Scribd
Upload
12 views11 pages

CSS Practical File

Uploaded by

Badri Robotics
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
12 views11 pages

CSS Practical File

Uploaded by

Badri Robotics
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
Download as pdf or txt
You are on page 1/ 11

Practical 1

Aim: Practical demonstration of buffer overflow vulnerability and attack. Write


down the solutions available to mitigate the buffer overflow attack.
Code Snippet:

Code Explanation:
This C program is designed to print the name of the executable and a substring of
the first command-line argument provided to it. It includes the necessary header
files, `stdio.h` for input/output functions and `string.h` for string manipulation.
Within the `main` function, the program initializes a character array `a` with a size
of 5 to store part of the input string. It first outputs the name of the program,
which is accessed through the first element of the `argv` array. Next, it utilizes
`strncpy` to copy up to 5 characters from `argv[1]`, representing the first command-
line argument, into the array `a`. Finally, the program prints the contents of `a`.
However, it’s important to note that if `argv[1]` is shorter than 5 characters, `a` may
not be null-terminated, potentially leading to undefined behavior when printed.
Proper handling of null termination is crucial when using `strncpy` to avoid such
issues.
Practical 2

Aim: Practical demonstration of race conditions and vulnerability and attack. What
are possible solutions for race conditioning vulnerability.

Code Snippet:

• Soln:

Code Explanation:
The code consists of two implementations for managing a bank account balance
with threads in C. In the first implementation, two threads increment (deposit) and
decrement (withdraw) the balance without any synchronization, leading to race
conditions and an inconsistent final balance. The second implementation uses a
mutex to synchronize access to the balance, ensuring that only one thread modifies
it at a time. This prevents race conditions, resulting in a correct final balance that
matches the expected value.
Practical 3

Aim: Practical demonstration of dirty cow vulnerability an attack.

Code Snippet:
Code Explanation:
This C program modifies a file's memory mapping using two threads. It takes a
target file and new content as arguments. The first thread repeatedly advises the
kernel to discard the mapped memory with `madvise`, while the second thread
writes the new content to `/proc/self/mem` at the mapped address. After running
for 5 seconds, both threads are stopped, and resources are cleaned up. The
program demonstrates a way to manipulate memory mapping and file content
concurrently.
Practical 4

Aim: Installation Demonstration of Burp Suite Tool.


Installation Guide:
1. Open the official website of Portswigger and download the script file.
2. Check the Download folder or where you save the burp suite script file.
3. Locate the Burp suite script file and open the terminal and write the
command:
➢ chmod +x burpsuite community linux v2022 3 9.sh
4. Now your burp suite file is ready for executing
5. Type ./burp-suite-file-name
6. Loading the installation wizard and click the Next

7. Now your burp is ready for use after the completion of the setup.

Result: The following experiment shows how the installation process the
completed successfully.
Practical 5

Aim: Practical demonstration of XSS using burp suite tool.

Theory: Cross-Site Scripting (XSS) is a security vulnerability where an


attacker injects malicious scripts into a website, which then get executed in
the user’s browser. This can lead to data theft, session hijacking, or site
defacement.

Demonstration:

Set up Burp Suite: Open Burp Suite, go to the proxy tab, and ensure
Intercept is on. Configure your browser to use Burp Suite proxy.

Find XSS Vulnerability: Find a web page with an input field for example
search box, comment section.
Intercept Request: Burp Suite intercepts the request. Go to the Proxy and
make sure the intercept is on before sending the request.

Test with Repeater: In the Repeater tab, modify the request with the
following payload and resend it.

<script>alert(1)</script>
Verify XSS: You can see in the Response the script is embedded inside the
response as a javascript rather than a simple string.

Also, if you check on the browser it will show up the alert box in the web
page which confirms the presence of XSS Vulnerability.

Result: The XSS vulnerability was successfully demonstrated by injecting the


script `<script>alert(1)</script>`. The alert box appeared in the browser,
confirming that the web application is vulnerable to XSS due to improper input
sanitization.
Practical 6

Aim: Practical demonstration of CSRF vulnerability and attack and the possible
solutions for CRSF attack also.

Code Snippet:
1. HTML Code:

2. Python Code With CSRF protection:

3. Python Code Without CSRF Protection:


Explanation: The first code implements better security and form handling
practices. It uses Flask-WTF for structured form handling and includes
CSRF protection via `CSRFProtect`, ensuring that all form submissions
are validated and protected against Cross-Site Request Forgery (CSRF)
attacks. The form is defined as a class, making it easier to manage and
maintain. In contrast, the second code lacks CSRF protection and
handles form data manually, making it vulnerable to CSRF attacks.
Additionally, the second code does not validate the form input, making it
less secure overall. Both codes use session management, but the first one
provides stronger protection due to CSRF tokens.

Result: This code represents the working of CSRF Attack and it also
shows the protection.
Practical 7

Aim: Practical demonstration of SQL injection vulnerability and attack


and the possible solutions for SQL injection attack also.

Code Snippet:

Explanation: The code demonstrates a vulnerable login system where


user inputs are directly concatenated into an SQL query without proper
sanitization. This opens the application to **SQL Injection** attacks. For
example, entering `admin' OR '1'='1` as the username will bypass
authentication by tricking the query into always returning true, allowing
unauthorized access.

Result: The login system is vulnerable to SQL Injection, as demonstrated


by entering `admin' OR '1'='1`. This allowed unauthorized access by
bypassing the authentication mechanism, confirming the application's
susceptibility to this type of attack.

You might also like