SVYASA DEEMED TO BE UNIVERSITY

School of Advanced Studies

Global Sattva City Campus, Mysore Road, Bengaluru-560059

Synopsis Report On:

“Security Testing on Web Application”

(MCSC250)

Submitted in partial fulfilment of the requirements for the course of the 2nd
semester.
MASTER OF COMPUTER APPLICATIONS
By
Anil - (2222408006)
Preethi Jain M Y - (2222408104)
Bhumika V Katti - (222240107)
Lavanya D - (2222408111)

Under the guidance of

MR TOUSIF
PROJECT MENTOR
S VYASA SCHOOL OF ADVANCED STUDIES, BENGALURU

2024-25

1
 INDEX

SI NO Content Pg no

1 Abstract 3

2 Keywords 4

3 List of figures 5

4 Chapters:1 Introduction 6

5 Chapters:2 Literature Survey 7

6 Chapters:3 Objectives of the Work 8

7 Chapters:4 Proposed Method 9-12

8 Chapters:5 Expected Outcomes 13

9 Conclusion 14

10 References 15

2
 Abstract

As web applications continue to evolve and become integral to modern business operations,
the importance of securing these applications against potential threats has never been greater.
Cyberattacks targeting web applications are on the rise, and vulnerabilities within these
applications can lead to significant data breaches, loss of reputation, and financial damage. To
address these concerns, security testing plays a crucial role in identifying and mitigating
vulnerabilities before they can be exploited by malicious actors.

This project, titled “Security Testing on Web Application,” focuses on conducting manual
security testing to identify common vulnerabilities in web applications. Utilizing the bWAPP
(Buggy Web Application) platform, a deliberately vulnerable web application designed for
educational purposes, this project aims to simulate real-world attacks and assess security flaws
across different web application layers. The primary objective is to test and exploit
vulnerabilities based on the OWASP Top 10 list, which includes critical risks such as SQL
Injection, Cross-Site Scripting (XSS), and Sensitive Data Exposure. The project will
explore each vulnerability in-depth, applying manual testing methodologies to identify
weaknesses, document findings, and propose remediation steps. By using a hands-on, practical
approach, this project aims to provide a thorough understanding of web application security,
while also enhancing skills related to ethical hacking, vulnerability assessment, and
remediation techniques. The knowledge gained from this project will be valuable for both web
developers and cybersecurity professionals, ensuring that they are better equipped to design
and maintain secure web applications in today’s threat landscape.

3
 Keywords

• Web Application Security

• Security Testing, bWAPP
• OWASP Top 10
• SQL Injection
• Cross-Site Scripting (XSS)
• Ethical Hacking
• Vulnerability Assessment
• Cybersecurity

4
 List of Figures

• Figure 1: Kali Linux Termina

• Figure 2: bWAPP( buggy web application)
• Figure 3:XAMPP
• Figure 4:Burp Suite
• Figure 5:NMAP(Scanned bWAPP)

5
 Chapter 1: Introduction

In today’s interconnected digital landscape, web applications play a pivotal role in the delivery
of services, information, and transactions. However, with the increasing dependence on web
technologies, the security of these applications has become a critical concern. Web applications
are often subjected to a wide range of cyber threats, including unauthorized access, data
breaches, and denial-of-service attacks. Consequently, robust security measures and thorough
testing are essential to protect sensitive data and maintain the integrity of web systems.This
project, titled “Security Testing on Web Application,” focuses on performing comprehensive
manual security testing to identify vulnerabilities within web applications. The objective is
to simulate real-world attack scenarios and identify common security flaws that could
compromise the application's security posture. For this purpose, we utilize bWAPP (Buggy
Web Application), an intentionally vulnerable web application designed for educational
purposes, which provides a controlled environment for security testing.

Manual security testing enables a detailed and investigative approach, allowing testers to assess
vulnerabilities that might not be immediately apparent through automated testing tools. This
project aims to cover a range of vulnerabilities from the OWASP Top 10 list, including SQL
Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Broken
Authentication. The focus will be on exploring each vulnerability in-depth, understanding
how they can be exploited, and documenting findings for remediation.Through this project,
participants will gain hands-on experience with the tools, techniques, and methodologies used
in web application security testing. The knowledge acquired will not only enhance
understanding of web security but also provide valuable skills applicable in real-world
cybersecurity roles, ensuring that future web applications are built with a security-first mindset.

6
 Chapter 2: Literature Survey

Security testing for web applications is a crucial process to ensure that web-based systems are
free from vulnerabilities that could be exploited by attackers. With the increasing reliance on
web technologies in various industries, security testing has become essential to protect sensitive
data, user privacy, and maintain the integrity of web applications. The OWASP Top 10
vulnerabilities serve as a primary reference for understanding the most common and critical
risks, including SQL Injection, Cross-Site Scripting (XSS). Tools like OWASP ZAP, Burp
Suite, and Nikto are commonly used for scanning vulnerabilities in web applications, but
manual testing remains vital for detecting complex and logic-based issues that automated tools
may miss. Manual penetration testing techniques such as input validation, session management
testing, and business logic testing are widely used to simulate real-world attacks and identify
vulnerabilities that could be exploited by malicious actors.

While automated tools provide quick scans for well-known vulnerabilities, they are limited in
detecting intricate attack vectors and logical flaws in application flow. According to various
studies, a combination of both automated and manual security testing ensures a more
comprehensive assessment. Ethical hacking plays a significant role in this process, as security
professionals simulate real-world attacks to uncover weaknesses and help organizations patch
them before malicious hackers can exploit them.

7
 Chapter 3: Objectives of the Work

• To understand the significance of security testing in protecting web applications from

common cyber threats and vulnerabilities.
• To identify and analyse common security vulnerabilities in web applications, especially
those listed in the OWASP Top 10.
• To evaluate various security testing methodologies, including vulnerability scanning,
static and dynamic analysis, and penetration testing.
• To explore and compare popular security testing tools (such as Burp Suite, Nikto etc.)
in terms of effectiveness and usability.
• To implement a structured approach to security testing that can be applied to real-world
web applications.
• To recommend best practices and mitigation strategies for developers to reduce the risk
of security breaches in web applications.

8
 Chapter 4: Proposed Method

4.1 Environment Setup using Kali Linux:

Kali Linux is a specialized Linux distribution designed for penetration testing, ethical
hacking, and network security assessments. It is widely used by security professionals due to
its comprehensive suite of pre-installed tools and utilities.

Key Features:
• Comprehensive Toolset:
o Information Gathering: Nmap
o Vulnerability Analysis: OpenVAS, Nikto
o Web Application Testing: Burp Suite, OWASP ZAP, SQLMap
• Customizability: Tailor the OS to your specific needs.
• Live Boot Capability: Run Kali from USB/DVD without installation.
• Multi-Language Support & Regular Updates

Figure 1: Kali Linux Terminal

9
4.2 Setting Up the Target Web Application (bWAPP):

The selected platform is bWAPP (Buggy Web Application), an open-source, intentionally

insecure application used for practicing security testing techniques.

Vulnerabilities Covered:

• SQL Injection (SQLi)

• Cross-Site Scripting (XSS)
• Command Injection
• And other OWASP Top 10 vulnerabilities

Setup Instructions:

• Install XAMPP
• Download bWAPP from: https://sourceforge.net/projects/bwapp/
• Place bWAPP in the htdocs directory of XAMPP
• Start Apache and MySQL in XAMPP Control Panel
• Create a database in http://localhost/phpmyadmin
• Access bWAPP via browser: http://localhost/bwapp/install.php

Figure 6:bWAPP( buggy web application) Figure 7:XAMPP

10
4.3 Tool Integration for Testing: To effectively test the web application, the following tools
will be used

1. Burp Suite: Purpose: Burp Suite is an integrated platform for performing security testing of
web applications. It provides manual and automated testing capabilities for vulnerabilities like
SQL Injection, Cross-Site Scripting (XSS), and others.

o Usage:
▪ Intercepting Traffic: Set Burp Suite as a proxy in your browser to
intercept traffic between the web application and your browser.
▪ Intruder & Repeater: Manually test for vulnerabilities by injecting
different payloads into various input fields and observing responses.

Figure 8:Burp Suite

2. Nmap (Network Mapper):

o Purpose: Nmap is a network scanning tool that helps in discovering open ports
and identifying the services running on them. This provides a way to identify
potential attack vectors or weak spots in the application's infrastructure.
o Usage:
▪ Port Scanning: Run an Nmap scan (e.g., nmap -sV -O localhost) to
identify open ports and services on the bWAPP application.
▪ Vulnerability Identification: Analyze the results for any open services,
such as HTTP, MySQL, or others, that could be exploited.

11
 Figure 9:NMAP(Scanned bWAPP)

3. Nikto Web Scanner

• Purpose: Checks for known web server and application vulnerabilities.

• Usage: Scan bWAPP for outdated versions, misconfigurations, and exposure points.

4. DirBuster / DirB

• Purpose: Brute-force directories and files on a web server.

• Usage: Use wordlists to find hidden or unlinked directories and resources.

4.4. Manual Testing Workflow

1. Explore basic app features (login, signup).

2. Identify input fields for testing.
3. Inject simple payloads (SQLi, XSS).
4. Observe app behavior and errors.
5. Record vulnerabilities found.

4.5. Manual Test Plan

1. Test input validation (SQLi, XSS).

2. Check authentication (wrong credentials).
3. Test session management (log out/in).
4. Verify authorization (restricted access).
5. Check error handling (detailed error messages).

12
 Chapter 5: Expected Outcomes

1. Detection of Major Flaws

The project will identify major security issues like SQL Injection, XSS, and Broken
Authentication from the OWASP Top 10.

2. Risk Evaluation
Each vulnerability found will be analyzed to understand its impact and how serious it is for
the web application.

3. Clear Test Findings

A complete report will be prepared showing all test results, how the bugs were found, and
what they mean.

4. Fix Suggestions
For every issue found, the report will include simple and practical ways to fix or reduce the
risk.

5. Security Awareness
The project will show why security testing is important by demonstrating real examples of
how websites can be attacked.

6. Better Development Practices

It will suggest secure coding practices to avoid common mistakes in future web applications.

7. Testing Process Documentation

A well-organized guide will be included, explaining every step taken, tools used, and issues
found.

13
 Conclusion

This project provides a detailed approach to manual security testing for web applications,
focusing on identifying and analyzing vulnerabilities aligned with the OWASP Top 10. Using
an intentionally vulnerable application like bWAPP, it aims to simulate real-world attack
scenarios to understand common flaws such as SQL Injection, Cross-Site Scripting (XSS), and
Command Injection. Through this process, the project emphasizes the critical role of manual
testing in detecting complex security issues that automated tools may overlook. It highlights
the value of human intuition and judgment in web security assessment, aiming to contribute to
safer and more resilient web application development practices.

Advantages:

1. Thorough Vulnerability Detection: Manual testing can uncover critical flaws

that automated tools may miss.
2. Practical Skill Development: Offers real-world experience in identifying and
understanding web application vulnerabilities.
3. Focus on OWASP Top 10: Targets the most common and dangerous web
vulnerabilities for impactful testing.

Disadvantages:

1. Time-Consuming Process: Manual testing requires more time and effort

compared to automated methods.
2. Risk of Human Error: Mistakes or oversight may lead to missing important
vulnerabilities.
3. Limited Scalability: Not ideal for large or complex applications due to testing
constraints.

14
 References

1. Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook:
Finding and Exploiting Security Flaws. 2nd ed., Wiley Publishing, 2011.
2. McGraw, Gary. Software Security: Building Security In. Addison-Wesley, 2006.
3. OWASP Foundation. “OWASP Top Ten Web Application Security Risks.” OWASP,
2023. https://owasp.org/www-project-top-ten/
4. Antunes, J., Neves, N., Correia, M., & Verissimo, P. “Vulnerability Discovery with
Attack Injection.” IEEE Transactions on Software Engineering, vol. 36, no. 6, 2009,
pp. 703–717.
5. Scandariato, R., Walden, J., & Joosen, W. “Static Analysis Techniques for Web
Application Security: A Survey.” IEEE Transactions on Software Engineering, vol.
41, no. 10, 2015, pp. 926–944.
6. OWASP ZAP Project. “Zed Attack Proxy (ZAP).” OWASP, 2024.
https://www.zaproxy.org
7. PortSwigger Ltd. “Burp Suite Documentation.” PortSwigger Web Security, 2024.
https://portswigger.net/burp
8. bWAPP Project. “bWAPP: A Buggy Web Application.” ITSEC Games, 2023.
http://www.itsecgames.com
9. Nikto Web Scanner. “Nikto2.” CIRT.net, 2024. https://cirt.net/Nikto2
10. SANS Institute. “Web Application Security Testing Methodologies.” SANS
Whitepapers, 2022. https://www.sans.org/white-papers

15