Semester 4

This document outlines a 60-hour module on Web Application Security and Hacking, covering web application basics, attacks, practical hacking techniques, countermeasures, and future trends. Participants will learn about HTTP/HTTPS, OWASP vulnerabilities, various attack methods like XSS and SQL injection, and secure coding practices. The module emphasizes hands-on experience with tools such as Burp Suite and Acunetix, and aims to equip learners with skills to identify, mitigate, and report web security risks.

For Semester 4

Module 04: Web Application Security and Hacking (60 Hours)

Unit 1: Web Application Basics (10 Hours)

Concepts:

1. HTTP/HTTPS and Web Architecture Basics:

o Fundamentals of HTTP/HTTPS protocols, status codes, and methods (GET, POST, PUT, etc.).

o SSL/TLS concepts and the role of certificates in secure communication.

o Overview of web architecture: client-server model, web servers, and APIs.

2. OWASP Top 10 Vulnerabilities Overview:

o Introduction to OWASP (Open Web Application Security Project).

o Explanation of the OWASP Top 10 vulnerabilities and their business impact.

o Understanding risks like injection, authentication flaws, and sensitive data exposure.

3. Introduction to Web Application Testing Tools:

o Overview of tools like Burp Suite, OWASP ZAP, and Acunetix.

o Setting up a testing environment using DVWA (Damn Vulnerable Web App).

o Basics of reconnaissance for web applications.

Practical Exercises:

• Exploring HTTP requests and responses using browser developer tools.

• Identifying OWASP Top 10 vulnerabilities in a simulated environment.

• Configuring and exploring Burp Suite for traffic interception.

Unit 2: Attacks on Web Applications (20 Hours)

Concepts:

1. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF):

o Understanding stored, reflected, and DOM-based XSS.

o Crafting and injecting malicious payloads for XSS attacks.

o Exploiting CSRF vulnerabilities and forging malicious requests.

2. SQL Injection Techniques and Evasion Strategies:

o Basics of SQL and how queries can be manipulated.

o Exploiting login bypass, UNION-based, and error-based SQL injection.

o Evading detection through obfuscation and alternative payloads.

3. File Inclusion and Code Injection Attacks:

o Understanding Local File Inclusion (LFI) and Remote File Inclusion (RFI).

o Exploiting vulnerable scripts to execute arbitrary code.

o Case study: PHP-based file inclusion vulnerabilities.

Practical Exercises:

• Identifying and exploiting XSS vulnerabilities in a test application.

• Performing SQL injection attacks on a vulnerable web application.

• Demonstrating LFI and RFI using test environments.

Unit 3: Practical Web Application Hacking (20 Hours)

Concepts:

1. Using Burp Suite for Testing Web Applications:

o Configuring Burp Suite for proxying and scanning.

o Manual testing of vulnerabilities: XSS, CSRF, and SQL injection.

o Using Burp Suite extensions for advanced testing.

2. Automating Tests with Tools like Acunetix and w3af:

o Overview of automated vulnerability scanning tools.

o Configuring and running scans on sample web applications.

o Analyzing results and identifying false positives.

3. Hands-On Lab: Exploiting Vulnerabilities in a Test Web Application:

o Setting up and attacking intentionally vulnerable applications like DVWA, Juice Shop, and bWAPP.

o Performing comprehensive vulnerability assessments.

o Exploiting vulnerabilities in authentication, session management, and data validation.

Practical Exercises:

• Running manual scans and exploiting vulnerabilities with Burp Suite.

• Conducting automated scans using Acunetix and analyzing reports.

• End-to-end lab: performing a full vulnerability assessment of a web application.

Unit 4: Countermeasures and Reporting (10 Hours)

Concepts:

1. Implementing Secure Coding Practices:

o Writing secure code to mitigate injection, XSS, and CSRF.

o Input validation, parameterized queries, and proper error handling.

o Secure session management techniques.

2. Web Application Firewall (WAF) Configuration:

o Role of WAFs in protecting web applications.

o Configuring WAFs like ModSecurity for OWASP Top 10 threats.

o Testing WAFs using penetration testing tools.

3. Preparing a Comprehensive Security Report:

o Structuring a professional security assessment report.

o Including details of findings, risk analysis, and remediation steps.

o Presentation of results to stakeholders.

Practical Exercises:

• Writing secure code samples to prevent XSS and SQL injection.

• Configuring and testing a WAF for a test application.

• Preparing a detailed security report based on lab exercises.

Unit 5: Case Studies and Future Trends in Web Security (10 Hours)

Concepts:

1. Case Studies:

o Analysis of major web security breaches: Yahoo, Equifax, and SolarWinds.

o Lessons learned and best practices for preventing such attacks.

2. Emerging Threats in Web Application Security:

o Understanding API security vulnerabilities.

o Rise of serverless computing and associated risks.

o Advanced evasion techniques used in modern attacks.

3. Future Trends in Web Security:

o Role of Artificial Intelligence and Machine Learning in web security.

o Introduction to DevSecOps for integrating security in CI/CD pipelines.

o Advances in secure coding frameworks and tools.

Practical Exercises:

• Discussing real-world breaches and their impact in group activities.

• Simulating attacks on APIs and serverless architectures.

• Researching and presenting on future web security trends.

Learning Outcomes:

By completing this module, participants will:

1. Understand core concepts of web application security and common vulnerabilities.

2. Gain hands-on experience with industry-standard tools for testing and securing web applications.

3. Develop skills to mitigate and report web security risks effectively.

4. Be equipped with knowledge of emerging threats and trends in web security.