ETHICAL HACKING
A PROJECT REPORT
Submitted by
Hatib Ayaz Khan
20BCS4831
in partial fulfillment for the award of the degree of
BACHELOR OF ENGINEERING
IN
COMPUTER SCIENCE ENGINEERING
Chandigarh University
NOVEMBER 2023
CERTIFICATE
INDEX
S.no Content Page Number
1. Front page 1
2. Certificate 2
3. Index 3
4. Acknowledgement 4
5. Declaration 5
6. Abstract 6
7. Introduction 7
8. Problem statement 8-9
9. Necessary scans 10-13
10. Required screenshots 14-16
11. Developer's report (including the vulnerabilities found, their impacts and their solutions) 17-35
12. Conclusion and project solution 36
ACKNOWLEDGEMENT
I would like to thank the platform Internshala for providing the course, the
knowledge and the environment (the hacking labs) for completing the course
successfully. I would also like to thank my family and friends for supporting me
through the process and helping me wherever needed. They also helped me stay
focused on my goals and helped me achieve them.
Hatib Ayaz Khan
20BCS4831
B.E CSE
DECLARATION
I hereby declare that this project based on ethical hacking has been carried out by
my own efforts and that the facts were arrived at by my own observations. I am hence submitting
this project to my college and I also promise that this project has not been submitted
to any university before, as this is my original work.
Name: Hatib Ayaz Khan Date:
Abstract
This paper explores the ethics behind ethical hacking and whether there are problems
that lie with this new field of work. Since ethical hacking has been a controversial
subject over the past few years, the question of the true intentions of ethical
hackers remains. The paper also looks at directions for future research that could
help keep ethical hacking ethical.
INTRODUCTION
In this course, we were given videos to learn from. There were a total of 9 chapters in
the course and each chapter was divided into modules. Each module had a small test
after its completion, and after each chapter we had to attempt a test, without which we
would not be able to move to the next chapter. I made written notes while watching all the
videos, which later helped me where needed. Doing this also helped me preserve this
knowledge for myself permanently.
At the end of the course, we were given a problem statement, based on which we
had to create the project.
Internshala also provided us with hacking labs for real-life experience, and for the project
competition we were provided a website we had to work on.
PROBLEM STATEMENT
Necessary scans
Required screenshots
DEVELOPER'S REPORT
E-COMMERCE WEBSITE
LIFESTYLE STORE
DETAILED PROJECT REPORT
Vulnerabilities:
1. SQL injection
Observation
Navigate to the T-Shirt tab, where you will see a number of T-shirts. Notice the GET parameter
cat in the URL:
We apply a single quote to the cat parameter: products.php?cat=19' and we get a complete
MySQL error:
• We then put --+ : products.php?cat=19--+ and the error is removed, confirming SQL
injection.
• Now a hacker can inject SQL or use sqlmap to get access to the database.
Business Impact - Extremely High
Using this vulnerability, an attacker can execute arbitrary SQL commands on the Lifestyle Store server
and gain complete access to the internal databases along with all the customer data inside them.
The previous slide has the screenshot of the users table, which shows user credentials being leaked,
and that too in plain text without any hashing/encryption.
Attackers can use this information to log in to admin panels and gain complete admin-level access to
the website, which could lead to complete compromise of the server and all other servers connected
to it.
RECOMMENDATIONS
1. Use whitelists, not blacklists.
2. Don't trust any user input.
3. Adopt the latest technologies.
4. Ensure errors are not user-facing.
5. Disable/remove default accounts, passwords and databases.
References:
https://www.owasp.org/index.php/SQL_Injection and https://en.wikipedia.org/wiki/SQL_injection
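The following Python script is an added illustration, not code from the report or from the store, that reproduces the observation above against a constructed SQLite table: the vulnerable lookup pastes the decoded cat value into the query, while the fixed lookup whitelists it as digits and binds it as a parameter (recommendations 1, 2 and 4). The table contents, the regex and the function names are assumptions made for this example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    # Constructed in-memory stand-in for the store's products table; not the real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Plain tee", 19), (2, "Polo", 19), (3, "Jeans", 20)])
    return conn


def vulnerable_lookup(conn, raw_cat):
    # The flaw the report describes: the decoded GET value is pasted straight into SQL,
    # so cat=19' breaks the statement and cat=19--+ turns the rest into a comment.
    cat = unquote_plus(raw_cat)
    return [row[0] for row in conn.execute(f"SELECT name FROM products WHERE cat = {cat}")]


CAT_RE = re.compile(r"\d{1,9}")


def safe_lookup(conn, raw_cat):
    # Whitelist (recommendation 1): a category id is a short run of digits, nothing else.
    cat = unquote_plus(raw_cat)
    if not CAT_RE.fullmatch(cat):
        raise ValueError("invalid category id")
    # Parameter binding: the value travels separately and can never alter the query shape.
    rows = conn.execute("SELECT name FROM products WHERE cat = ?", (int(cat),))
    return [row[0] for row in rows]


def probe(conn, lookup, raw_cat):
    # Recommendation 4: the caller gets a generic outcome, never the database's own error text.
    try:
        return ("ok", lookup(conn, raw_cat))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for value in ("19", "19'", "19--+"):
        print(value, probe(db, vulnerable_lookup, value), probe(db, safe_lookup, value))
```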
2. Access to admin panel
Proof of Concept (PoC)
Hackers can change the admin password. Hackers can also add and delete pages. Hackers can
upload any malicious file.
Business impact - Extremely High
• A hacker can do anything with the page; he will have full access to the page and can govern the page
according to his will.
• It is a massive business risk.
• Loss can be very high.
RECOMMENDATIONS
1. The default password should be changed and a strong password must be set up.
2. The admin URL must also be such that it is not accessible to normal users.
3. The password-changing option must require 2- to 3-step verification.
References:
https://www.owasp.org/index.php/Default_Passwords and
https://www.us-cert.gov/ncas/alerts/TA13-175A
3. Arbitrary file upload
Observations:
Proof of concept
• Weak password - admin.
• Arbitrary File Inclusion.
Business Impact - Extremely High
A malicious user can access the Dashboard, which discloses much critical information of an
organisation including important files, passwords, and much more...
Any backdoor file or shell can be uploaded to get access to the uploaded file on a remote server, and
data can be exfiltrated. The presence of an actual malicious file can compromise the entire system,
leading to system takeover/data stealing.
Recommendation
• Change the admin password to something strong and not guessable.
• The application code should be configured in such a way that it blocks the upload of malicious
file extensions such as exe/php and other extensions, with thorough server-side as well as client-side
validation. CVE ID allocated: CVE-2017-14521.
References: https://www.owasp.org/index.php/Unrestricted_File_Upload and
https://www.opswat.com/blog/file-upload-protection-best-practices
Recommendation
Take the following precautions:
1. Use a strong password, 8 characters or more in length, with alphanumerics and symbols.
2. It should not contain personal/guessable information.
3. Do not reuse passwords.
4. Disable default accounts and users.
5. Change all passwords to strong, unique passwords.
References:
https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)
and https://www.owasp.org/index.php/Default_Passwords and
https://www.us-cert.gov/ncas/alerts/TA13-175A
4. Account takeover using OTP bypass
Observation
• Navigate to http://13.126.196.134/reset_password/admin.php?otp= and you will see the user login
page via OTP.
• The following request will be generated, containing the OTP parameters.
• Now we brute-force it.
• And we easily got the valid OTP.
POC
• Now a hacker can change the password of the admin dashboard.
Business Impact - Extremely High
A malicious hacker can gain complete access to any account just by brute-forcing the OTP. This leads
to complete compromise of the personal user data of every customer.
Attackers, once logged in, can then carry out actions on behalf of the victim, which could lead to
serious financial loss to him/her.
Recommendation
Take the following precautions:
• Use proper rate-limiting checks on the number of OTP checking and generation requests.
• Implement anti-bot measures such as reCAPTCHA after multiple incorrect attempts.
• OTPs should expire after a certain amount of time, like 2 minutes.
• OTPs should be at least 6 digits and alphanumeric for more security.
References: https://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASPAT-009)
and https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
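An added Python example, not code from the report or the store, of the OTP controls recommended above: 6-character alphanumeric codes, a 2-minute expiry, single use, and a cap on verification attempts so the code cannot be brute-forced. The limit of 5 attempts and the injectable clock are assumptions made for this example.

```python
import hmac
import secrets
import string
import time

OTP_ALPHABET = string.ascii_uppercase + string.digits   # alphanumeric, as the report recommends
OTP_LENGTH = 6                                          # "at least 6 digits"
OTP_TTL_SECONDS = 120                                   # "expire after ... 2 minutes"
MAX_ATTEMPTS = 5                                        # assumed limit; the report gives no figure


class OtpVerifier:
    """Issues one-time codes and enforces expiry, an attempt limit and single use."""

    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so expiry can be exercised in tests
        self.pending = {}       # user -> {"code", "issued", "attempts"}

    def issue(self, user):
        # secrets, not random: the code must be unpredictable to anyone guessing it.
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self.pending[user] = {"code": code, "issued": self.now(), "attempts": 0}
        return code

    def verify(self, user, submitted):
        rec = self.pending.get(user)
        if rec is None:
            return "no_otp"                   # nothing outstanding: never issued, already used, or burned
        if self.now() - rec["issued"] > OTP_TTL_SECONDS:
            del self.pending[user]
            return "expired"
        rec["attempts"] += 1
        # Constant-time comparison so response timing does not leak how much of the code matched.
        if hmac.compare_digest(rec["code"].encode(), submitted.strip().upper().encode()):
            del self.pending[user]            # single use: a replayed code fails
            return "ok"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]            # the code is burned; the user must request a new one
            return "locked"
        return "wrong"


def guess_budget():
    # Probability that MAX_ATTEMPTS blind guesses hit a 6-character alphanumeric code.
    return MAX_ATTEMPTS / len(OTP_ALPHABET) ** OTP_LENGTH
```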
5. CSRF
Observation:
• Here you can see a 7-digit password, but due to CSRF I'll change the password at the moment he
wants to update it.
• Here's the file I opened while changing the password; when we click on send, the password will
change to 12345.
POC: Here's the code generated by Burp Suite Community Edition.
Observation: CSRF in cart
Here you can see the order is placed unwantedly by the user through CSRF.
POC: Here's the code generated by Burp Suite Community Edition.
Business Impact - Very High
1. Hackers can change the password of any user.
2. Hackers can make users do unwanted things.
3. It makes a very bad impression of the website on the user.
4. Hackers can remove and confirm orders in the cart of the user.
Recommendations: Take the following precautions:
• Implement an anti-CSRF token.
• Do not show the customers of the month on the login page.
• Use the SameSite flag on cookies.
• Check the source of the request made.
• Take some extra keys or tokens from the user before processing an important request.
• Use 2-factor confirmations like OTP, etc. for critical requests.
References: https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/ and
https://digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
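The following Python handler is an added example, not code from the report or the store, of three of the recommendations above for the change-password request: a session-bound anti-CSRF token, a check of the request's Origin against the site, and a SameSite session cookie. SITE_ORIGIN, SERVER_SECRET and the request/session dictionaries are constructed placeholders, not a real framework's objects.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://store.example"                    # placeholder for the shop's own origin
SERVER_SECRET = b"constructed-example-secret-rotate-me"  # placeholder; load from config in practice


def issue_csrf_token(session_id):
    # nonce + HMAC(secret, session_id:nonce): unguessable, and tied to the session it was issued
    # to, so a token lifted from one session is useless in another.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie(session_id):
    # SameSite=Strict stops the browser attaching the cookie to a cross-site form POST at all.
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def handle_change_password(request, session):
    # request: {"method", "origin", "form"}; session: {"id", "user"} (constructed shapes).
    if request["method"] != "POST":
        return 405, "method not allowed"
    # Check the source of the request: browsers send an Origin header on form POSTs, and a
    # form hosted on the attacker's page carries the attacker's origin.
    if request.get("origin") != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Anti-CSRF token from the hidden form field, bound to this session.
    if not verify_csrf_token(session["id"], request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    # The report's "extra key" (current password or OTP) would be checked here before the
    # stored password hash for session["user"] is replaced with the new value.
    return 200, "password changed"
```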
6. Reflected Cross Site Scripting (XSS)
Observation
Open edit profile through the URL and write a script in the address bar.
POC
Business impact - High
As an attacker can inject arbitrary HTML, CSS and JS via the URL, the attacker can put any content
on the page like phishing pages, install malware on the victim's device and even host explicit content
that could compromise the reputation of the organisation.
All an attacker needs to do is send the link with the payload to the victim, and the victim would see
hacker-controlled content on the website. As the user trusts the website, he/she will trust the content.
Recommendation: Take the following precautions:
• Sanitise all user input and block characters you do not want.
• Convert special HTML characters like " ' < > into HTML entities (&quot; &#39; &lt; &gt;) before printing
them on the website.
References: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) and
https://en.wikipedia.org/wiki/Cross-site_scripting, https://www.w3schools.com/html/html_entities.asp
7. Stored Cross Site Scripting (XSS)
Observations: Now try entering the payload in the review box.
Hit the post button, and you can see stored XSS or permanent XSS.
Business impact - High
As an attacker can inject arbitrary HTML, CSS and JS via the review box, the attacker can put any content
on the page like phishing pages, install malware on the victim's device and even host explicit content
that could compromise the reputation of the organisation.
All an attacker needs to do is send the link with the payload to the victim, and the victim would see
hacker-controlled content on the website. As the user trusts the website, he/she will trust the content.
Recommendation: Take the following precautions:
• Sanitise all user input and block characters you do not want.
• Convert special HTML characters like " ' < > into HTML entities (&quot; &#39; &lt; &gt;) before printing
them on the website.
References: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) and
https://en.wikipedia.org/wiki/Cross-site_scripting, https://www.w3schools.com/html/html_entities.asp
8. COMMON PASSWORD
Business Impact - High
Easy, default and common passwords make it easy for attackers to gain access to accounts,
use them illegally, and harm the website to any extent after logging into
privileged accounts.
Recommendation
• There should be a password strength check at every creation of an account.
• Passwords must be a minimum of 8 characters long, with a mixture of numbers,
alphanumerics, special characters, etc.
• There should be no repetition of passwords, neither on change nor on reset.
• The password should not be stored as-is; rather, it should be hashed and then stored.
References: https://www.acunetix.com/blog/articles/weak-password-vulnerability-common-think/ and
https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)
9. Component with known vulnerability
Business Impact - High
Exploits for every detected vulnerability are regularly made public, and hence outdated software can
very easily be taken advantage of. If the attacker comes to know about this vulnerability, he may
directly use the exploit to take down the entire system, which is a big risk.
Recommendations:
• Upgrade to the latest version of the affected software/theme/plugin/OS.
• If an upgrade is not possible for the time being, isolate the server from any other critical data and
servers.
References: https://usn.ubuntu.com/4099-1/ (for Ubuntu) and
https://www.exploit-db.com/exploits/37820 and
https://securitywarrior9.blogspot.com/2018/01/vulnerability-in-wonder-cms-leading-to.html
10. Server misconfiguration
Observations and POC:
Recommendation:
1. Keep the software up to date.
2. Disable all the default accounts and change passwords regularly.
3. Develop a strong app architecture and encrypt data which contains sensitive information.
4. Make sure that the security settings in the framework and libraries are set to secure values.
5. Perform regular audits and run tools to identify the holes in the system.
References: https://www.ifourtechnolab.com/blog/owasp-vulnerability-security-misconfiguration
11. Unauthorised access to user details(IDOR)
Observations: When we change the payload, we can see the receipts of other users or customers.
POC: Here you can clearly see the receipt of another user.
Business Impact - Extremely High
A malicious hacker can read bill information and account details of any user just by knowing the
customer ID and user ID. This discloses critical billing information of users including:
• Mobile number
• Bill number
• Billing period
• Total number of orders placed by the customer
• Bill amount and breakdown
• Phone no. and email address
• Address
This can be used by malicious hackers to carry out targeted phishing attacks on the users, and the
information can also be sold to competitors/the black market. Moreover, as there are no rate-limiting
checks, attackers can brute-force the user_id over all possible values and get the bill information of each
and every user of the organisation, resulting in a massive information leakage.
Recommendation: Take the following precautions:
• Implement proper authentication and authorisation checks to make sure that the user has
permission to access the data he/she is requesting.
• Use proper rate-limiting checks on the number of requests coming from a single user in a small
amount of time.
• Make sure each user can only see his/her own data.
References: https://www.owasp.org/index.php/Insecure_Configuration_Management and
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
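As an added example, not the store's code, the Python service below applies the three recommendations to a receipt lookup: the caller must be logged in, is rate-limited per user, and only sees receipts it owns, with "not yours" and "does not exist" answered identically so valid ids are not confirmed. The receipts table, the 30-requests-per-minute limit and the injectable clock are constructed for this example.

```python
import time

# Constructed receipts table (receipt id -> owner and details); not the store's real data.
RECEIPTS = {
    1001: {"owner": 7, "bill_no": "B-1001", "amount": 1299.00, "mobile": "98xxxxxx01"},
    1002: {"owner": 8, "bill_no": "B-1002", "amount": 499.00, "mobile": "98xxxxxx02"},
}


class ReceiptService:
    def __init__(self, now=time.monotonic, max_requests=30, window_seconds=60):
        self.now = now                       # injectable clock for tests
        self.max_requests = max_requests     # assumed limit; the report names no figure
        self.window = window_seconds
        self.hits = {}                       # user id -> timestamps of recent requests

    def _over_limit(self, user_id):
        t = self.now()
        recent = [s for s in self.hits.get(user_id, []) if t - s < self.window]
        recent.append(t)
        self.hits[user_id] = recent
        return len(recent) > self.max_requests

    def get_receipt(self, session_user, receipt_id):
        """Return (status, receipt) for a lookup made by the logged-in user (None if anonymous)."""
        # 1. Authentication: anonymous callers get nothing, whatever id they supply.
        if session_user is None:
            return 401, None
        # 2. Rate limit per authenticated user, so the id space cannot be walked quickly.
        if self._over_limit(session_user):
            return 429, None
        rec = RECEIPTS.get(receipt_id)
        # 3. Authorisation: the receipt must belong to the requester. A receipt that exists
        #    but belongs to someone else gets the same 404 as a missing one.
        if rec is None or rec["owner"] != session_user:
            return 404, None
        return 200, rec
```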
12. Directory Listings
POC:
1. In the above observation you can see that a hacker can go through these directories easily
and gather as much information as he/she wants.
2. In fact, it also shows some accounts of sellers.
Business Impact - Moderate: Although this vulnerability does not have a direct impact on users or
the server, it can aid the attacker with information about the server and the users. Information disclosure due
to default pages is not exploitable in most cases, but is considered a web application security issue
because it allows malicious hackers to gather relevant information which can be used later in the attack
lifecycle, in order to achieve more than they could if they didn't get access to such information.
Recommendation
1. Disable all default pages.
2. Enable multiple security checks.
References: https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/ and
https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/information-disclosure-phpinfo/
13. Personal information leakage
Observations:
Navigate to the URL, and you can see the whole path where everyone's photo is stored.
Business Impact - Moderate: Although this vulnerability does not have a direct impact on
users or the server, it can help the attacker in mapping the personal information of any account
and plan further attacks on any specific account.
Recommendations:
• You can apply encryption to the personal data.
• You can add authentication and authorisation checks to access the other data.
References: https://cipher.com/blog/25-tips-for-protecting-pii-and-sensitive-data/ and
https://digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
14. Client side and server side validation bypass
Observation: Here we intercepted the request and made changes in the contact number field.
POC: The mobile number is saved as zero.
Business Impact - Moderate: The data provided by the user, if incorrect, is not a very big issue,
but it must still be checked for proper validity.
Recommendations:
1. Implement all critical checks in server-side code only.
2. Client-side checks must be treated as decorative only.
3. All business logic must be implemented and checked in the server code.
References:
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
and https://www.owasp.org/index.php/Unvalidated_Input
15. Default messages:
Observation & POC: Here we added the payload as shown above and we got an error.
Business Impact - Moderate
Although this vulnerability does not have a direct impact on users or the server, it can help the
attacker in mapping the server architecture and plan further attacks on the server.
Recommendations: Do not display the default error messages, because they not only tell about the
server but also sometimes about the location. So, whenever there is an error, send the user to the same
page or throw some manually written error.
References: https://www.owasp.org/index.php/Improper_Error_Handling
16. Open redirecting:
Observations: Here we made changes to the URL according to the payload.
POC: We are redirected to Google.
Business Impact - Low:
An HTTP parameter may contain a URL value and could cause the web application to redirect the
request to the specified URL; by modifying the URL value, an attacker can send the user to a malicious site.
Recommendations:
1. Disallow offsite redirects.
2. If you have to redirect the user based on URLs, instead of using untrusted input you should
always use an ID, which is internally resolved to the respective URL.
3. If you want the user to be able to issue redirects, you should use a redirection page that
requires the user to click on the link instead of just redirecting them.
4. You should also check that the URL begins with http:// or https:// and invalidate all other
URLs to prevent the use of malicious URIs such as javascript:
References:
https://cwe.mitre.org/data/definitions/601.html and
https://www.hacksplaining.com/prevention/open-redirects
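The following Python helpers are added here and are not part of the report or the store's code. They implement recommendations 1, 2 and 4: redirects resolved from an internal ID, and, for the case where a full URL must be accepted, a validator that allows only http(s) URLs on the site's own host, which also rejects javascript: and protocol-relative //host forms. SITE_ORIGIN and the target table are placeholders.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://store.example"      # placeholder for the shop's own origin
SITE_HOST = urlsplit(SITE_ORIGIN).netloc

# Recommendation 2: the redirect parameter carries an id, and the id is resolved server-side.
REDIRECT_TARGETS = {"home": "/", "cart": "/cart.php", "orders": "/orders.php"}


def resolve_redirect(target_id):
    # Unknown ids (including anything that looks like a URL) fall back to the home page.
    path = REDIRECT_TARGETS.get(target_id, "/")
    return urljoin(SITE_ORIGIN, path)


def is_safe_redirect_url(url):
    # Recommendations 1 and 4: http(s) only, so javascript:, data: and friends are out,
    # and on our own host, so offsite redirects are refused.
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the whole netloc, not just the hostname: "store.example@attacker.example"
    # must not be mistaken for our host.
    return parts.netloc.lower() == SITE_HOST


def redirect_location(url, fallback="/"):
    # Value for the Location header: the URL if it passes, otherwise a local fallback.
    return url if is_safe_redirect_url(url) else urljoin(SITE_ORIGIN, fallback)
```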
Conclusion
We were successfully able to find all the vulnerabilities and discussed their impacts and solutions, hence
completing the project along with the report. As we saw above, some vulnerabilities were very harmful to
the website, whereas some were moderately harmful. Learning ethical hacking helped us identify them and
solve them. I therefore find this skill very helpful and hope to work with it in the future.
Project solution: