential vulnerabilities and misconfigurations by sending a series of requests to the web server
and analysing the responses.
The scan covers known vulnerable files and programs, outdated server software, missing
security headers and other misconfigurations. The output lists the server banner, discovered
directories and files, and server-specific issues such as outdated software versions, insecure
configuration or exposed sensitive information.
It is important to note that `nikto` is a signature-based scanner and is noisy: it reports potential
issues, many of which are informational or false positives, and it does not confirm that a
vulnerability is exploitable. Each reported item should be verified manually before it is
recorded as a finding.
In summary, the `nikto` scan on "ktu.edu.in" aims to uncover potential vulnerabilities and
misconfigurations on the web server, giving administrators and security professionals a view of
its current security state so that appropriate mitigations can be taken.
Example -
Vega
Vega is a free and open source web security scanner and web security testing platform to test the
security of web applications. Vega can help you find and validate SQL Injection, Cross-Site
Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is
written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega can help you find vulnerabilities such as: reflected cross-site scripting, stored cross-site
scripting, blind SQL injection, remote file include, shell injection, and others. Vega also probes
for TLS / SSL security settings and identifies opportunities for improving the security of your
TLS servers.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical
inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other
vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.
Example -
Burpsuite
Burp or Burp Suite is a set of tools used for penetration testing of web applications. It is the
most popular tool among professional web app security researchers and bug bounty hunters.
1. Spider:
It is a web spider/crawler that is used to map the target web application. The objective of the
mapping is to get a list of endpoints so that their functionality can be observed and potential
vulnerabilities can be found. Spidering is done for a simple reason that the more endpoints you
gather during your recon process, the more attack surfaces you possess during your actual
testing.
2. Proxy:
BurpSuite contains an intercepting proxy that lets the user see and modify the contents of
requests and responses while they are in transit. It also lets the user send the request/response
under monitoring to another relevant tool in BurpSuite, removing the burden of copy-paste.
The proxy server can be adjusted to run on a specific loop-back ip and a port. The proxy can
also be configured to filter out specific types of request-response pairs.
3. Intruder:
It is a fuzzer. This is used to run a set of values through an input point. The values are run and
the output is observed for success/failure and content length. Usually, an anomaly results in a
change in response code or content length of the response. BurpSuite allows brute-force,
dictionary file and single values for its payload position. The intruder is used for:
Brute-force attacks on password forms, pin forms, and other such forms.
The dictionary attack on password forms, fields that are suspected of being
vulnerable to XSS or SQL injection.
Testing and attacking rate limiting on the web-app.
4. Repeater:
Repeater lets a user send requests repeatedly with manual modifications. It is used to find out:
Whether the user-supplied values are being validated.
If user-supplied values are being validated, how well this is done.
What values the server expects in an input parameter or request header.
How the server handles unexpected values.
Whether input sanitization is applied by the server.
How well the server sanitizes the user-supplied inputs.
What sanitization style the server uses.
Among all the cookies present, which one is the actual session cookie.
5. Sequencer:
The sequencer is an entropy checker that checks for the randomness of tokens
generated by the webserver. These tokens are generally used for authentication in
sensitive operations: cookies and anti-CSRF tokens are examples of such tokens.
Ideally, these tokens must be generated in a fully random manner so that the
probability of appearance of each possible character at a position is distributed
uniformly. This should be achieved both bit-wise and character-wise.
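The per-position check described above can be reproduced outside Burp. The Python script below is an added example (it is not part of the report and not Burp Suite's own Sequencer code): it computes the Shannon entropy of the character seen at each position across a sample of tokens and reports the positions that carry far less than the alphabet allows. The two token sets are constructed for the illustration: one comes from a cryptographically secure generator, the other from a deliberately bad scheme (a fixed prefix plus a counter) of the kind the analysis is meant to expose.

```python
"""Sequencer-style token randomness check: per-position character entropy."""
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, log2(62) ~ 5.95 bits max


def shannon_entropy_bits(symbols):
    """Shannon entropy (bits per symbol) of an observed sequence of symbols."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def position_entropy(tokens):
    """Entropy of the character at each position, measured across a sample of tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(length)]


def weak_positions(tokens, min_bits=3.0):
    """Positions whose entropy is far below the alphabet maximum: fixed, counter-like or narrow.
    min_bits=3.0 is an assumed threshold for this example (8 equally likely symbols)."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < min_bits]


def random_tokens(n, length=16):
    # Good generator: every position is drawn uniformly from the 62-character alphabet
    # using the OS CSPRNG, which is what a session token generator should do.
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


def predictable_tokens(n, length=16):
    # Bad generator (constructed for illustration): a fixed prefix and a zero-padded
    # counter. Most positions never change, and the last ones only count upwards.
    return ["SESS" + str(i).zfill(length - 4) for i in range(n)]


if __name__ == "__main__":
    for name, sample in (("CSPRNG", random_tokens(500)), ("counter", predictable_tokens(500))):
        print(name, "weak positions:", weak_positions(sample))
```

With 500 counter tokens, positions 0 to 13 are reported as weak (the prefix, the padding zeros and the hundreds digit, which only takes five values), while the tens and units digits look uniform on their own. That is the point of a positional analysis: a token can contain a few well-distributed characters and still be trivially guessable, so the whole token, not its best positions, has to be judged.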
6. Decoder:
Decoder encodes and decodes data in the common encodings such as URL, HTML, Base64 and Hex.
This tool comes in handy when inspecting encoded chunks of data in parameter values or
headers, and for constructing payloads for various vulnerability classes. Decoding identifiers
and tokens found in requests is often the first step in spotting IDOR candidates and in
assessing whether a session token is predictable.
7. Extender:
BurpSuite supports external components to be integrated into the tools suite to enhance
its capabilities. These external components are called BApps. These work just like browser
extensions. These can be viewed, modified, installed, uninstalled in the Extender window.
When a user entered their credentials we intercepted the login request with Burp Suite and
observed the username and password in clear text in the request body. Note that an intercepting
proxy always shows the decrypted request, since it terminates TLS itself; this is a risk only
where the login form is submitted over plain HTTP (an http:// URL, typically port 80). In that
case an attacker on the network path can read or modify the credentials in transit, that is, a
man-in-the-middle (MITM) attack, so login forms must be served and submitted over HTTPS only.
Result:
Also, the protocol used for data communication with the web server was HTTP/1.1. HTTP/1.1 was
not designed with modern performance considerations in mind. While HTTP/1.1 supports
compression through the Accept-Encoding header, it does not mandate its use, so a response
can be sent uncompressed, leading to slower data transfer. HTTP/1.1 itself provides no
confidentiality or integrity; those come from TLS, whichever HTTP version is used.
It is worth noting that many of the limitations of HTTP/1.1 have been addressed in subsequent
versions, most notably HTTP/2 and HTTP/3. These newer protocols introduce multiplexing,
header compression and other optimizations to improve speed, and because browsers only
implement HTTP/2 and HTTP/3 over TLS, deploying them also guarantees encrypted transport.
SQL Injection
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere
with the queries that an application makes to its database. It generally allows an attacker
to view data that they are not normally able to retrieve. This might include data belonging
to other users, or any other data that the application itself is able to access. In many cases,
an attacker can modify or delete this data, causing persistent changes to the application's
content or behavior. In some situations, an attacker can escalate a SQL injection attack to
compromise the underlying server or other back-end infrastructure, or perform a denial-
of-service attack.
A successful SQL injection attack can result in unauthorized access to sensitive data, such as
passwords, credit card details, or personal user information. Many high-profile data breaches
in recent years have been the result of SQL injection attacks, leading to reputational damage
and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an
organization's systems, leading to a long-term compromise that can go unnoticed for an
extended period.
Example -
How to detect SQL injection vulnerabilities
The majority of SQL injection vulnerabilities can be found quickly and reliably
using Burp Suite's web vulnerability scanner.
SQL injection can be detected manually by using a systematic set of tests against every
entry point in the application. This typically involves:
Submitting the single quote character ' and looking for errors or other anomalies.
Submitting some SQL-specific syntax that evaluates to the base (original) value
of the entry point, and to a different value, and looking for systematic differences
in the resulting application responses.
Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking
for differences in the application's responses.
Submitting payloads designed to trigger time delays when executed within a SQL
query, and looking for differences in the time taken to respond.
Submitting out-of-band application security testing (OAST) payloads designed to trigger
an out-of-band network interaction (for example a DNS lookup) when executed within a
SQL query, and monitoring for any resulting interactions.
Example:
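The first two manual tests from the list above (the single quote and the Boolean pair) are worked through in the Python script below. It is an added example, not code from the report or from the audited site: the "application" is a constructed SQLite-backed product lookup with two implementations, one that splices the category parameter into the SQL string and one that binds it as a parameter, and the probe function applies the tests to whichever endpoint it is given and reports which detection signals fired.

```python
"""Systematic SQL injection probe against a simulated endpoint, beside the parameterised fix."""
import sqlite3


def make_db():
    # Constructed data: one unreleased row that a correct query must never list.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT, released INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Gift card", "Gifts", 1),
        (2, "Secret draft", "Gifts", 0),
        (3, "Mug", "Homeware", 1),
    ])
    return db


def vulnerable_lookup(db, category):
    """Vulnerable: user input is spliced into the SQL text, so quotes and comments are parsed."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    try:
        return {"status": 200, "body": [r[0] for r in db.execute(sql)]}
    except sqlite3.Error as e:
        return {"status": 500, "body": str(e)}   # the database error surfaces as a 500


def safe_lookup(db, category):
    """Hardened: the value is passed as a bound parameter and is never parsed as SQL."""
    rows = db.execute("SELECT name FROM products WHERE category = ? AND released = 1", (category,))
    return {"status": 200, "body": [r[0] for r in rows]}


def probe_sqli(endpoint, base_value):
    """Return the detection signals observed for one entry point.

    endpoint(value) -> {"status": int, "body": ...}; base_value is a known-good input.
    """
    baseline = endpoint(base_value)
    signals = []
    # 1. Single quote: a changed status (here a database error) suggests the quote reached
    #    the SQL parser instead of being treated as data.
    if endpoint(base_value + "'")["status"] != baseline["status"]:
        signals.append("quote_error")
    # 2. Boolean pair: if the injected condition is evaluated, a true and a false condition
    #    produce systematically different responses; if it is just data, they are identical.
    true_resp = endpoint(base_value + "' OR 1=1--")
    false_resp = endpoint(base_value + "' OR 1=2--")
    if true_resp["body"] != false_resp["body"]:
        signals.append("boolean_difference")
    return signals


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_sqli(lambda v: vulnerable_lookup(db, v), "Gifts"))
    print("safe:      ", probe_sqli(lambda v: safe_lookup(db, v), "Gifts"))
    # The true-branch payload also comments out the released=1 filter and leaks the draft row.
    print("leaked rows:", vulnerable_lookup(db, "Gifts' OR 1=1--")["body"])
```

Against the vulnerable endpoint both signals fire and the OR 1=1 payload returns every row, including the unreleased one; against the parameterised endpoint the same payloads are merely categories that match nothing, so the responses stay identical. In a real test the same comparison is made on response status, length and content, since applications rarely echo the database error as cleanly as this simulation does.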
Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected
into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser-side script, to a different
end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a
web application uses input from a user within the output it generates without validating or
encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end
user's browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any
cookies, session tokens, or other sensitive information retained by the browser and used with that
site. These scripts can even rewrite the content of the HTML page.
There are three main types of XSS:
Reflected XSS, where the malicious script comes from the current HTTP request.
Stored XSS, where the malicious script comes from the website's database.
DOM-based XSS, where the vulnerability exists in client-side code rather than
server-side code.
Example -
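The output-encoding point above is shown in the Python script below, an added example that is not from the report and not the audited site's code. Two constructed stand-ins for a search page render the same query parameter, one unchanged and one HTML-encoded at the point of output, and a reflection check of the kind an auditor runs first on every reflected parameter reports which HTML-significant characters come back unencoded.

```python
"""Reflected XSS: vulnerable rendering beside output encoding, plus the reflection check."""
import html


def render_vulnerable(query):
    # Vulnerable: the request parameter is inserted into the HTML unchanged.
    return f"<p>Results for: {query}</p>"


def render_hardened(query):
    # Hardened: HTML entity encoding at the point of output, so < > & " ' are inert text.
    # This is the correct encoding for an HTML text or quoted-attribute context; a value
    # placed inside a <script> block or a URL needs its own, different encoding.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


PAYLOAD = "<script>alert(document.cookie)</script>"


def payload_survives(render):
    """True if the classic payload appears as live markup in the response."""
    return PAYLOAD in render(PAYLOAD)


def unencoded_reflections(render):
    """For each HTML-significant character, check whether it is reflected unencoded between
    two canary markers. An empty list means the text context is encoded, so a payload
    cannot break out of it."""
    found = []
    for ch in '<>"\'&':
        canary = f"zq9{ch}zq9"       # unusual marker, so a match is not a coincidence
        if canary in render(canary):
            found.append(ch)
    return found


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, "payload survives:", payload_survives(render),
              "unencoded:", unencoded_reflections(render))
```

The canary probe is more informative than firing a script tag straight away: it tells the tester which characters survive, and therefore which contexts (text, attribute, script) are still reachable when the obvious payload is blocked by a filter.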
RESULT
Reflected XSS
Result
After a thorough assessment of the website's security, we attempted reflected XSS attacks
against the parameters we identified but were unable to find any vulnerability of this nature.
This is a positive outcome for the website's security posture, as it indicates that the
developers have taken appropriate steps to mitigate the risk of reflected XSS. The absence of
findings in one assessment is not proof of absence, however, so it is essential to continue
conducting regular security audits and testing to stay vigilant against emerging threats and
maintain a robust defence against potential vulnerabilities.
Stored XSS
Upon conducting a thorough examination of the website's features and input fields, we
found no areas where user input is stored and later displayed to other users. The website
provides a static FAQ (Frequently Asked Questions) section rather than an interactive Q&A
(question and answer) section, and no comment section was found. The absence of such input
areas removes the usual entry points for stored XSS, and as a result we were unable to identify
any opportunity for a stored XSS attack on the website.
The absence of potential stored XSS vulnerabilities is a positive outcome, indicating
that the website's developers have limited the places where user-supplied content is persisted
and rendered. Regular security assessments and ongoing monitoring remain essential to
maintain the website's security posture as features are added.
File Upload
The website exposes no upload-related input fields to public users, and content is published
only under the administrator's close oversight, so we found no avenue for attackers to upload
malicious files or content. This effectively mitigates the risk of file upload vulnerabilities.
However, it is crucial to continue proactive security measures, such as regular updates and
assessments, to ensure the ongoing protection of the website's integrity and user data.
Password Policies
Result
The password policy shown in the registration form screenshot is too weak. The policy only
requires the password to contain at least one letter, one number and one special character,
and to be at least 6 characters long. This is not enough to produce passwords that are
difficult to guess.
The weaknesses of this password policy are:
The requirement for one letter, one number and one special character is satisfied by
predictable patterns such as "Abc@123" or "Pass@123", which cracking tools try first.
The minimum length of 6 characters is too short. A strong password should be at
least 12 characters long.
The policy does not prohibit dictionary words, commonly used passwords or personal
information, which makes it easier for attackers to guess the password.
To improve the security of the password policy, the following changes can be made:
Increase the minimum length of the password to 12 characters.
Prohibit the use of dictionary words, known breached passwords and personal information.
Require the password to contain a mix of upper and lowercase letters, numbers and
special characters.
Rather than forcing a change every 90 days (routine expiry is no longer recommended by
NIST SP 800-63B because it pushes users towards predictable variations), require a change
when there is evidence of compromise, and rate-limit or lock out repeated failed logins.
By making these changes, the password policy will be more secure and help to protect users
from password attacks.
Here are some additional tips for users on creating strong passwords:
Do not use the same password for multiple accounts.
Avoid easily guessed passwords, such as your name, birthday or address.
Use a password manager to generate and store strong passwords.
Be careful about clicking on links in emails or opening attachments, as phishing is a
common way to steal passwords.
By following these tips, users can keep their passwords secure and protect their online
accounts from attack.
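The observed policy and the recommended one are written out as checks in the Python script below. It is an added example, not the site's registration code: the observed rules are the ones described in this section, the stronger rules are the recommendations above, and the list of common passwords is a constructed short stand-in for a real breached-password list such as the one a production system would query.

```python
"""The observed password policy beside a stronger one, written as validation functions."""
import re
import string

# Constructed stand-in for a breached/common-password list; real deployments use a
# large list (or an API over one) rather than a handful of entries.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "welcome", "admin"}
DECORATION = "[" + re.escape(string.digits + string.punctuation) + "]+"


def observed_policy(pw):
    """Policy found during the audit: at least 6 characters, one letter, one digit, one special."""
    return (len(pw) >= 6
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and any(c in string.punctuation for c in pw))


def recommended_policy(pw, personal_info=()):
    """Stronger policy. Returns the list of reasons for rejection; an empty list means accepted.

    personal_info: strings taken from the registration form (name, date of birth, ...) that
    must not appear in the password.
    """
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        reasons.append("needs both upper and lower case")
    if not re.search(r"\d", pw):
        reasons.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        reasons.append("needs a special character")
    # Strip leading/trailing digits and symbols so that "Password@123" is still caught
    # as the dictionary word it is built from: the composition rules alone would pass it.
    core = re.sub(DECORATION + "$", "", re.sub("^" + DECORATION, "", pw.lower()))
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("dictionary/common password")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            reasons.append(f"contains personal information ({item})")
    # No expiry rule here: passwords are changed on evidence of compromise, not on a timer.
    return reasons


if __name__ == "__main__":
    for pw in ("Abc@12", "Password@123", "Arun@Summer2024", "v9!Lantern-quay-Orbit"):
        print(f"{pw!r}: observed={observed_policy(pw)}, "
              f"recommended={recommended_policy(pw, personal_info=('Arun',)) or 'accepted'}")
```

"Password@123" is the instructive case: it satisfies every composition rule of the observed policy (and the length and character-class rules of the stronger one), and only the dictionary check rejects it. That is why the recommendation adds a blocklist rather than relying on more character classes.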
Dnsdumpster result
The DNSdumpster output (screenshot) contains a table of the subdomains found for the domain.
The table includes the following information for each subdomain:
Hostname: The name of the subdomain.
IP Address: The IP address the subdomain resolves to.
Reverse DNS: The reverse DNS record for that IP address.
Netblock Owner: The owner of the netblock (IP range) that the subdomain is hosted on.
Country: The country where the subdomain is hosted.
Tech/Apps: The web server technology or application detected on the subdomain.
HTTP/Title: The title of the page served by the subdomain over HTTP.
HTTPS/Title: The title of the page served by the subdomain over HTTPS.
FTP/SSH/Telnet: Whether the subdomain responds on FTP, SSH or Telnet.
HTTP Other: Other details taken from the HTTP response.
The subdomains in the screenshot are all hosted on Amazon Web Services (AWS) in India. The
majority of the subdomains use the Apache web server, but a few use Nginx. All of the
subdomains are accessible over HTTP, but only a few of them are accessible over HTTPS.
The most interesting subdomain is malaysiam.ktu.edu.in. It is hosted on a different netblock
than the other subdomains and runs the Microsoft IIS web server, which suggests that it is
used for a different purpose and is maintained separately from the rest.
Overall, the subdomains in the screenshot are relatively benign. However, it is always important
to keep track of the subdomains associated with your domain: a forgotten or separately
maintained host typically runs older software and may lack HTTPS, and a DNS record left
pointing at a decommissioned cloud resource can be claimed by an attacker (subdomain takeover).
Here are some additional things you can do to protect your website from subdomain attacks:
Keep an inventory of all subdomains and remove DNS records for decommissioned hosts.
Use strong passwords and multi-factor authentication for the admin accounts of every host.
Keep the software on every subdomain up to date, not only on the main website.
Serve every subdomain over HTTPS and use a firewall to block unauthorized access.
Monitor all subdomains for suspicious activity.
By following these tips, you can help to keep your website secure from subdomain attacks.
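The triage that this section does by eye (which hosts lack HTTPS, which expose cleartext management protocols, which sit outside the main hosting block) is automated in the Python script below. It is an added example, not part of the report and not DNSdumpster's code; the table it reads is a constructed sample that mimics the columns of the DNSdumpster host listing, using the reserved name uni.example and documentation IP ranges rather than the audited domain's hosts.

```python
"""Triage of a DNSdumpster-style subdomain table: what an auditor should follow up."""
import csv
import io
from collections import Counter

# Constructed sample in the shape of the DNSdumpster host listing (not real data).
SAMPLE_TABLE = """hostname,ip,netblock_owner,country,tech,http_title,https_title,ftp_ssh_telnet
www.uni.example,203.0.113.10,Amazon Data Services India,IN,Apache,Home,Home,
portal.uni.example,203.0.113.11,Amazon Data Services India,IN,Apache,Student Portal,,SSH
old-exam.uni.example,203.0.113.12,Amazon Data Services India,IN,Nginx,Index of /,,FTP;Telnet
alumni.uni.example,198.51.100.7,Other Hosting Ltd,IN,Microsoft IIS,Alumni,Alumni,
"""


def load_table(text):
    """Parse the CSV export into one dict per host."""
    return list(csv.DictReader(io.StringIO(text)))


def stack_summary(rows):
    """How many hosts run each web technology; the outliers deserve a separate look."""
    return Counter(r["tech"] for r in rows)


def triage(rows):
    """Map each hostname to the list of issues an auditor should follow up on."""
    majority_owner = Counter(r["netblock_owner"] for r in rows).most_common(1)[0][0]
    findings = {}
    for r in rows:
        issues = []
        if not r["https_title"]:
            issues.append("no HTTPS")                       # credentials and sessions in the clear
        for proto in r["ftp_ssh_telnet"].split(";"):
            if proto in ("FTP", "Telnet"):                  # cleartext management protocols
                issues.append(f"{proto} exposed")
        if r["http_title"].startswith("Index of"):
            issues.append("directory listing exposed")      # default index page left enabled
        if r["netblock_owner"] != majority_owner:
            issues.append(f"hosted outside the main netblock ({r['netblock_owner']})")
        findings[r["hostname"]] = issues
    return findings


if __name__ == "__main__":
    rows = load_table(SAMPLE_TABLE)
    print("web stack:", dict(stack_summary(rows)))
    for host, issues in triage(rows).items():
        print(host, "->", issues or "nothing to follow up")
```

The netblock check reproduces the reasoning used above for the IIS host: a subdomain hosted away from the rest is not a vulnerability in itself, but it is usually administered separately and is the first place to look for an outdated stack or a dangling DNS record.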
Result:
The `httprint` tool was used to fingerprint the web server of the domain "ktu.edu.in" using the
signature set in the "signatures.txt" file. `httprint` is a security tool designed for
fingerprinting web servers based on their HTTP responses.
The tool sends a set of HTTP requests to the server and compares the responses (header order,
status codes, handling of malformed requests and similar traits) against the predefined
signatures in "signatures.txt". This matching lets `httprint` infer the web server software
and version (for example Apache, Nginx or IIS) even when the Server header has been changed
or removed, since the fingerprint is based on behaviour rather than on the banner alone.
The exact results depend on the signatures included in the file and on the responses obtained
from the target. The output reports the closest matching signatures with a confidence score. If
no match is found, either the server does not correspond to any signature in the (now dated)
signature file, or a reverse proxy, load balancer or web application firewall in front of the
server is answering on its behalf and masking its fingerprint.
In summary, the use of `httprint` on "ktu.edu.in" with "signatures.txt" aims to identify the
web server software and version behind the domain from its HTTP behaviour, contributing to a
better understanding of the technology stack from a security and configuration perspective.
Hping for DOS (Denial of Service) attack
Result:
hping (hping3) is a command-line packet crafting tool that can send TCP, UDP and ICMP packets
at a high rate, which is why it is used to test how a host behaves under a flood. Such a test is
disruptive by nature, so when learning about network testing tools like `hping` it is essential
to do so in a responsible and ethical manner. Always ensure that you have explicit, written
permission from the target network owner before performing any kind of flood, scan or other
network test.
CONCLUSION
We conclude that the project we undertook, i.e. the security audit of the website https://ktu.edu.in
using the OWASP methodology for identifying vulnerabilities and potential security threats in the
website, has followed a thorough and systematic process for identifying vulnerabilities and
carrying out the required analysis.
The OWASP Top 10 is a prioritized list of the ten most critical website vulnerability classes. It
helps in assessing security risks and is used as the baseline for the required website vulnerability
testing. The approach helps to improve the security of the application and reduces risk by providing
mitigations against potential cyber attacks and data theft.
It is an underlying fact that website application testing is a repetitive process, since it is not
possible to have a foolproof secure website: cyber criminals keep coming up with new and complex
ways to exploit the application and thereby impact its smooth functioning. Therefore, a yearly or
half-yearly website security audit should be carried out to keep the website protected from
emerging cyber threats and associated cyber attacks.
REFERENCES
1. https://owasp.org/www-project-top-ten/
2. https://cheatsheetseries.owasp.org/IndexTopTen.html
3. https://portswigger.net/web-security/cross-site-scripting
4. https://github.com/payloadbox/sql-injection-payload-list
5. https://www.kali.org/tools/nmap/
6. https://www.kali.org/tools/nikto/
7. https://www.kali.org/tools/sqlmap/