
NETWORK AND INFORMATION SECURITY (NIS - 22620)

MICROPROJECT REPORT ON

“WEB APPLICATION SECURITY TESTING”

SUBMITTED BY:

Roll No. | Name of Student | Enrollment No.
25 | Harshal Dattatray Kakade | 2211690052

UNDER THE GUIDANCE OF

PROF. BEDARE A. G.

DEPARTMENT OF COMPUTER ENGINEERING

HSBPVT’S PARIKRAMA POLYTECHNIC, KASHTI


MAHARASHTRA STATE BOARD OF TECHNICAL EDUCATION

DEPARTMENT OF COMPUTER ENGINEERING

HSBPVT’S PARIKRAMA POLYTECHNIC, KASHTI

CERTIFICATE

This is to certify that Mr./Ms. ______________________, Roll No. ______, of the Sixth Semester of the Diploma in Computer Engineering at HSBPVT’S PARIKRAMA POLYTECHNIC, KASHTI (Code: 1169), has satisfactorily completed the micro-project in the course NETWORK AND INFORMATION SECURITY (NIS - 22620) for the academic year 2024-2025 as prescribed in the curriculum.

Place:
Date:

Subject Teacher          H.O.D.          Principal


INDEX

Sr. No. | Title
1 | Introduction
2 | Project Objective
3 | Theoretical Background
4 | Project Methodology
5 | Screenshot and Risk Analysis
6 | Conclusion
7 | References


INTRODUCTION

OVERVIEW OF WEB APPLICATION SECURITY

Web applications are a key part of modern technology, enabling online shopping, banking, communication, and more. However, being reachable over the Internet also exposes them to cyber-attacks. Web application security is the set of practices and tools used to protect websites and web applications from threats and exploitation.

Cybercriminals target vulnerabilities in web applications to gain unauthorized access, steal data, or cause disruption. Securing these applications is therefore vital to maintaining data privacy, user trust, and system integrity.

What is Web Application Security Testing?

Web Application Security Testing is the process of examining a website or web application to find and fix security weaknesses before attackers can exploit them.

IMPORTANCE OF SECURITY TESTING

Security testing is essential because it:

- Identifies vulnerabilities before attackers do.
- Helps meet legal and industry requirements such as GDPR and PCI DSS.
- Prevents data leaks and the financial losses that follow them.
- Strengthens the trust of users and stakeholders.
- Enables early detection and cost-effective mitigation of risks.

Why is it important?

- To protect user data (passwords, personal information, payment details).
- To prevent attacks such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
- To ensure the website is safe and trusted by its users.
- To avoid financial loss or legal consequences from data breaches.

What does it involve?

1. Scanning for vulnerabilities: finding weak spots in the code or configuration.
2. Penetration testing: acting like an attacker to see how far one can get.
3. Code review: checking the source code for insecure coding practices.
4. Authentication testing: making sure login and session handling are secure.
5. Input validation testing: ensuring data from users is handled safely.

✅ Final Goal
To make sure the web application is secure, reliable, and resistant to attacks.


PROJECT OBJECTIVE

AIM OF THE PROJECT

To test a web application for common security vulnerabilities using both manual and automated tools, and to analyze the findings in order to strengthen the application's security.

The main objective of this project is to identify and fix security vulnerabilities in a web application so that it is protected from cyber-attacks. This includes testing the application for common threats such as SQL Injection, XSS, CSRF, and broken authentication, in order to protect user data, maintain privacy, and improve the overall security of the application.

SCOPE AND LIMITATIONS

Scope:

- Focuses on the known vulnerability classes listed in the OWASP Top 10.
- Uses tools such as Burp Suite, OWASP ZAP, and Nikto.
- Covers basic manual testing techniques.

Limitations:

- Testing is limited to applications for which explicit permission to test has been granted (ethical hacking).
- Advanced persistent threats and zero-day exploits are not covered.

THEORETICAL BACKGROUND

COMMON WEB APPLICATION VULNERABILITIES

- SQL Injection: manipulating SQL queries through user input to read or modify data the application did not intend to expose.
- Cross-Site Scripting (XSS): injecting malicious scripts into web pages that are then viewed, and executed, by other users.
- Broken Authentication: flaws in login or session management that allow unauthorized access.
- Cross-Site Request Forgery (CSRF): forcing a logged-in user's browser to perform unwanted actions on a web application.

OWASP Top 10 Overview (2021 edition)

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)


Web applications are widely used for services such as online banking, shopping, and social media. Because they handle sensitive user data, their security is a major concern. When a web application is not properly secured, it can be vulnerable to attacks such as:

- SQL Injection (SQLi): attackers read, modify, or delete data in the database by injecting SQL through user input.
- Cross-Site Scripting (XSS): attackers insert harmful scripts into web pages viewed by other users.
- Cross-Site Request Forgery (CSRF): tricks users into performing actions they did not intend.
- Broken Authentication: weak login or session handling allows unauthorized access.

To find these weaknesses before an attacker does, Web Application Security Testing is performed. It involves checking:

- How the application handles user input
- How securely it manages sessions and logins
- Whether data is encrypted and properly protected
- Whether the application follows secure coding practices

Tools such as OWASP ZAP and Burp Suite help testers find vulnerabilities in the application itself, while Nmap identifies the hosts, open ports, and services around it during reconnaissance; fixing what they find remains the developer's job. Security testing follows guidelines such as the OWASP Top 10, which lists the most common and critical web security issues.

PROJECT METHODOLOGY

TEST ENVIRONMENT SETUP

a. OS: Kali Linux (for penetration testing tools)
b. Browser: Mozilla Firefox
c. Web Application: DVWA (Damn Vulnerable Web App) installed on localhost
d. Network: isolated lab environment for ethical testing

SELECTION OF TARGET WEB APPLICATION

DVWA was selected because it is intentionally vulnerable and safe to test against without legal or ethical issues.

STEP-BY-STEP TESTING PROCEDURE

1. Planning and Information Gathering
- Understand the structure and features of the web application.
- Identify the technologies used (PHP, JavaScript, the database, and so on).
- Collect basic information such as URLs, forms, input fields, and cookies.

2. Threat Modeling
- List the threats that could affect the application (SQL Injection, XSS, CSRF).
- Focus on areas where sensitive data is handled (login pages, forms, the database).

3. Vulnerability Scanning
- Use tools such as OWASP ZAP or Burp Suite to scan the application for known security issues.
- Identify weak spots in the code, inputs, or configuration.

4. Manual Testing
- Try to exploit the identified weaknesses as an attacker would (penetration testing).
- Test login systems, form validation, and session handling.

5. Analysis and Reporting
- Document the vulnerabilities found and rate how serious each one is.
- Provide screenshots, descriptions, and possible solutions.

6. Fixing and Retesting
- Apply security fixes (for example input validation, parameterized queries, or stronger authentication).
- Retest the application to confirm the issues are resolved and that the fix did not introduce new ones.


SCREENSHOT

RISK ANALYSIS

a. SQL injection (SQLi) poses a high risk because it may give an attacker direct access to the database.
b. XSS is a medium risk; it can be used for phishing or session hijacking.
c. Server information exposure is a low risk on its own, but it aids attackers during reconnaissance.
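Item (c) rates server information exposure as a low risk that helps reconnaissance, and the risk table that follows lists security misconfiguration as a separate medium-rated item. The block below is an added example, not part of the report, of how a tester checks both from raw HTTP response headers: version banners in Server and X-Powered-By are reported as Low, and missing protective headers as Medium. The two responses and the list of expected headers are constructed for the example, not captured from DVWA.

```python
# Added example (not part of the original report): the "server information exposure"
# and security-misconfiguration items from the risk analysis, as a check over raw
# HTTP response headers. Both responses below are CONSTRUCTED samples, not output
# captured from DVWA; the list of expected headers is this example's own choice.
from typing import Dict, List, Tuple

# Protective headers a hardened application should send; absence is a finding.
EXPECTED_HEADERS: Dict[str, str] = {
    "content-security-policy": "no CSP, so an injected script runs unrestricted",
    "x-content-type-options": "browser may MIME-sniff responses",
    "x-frame-options": "page can be framed by another site (clickjacking)",
    "strict-transport-security": "no HSTS, so a downgrade to plain HTTP is possible",
}
# Headers whose values commonly leak the software stack during reconnaissance.
BANNER_HEADERS = ("server", "x-powered-by")


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into its status line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_headers(raw: str) -> List[Tuple[str, str, str]]:
    """Return (severity, header, detail) findings. The ratings follow the report:
    a version banner is Low (a recon aid only), a missing protection is Medium."""
    _, headers = parse_response_headers(raw)
    findings: List[Tuple[str, str, str]] = []
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        if any(ch.isdigit() for ch in value):  # "Apache/2.4.29" leaks, "Apache" does not
            findings.append(("Low", name, f"version disclosed: {value}"))
    for name, why in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(("Medium", name, why))
    return findings


# Constructed responses: a default install with banners, and a hardened one.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(raw))
```

In a real test the raw response comes from the proxy history in Burp Suite or ZAP (or from `curl -i`), and the same two checks are what Nikto's banner and header plugins report.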


Risk | Description | Likelihood | Impact | Solution
SQL Injection (SQLi) | Malicious queries to access or modify database data. | High | High | Validate inputs, use prepared statements.
Cross-Site Scripting (XSS) | Inserting harmful scripts into webpages. | Medium | High | Encode output, sanitize user input.
Cross-Site Request Forgery (CSRF) | Tricking users into making unwanted requests. | Medium | Medium | Use CSRF tokens and secure sessions.
Broken Authentication | Weak login systems allowing unauthorized access. | High | High | Use strong passwords, session management.
Sensitive Data Exposure | Personal or financial data leaks due to poor encryption. | Medium | Very High | Encrypt data, use HTTPS, secure storage.
Security Misconfigurations | Incorrect server or software settings. | Medium | Medium | Regular updates, secure configurations.
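The Solution column for XSS and CSRF says to encode output and to use CSRF tokens with secure sessions. As an added example (not code from the report or from DVWA), the block below shows both controls beside the weakness each removes: a constructed page template rendered with and without HTML encoding, and a per-session CSRF token that is issued when the form is rendered and checked in constant time when the form is submitted. The template, the session store and the form data are assumptions made for this example.

```python
# Added example (not part of the original report): the XSS and CSRF controls named
# in the risk table, each shown beside the weakness it removes. The page template,
# the session store and the form data are CONSTRUCTED for this example; no web
# framework is used.
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

PAGE = "<p>Hello, {name}!</p>"  # constructed template that reflects a query parameter


def render_vulnerable(name: str) -> str:
    """Reflects user input into HTML unchanged, so a name such as
    <script>alert(1)</script> becomes executable markup in the victim's browser."""
    return PAGE.format(name=name)


def render_fixed(name: str) -> str:
    """Encodes & < > " and ' so the input is displayed as text whatever it contains.
    quote=True also covers the case where the value lands inside an attribute."""
    return PAGE.format(name=html.escape(name, quote=True))


def reflected_verbatim(rendered: str, payload: str) -> bool:
    """The black-box check a tester performs: did the payload come back unencoded?"""
    return payload in rendered


# --- CSRF: one unguessable token per session, compared in constant time ----------
class SessionStore:
    """Constructed stand-in for server-side session state."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue_token(self, session_id: str) -> str:
        """Called when the form is rendered; the token is embedded as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def handle_transfer(store: SessionStore, session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing request. The session cookie proves WHO is asking; the token
    proves the request was built by our own page. A cross-site form post from an
    attacker's page carries the victim's cookie automatically but cannot read the
    token, so it fails here."""
    if not store.validate(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("vulnerable:", render_vulnerable(payload))
    print("fixed:     ", render_fixed(payload))
    store = SessionStore()
    token = store.issue_token("sess-1")
    print(handle_transfer(store, "sess-1", {"amount": "100", "to": "alice", "csrf_token": token}))
    print(handle_transfer(store, "sess-1", {"amount": "100", "to": "mallory"}))
```

Encoding at output time, rather than stripping characters from input, is the control that survives data being stored and displayed in several places; the CSRF check only protects requests that go through `handle_transfer`, so every state-changing endpoint needs the same check.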

CONCLUSION

Web application security testing plays a crucial role in identifying and mitigating vulnerabilities that could be exploited by malicious users. Because most organizations now rely heavily on web-based systems, the security of those applications is central to maintaining the confidentiality, integrity, and availability of their data. Through this project we explored the main aspects of security testing, including vulnerability assessment, penetration testing, and the use of automated tools such as OWASP ZAP, Burp Suite, and Nikto. These tools help simulate real-world attacks and allow testers to uncover issues such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), security misconfigurations, and broken authentication.

By understanding the OWASP Top 10 and testing web applications against it, developers and security professionals can significantly reduce the attack surface of their applications. Secure coding practices, regular patch management, and routine security assessments are essential to safeguard sensitive user data and prevent unauthorized access.

In conclusion, web application security testing is not a one-time activity but a continuous process that must evolve with emerging threats and changes in technology. Organizations should treat security as a core part of their software development lifecycle in order to build resilient and trustworthy web applications.


REFERENCES

- OWASP Foundation. (2023). OWASP Top 10 Web Application Security Risks. Retrieved from https://owasp.org/Top10/
- Stuttard, D., & Pinto, M. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2nd ed.). Wiley Publishing.
- Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment. NIST Special Publication 800-115.
- PortSwigger. (n.d.). Burp Suite Documentation. Retrieved from https://portswigger.net/burp
- OWASP ZAP Project. (n.d.). Zed Attack Proxy (ZAP). Retrieved from https://www.zaproxy.org/
- Nikto Project. (n.d.). Nikto Web Scanner. Retrieved from https://cirt.net/Nikto2
- Kals, S., Kirda, E., Kruegel, C., & Jovanovic, N. (2006). SecuBat: A Web Vulnerability Scanner. Proceedings of the 15th International Conference on World Wide Web (WWW '06).
- SANS Institute. (2023). Web Application Penetration Testing Techniques. Retrieved from https://www.sans.org/
