CB3591/ESSS/UNIT 4/V-CSE/SRRCET

SRI RAJA RAAJAN COLLEGE OF ENGINEERING AND TECHNOLOGY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

III-YEAR-CSE

2021 R

SUB CODE: CB3591

SUB NAME: ENGINEERING SECURE SOFTWARE SYSTEM

UNIT IV

SECURITY TESTING

Traditional Software Testing – Comparison – Secure Software Development Life Cycle – Risk Based
Security Testing – Prioritizing Security Testing With Threat Modeling – Penetration Testing –
Planning and Scoping – Enumeration – Remote Exploitation – Web Application Exploitation Exploits
and Client Side Attacks – Post Exploitation – Bypassing Firewalls and Avoiding Detection – Tools for
Penetration Testing

PREPARED BY VERIFIED BY APPROVED BY

[Link] CHITHRA HOD DEAN

1
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

PART A

1. What is traditional software testing?

Answer:
Traditional software testing focuses on verifying functionality, performance, and correctness of
software without considering security aspects.

2. How does security testing differ from traditional software testing?

Answer:
Security testing identifies vulnerabilities and ensures the software is protected against threats,
whereas traditional testing verifies functional correctness.

3. What is Secure Software Development Life Cycle (SSDLC)?

Answer:
SSDLC is an approach where security is integrated into every phase of the software development
lifecycle to build secure applications.

4. Why is SSDLC important?

Answer:
SSDLC helps in detecting and fixing security flaws early, reducing cost, risk, and effort in later
stages.

5. Define Risk-Based Security Testing.

Answer:
It is a testing approach that focuses on identifying and testing the most critical security risks
based on threat analysis.

6. What is the key objective of risk-based security testing?

Answer:
To prioritize and allocate testing resources to areas with the highest security risks.

7. What is Threat Modeling?

Answer:
Threat modeling is a process of identifying, analyzing, and mitigating potential security threats
to a system.

2
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

8. How does threat modeling help in security testing?

Answer:
It helps prioritize security testing by identifying which areas are most vulnerable to threats.

9. Define Penetration Testing.

Answer:
Penetration Testing is a simulated cyberattack performed to find and exploit vulnerabilities in a
system.

10. What are the phases of penetration testing?

Answer:
Phases include planning, reconnaissance, enumeration, exploitation, post-exploitation, and
reporting.11. What is the purpose of planning and scoping in penetration testing?

Answer:
It defines objectives, target scope, rules of engagement, and legal boundaries for the penetration
test.

12. What is enumeration in penetration testing?

Answer:
Enumeration involves actively gathering detailed information about the target like usernames,
shares, and services.

13. What is remote exploitation?

Answer:
It refers to exploiting vulnerabilities in a system from a remote location without physical access.

14. What is web application exploitation?

Answer:
It involves exploiting vulnerabilities in web apps such as SQL injection, XSS, and authentication
bypass.

15. Give two examples of client-side attacks.

3
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Answer:
Cross-Site Scripting (XSS) and malicious browser plugins are examples of client-side attacks.

16. What is post-exploitation?

Answer:
Post-exploitation is the phase where the attacker maintains access, gathers data, and escalates
privileges after initial compromise.

17. What does bypassing firewalls mean in security testing?

Answer:
It refers to techniques used to avoid detection and access systems protected by firewall rules.

18. Mention one method to avoid detection during a penetration test.

Answer:
Using encrypted communication or polymorphic payloads helps avoid intrusion detection
systems.

19. Name two tools used in penetration testing.

Answer:
Nmap and Metasploit are commonly used tools in penetration testing.

20. Why is tool selection important in penetration testing?

Answer:
The right tools help effectively identify vulnerabilities and simulate real-world attacks
efficiently.

4
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Part B

[Link] in details about Traditional Software Testing.

Definition:

Traditional software testing is the process of evaluating and verifying that a software application
performs its intended functions correctly without focusing on security aspects.

Main Objective:

To ensure:

 Functionality

 Reliability

 Performance

 Usability

Phases of Traditional Testing:

1. Requirement Analysis

2. Test Planning

3. Test Case Design

4. Test Environment Setup

5. Test Execution

6. Defect Reporting and Tracking

5
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

7. Test Closure

Types of Traditional Testing:

Type Purpose

Unit Testing Test individual units/components

Integration Testing Test combinations of units

System Testing Test the entire system end-to-end

Acceptance Testing Verify system meets business needs

Regression Testing Check that changes didn’t break existing features

Diagram

Limitations of Traditional Testing:

6
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

 Focuses on functionality, not on security or vulnerability detection.

 May miss critical threats and exploits.

 Doesn’t simulate real-world attacks.

When Traditional Testing Is Not Enough:

 In applications handling sensitive data.

 For web-facing or networked software.

 When compliance and data protection are critical.

2. Compare Traditional Testing vs Security Testing.

Aspect Traditional Software Testing Security Testing

Main Focus Functionality, performance, and correctness Identifying vulnerabilities and ensuring protection

To check whether the software meets To ensure software can withstand malicious
Goal
requirements attacks

Based on functional specs and user

Test Cases Based on threats, risks, and attack vectors
requirements

Vulnerability Scanning, Penetration Testing, Fuzz

Types of Testing Unit, Integration, System, Acceptance
Testing

Tools Used Selenium, JUnit, QTP, TestNG Burp Suite, Nessus, Metasploit, Nmap

Performed By QA Testers or Developers Ethical Hackers, Security Analysts

Security Coverage Not considered High priority; main objective

Detection Finds bugs, logic errors, performance issues Finds security holes and loopholes

Test Environment Simulated real-user scenarios Simulates attacker environment

Example Bug Button doesn’t work, crash on login SQL Injection, XSS, Privilege Escalation
7
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Aspect Traditional Software Testing Security Testing

[Link] SECURE SOFTWARE DEVELOPMENT LIFE CYCLE (SSDLC)

Definition:

The Secure Software Development Life Cycle (SSDLC) is a framework that integrates
security practices into every phase of the software development life cycle (SDLC), ensuring
that software is developed securely from the start.

Main Goal:

To identify and mitigate security risks early in the software development process, reducing cost
and enhancing software safety and compliance.

Phases of SSDLC with Security Activities:

Phase Security Activities

- Identify security requirements

1. Requirements
- Regulatory and compliance checks (e.g., GDPR)

- Threat modeling
2. Design - Security architecture
- Risk analysis

3. Implementation - Secure coding standards

- Code reviews
8
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Phase Security Activities

- Use of security libraries

- Static and dynamic analysis

4. Testing - Penetration testing
- Fuzz testing

- Secure configuration
5. Deployment - Patch management
- Encryption setup

- Continuous monitoring
6. Maintenance - Security updates
- Incident response

Diagram: SSDLC Workflow

9
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Benefits of SSDLC:

 🛡Improved security of the final product

 💸 Reduces cost of fixing late-stage issues

 📈 Ensures compliance with standards and laws

 🔍 Minimizes risk of data breaches and attacks

 🧠 Promotes security-aware culture in development

10
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Common Tools Used:

 SAST (Static Analysis): SonarQube, Fortify

 DAST (Dynamic Analysis): OWASP ZAP, Burp Suite

 Threat Modeling: Microsoft Threat Modeling Tool

 Code Analysis: Checkmarx, Veracode

Conclusion:

SSDLC ensures that security is not an afterthought. It builds secure software by incorporating
security measures from planning to post-deployment.

4. Explain Risk-Based Security Testing (RBST)

Definition:

Risk-Based Security Testing is a testing approach that prioritizes and focuses on testing the
most critical areas of the application based on risk levels.

Main Goal:

 To identify, analyze, and test parts of the software that are most vulnerable or likely to
be attacked.

 To use limited resources effectively by focusing on high-risk areas.

Key Concepts in RBST:

Term Meaning

Risk The possibility of a threat exploiting a vulnerability

11
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Term Meaning

Risk Level Combination of likelihood and impact of a threat

Prioritization Testing areas with higher risk first

Mitigation Actions taken to reduce the risk

Identify Assets

Identify Threats
Perform Testing
& vulnarabilities

Prioritize Tests
Assess Risks
(High-risk first)

Steps Involved in RBST:

1. Asset Identification
→ What needs to be protected (data, components, APIs, etc.)

2. Threat & Vulnerability Identification

→ Use threat modeling to find potential threats.

12
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

3. Risk Assessment
→ Evaluate likelihood and impact of threats.

4. Prioritize Test Cases

→ Test high-risk areas first (e.g., login systems, payment gateways)

5. Execute Security Tests

→ Use tools and techniques like penetration testing, SAST, DAST.

6. Fix & Retest

→ Mitigate the vulnerabilities and validate the fixes.

Benefits of Risk-Based Security Testing:

 🧠 Smart resource usage – focus where it's needed most

 Saves time and cost – avoids unnecessary testing

 🔐 Better security – addresses the most critical risks

 📋 Improves test planning – based on realistic threat models

Tools Commonly Used:

 Threat Modeling: OWASP Threat Dragon, Microsoft TMT

 Risk Assessment: FAIR, CVSS

 Security Testing: OWASP ZAP, Burp Suite, Nessus

Conclusion:

Risk-Based Security Testing helps to test smarter, not harder. It ensures that the most
vulnerable and impactful parts of the application are secured first.

5. Explain Prioritizing Security Testing with Threat Modeling

Definition:

Threat modeling is the process of identifying, analyzing, and evaluating potential threats to
a system.
13
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

By combining it with security testing, we can prioritize which areas to test first based on
threat severity and risk level.

Why Use Threat Modeling in Security Testing?

 Helps to focus on high-risk areas first

 Prevents wasting time on low-impact components

 Identifies what an attacker is likely to target

How Prioritization Works:

Step Purpose

1. Asset Identification Know what needs protection (e.g., user data, payment info)

2. Threat Modeling Identify how the system can be attacked

3. Risk Evaluation Use impact and likelihood to calculate risk

4. Prioritize Test Cases High-risk threats are tested first

5. Perform Security Tests Use tools to verify vulnerabilities (SAST, DAST, Pen-testing)

Diagram: Threat Modeling in Security Testing

+---------------------------+
| 1. Identify Assets |
| (What needs protection?) |
+---------------------------+
↓
+---------------------------+
| 2. Create Architecture |
| Diagrams |
+---------------------------+
↓
+---------------------------+
| 3. Identify Threats |
| (STRIDE, attack trees) |
+---------------------------+
↓
+---------------------------+
| 4. Assess Risks |
| (Impact × Likelihood) |
14
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

+---------------------------+
↓
+---------------------------+
| 5. Prioritize Testing |
| (Focus on top threats) |
+---------------------------+

Common Threat Modeling Techniques:

Technique Description

Identifies six threat types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of
STRIDE
Service, Elevation of Privilege

Attack Trees Visual representation of attack paths

DREAD Rates risk using Damage, Reproducibility, Exploitability, Affected Users, Discoverability

Benefits:

 🎯 Focused security testing

 🔒 Stronger protection of critical assets

 💡 Better understanding of system weaknesses

 Efficient use of time and testing resources

Conclusion:

By using threat modeling to prioritize security testing, teams can test what matters most
first, ensuring stronger and more efficient software protection.

[Link] in details abot the Penetration Testing

Definition:

15
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Penetration Testing, also known as ethical hacking, is the process of simulating real-world
cyberattacks on a system, application, or network to identify and exploit security
vulnerabilities.

Objective:

 To find and fix security weaknesses before real attackers do

 To assess the effectiveness of security controls

 To evaluate risk and ensure compliance

Diagram: Penetration Testing Process

1. Planning and Reconnaissance

 This stage involves defining the scope and objectives of the penetration test. It's crucial to
understand what systems or networks will be tested and what testing methods will be
employed.

16
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

 During reconnaissance, information about the target system is gathered. This includes details
like network names, domain records, and any publicly available information about the
organization's infrastructure.

2. Scanning

 In this phase, various tools and techniques are used to understand how the target application
responds to intrusion attempts.

 Static analysis involves inspecting the application's code without executing it. This helps
identify potential vulnerabilities based on code structure and logic.

 Dynamic analysis involves inspecting the application's behavior while it's running. This
provides real-time insights into how the application responds to different inputs and
interactions.

3. Gaining Access

 Once vulnerabilities are identified in the scanning phase, this stage focuses on exploiting
those vulnerabilities to gain unauthorized access to the target system.

 Common techniques include exploiting flaws like SQL injection or cross-site scripting to
gain control over the application or system.

4. Maintaining Access

 After gaining initial access, the goal is to establish a persistent presence within the system.
This mimics the behavior of real attackers who aim to maintain access over an extended
period.

 Techniques like establishing backdoors, escalating privileges, and maintaining persistence

are employed to ensure continued access to the system.

5. Analysis

 Once the penetration test is complete, the results are compiled into a detailed report.

 This report includes information about the vulnerabilities that were successfully exploited,
any sensitive data accessed, and the duration of undetected access.

17
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

 Security personnel analyze this information to understand the effectiveness of existing

security measures and to prioritize remediation efforts.

 Penetration testing methods

 Here are the main Penetration testing methods follows:

 Penetration-testing-methods

 Penetration testing methods

External Testing

 This test targets a company's online assets, like its website, web applications, email systems,
and domain name servers (DNS). The goal is to break in and steal valuable data, just like a
real hacker would.

 Purpose: This method helps organizations understand their vulnerabilities from an external
threat perspective, highlighting weaknesses that malicious actors could exploit. It enables
proactive mitigation of risks before they are exploited by real attackers.

Internal Testing

 Here, a tester who has access to the company's internal systems simulates an attack from
within. This could be like an employee's account being hacked through a phishing attack,
even if the employee themselves isn't doing anything wrong.

 Purpose: The aim is to evaluate the effectiveness of internal security controls and detection
mechanisms. By simulating an insider threat scenario, organizations can identify weaknesses
in their internal security posture and improve measures to prevent unauthorized access.

Blind Testing

 In this test, the tester only knows the name of the company. This simulates a real attack,
showing how the company's security team responds in real time without prior knowledge of
the test.

 Purpose: This approach tests the organization's incident response capabilities and readiness
to handle unexpected attacks. It helps assess how effectively security teams detect, respond
to, and mitigate security breaches without advance notice, reflecting real-world attack
scenarios.
18
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Double-Blind Testing

This is like a surprise drill. The security team doesn't know about the test in advance, so they
can't prepare. This shows how well they can handle unexpected attacks.

Purpose: The objective is to evaluate the organization's overall security posture, including the
effectiveness of monitoring and response mechanisms under realistic conditions.

It provides insights into the organization's ability to detect and mitigate security threats without
prior preparation or knowledge of the simulated attack.

Targeted Testing

Both the tester and the company's security team know about the test and work together. This is a
training exercise where the security team gets live feedback from the tester, learning how to
improve their defenses.

Purpose: This method serves as a controlled exercise to train and validate the response
capabilities of the security team.

It allows for real-time feedback from the tester, facilitating continuous improvement of security
measures and incident response protocols based on identified vulnerabilities and weaknesses.

Types of Penetration Testing

 Black Box Penetration Testing:- In this Method attacker does not know the target as it
exactly simulates an actual cyber attack where an actual black hat hacker attacks.

 This testing takes time as the attacker does not know the system so he gathers them.

 This method is used to find existing vulnerabilities in the system and to simulate how far a
hacker can go into the system without any info about the system.

Grey Box Penetration Testing:- In this method, the attacker is provided with a bit more
information about the target like network configurations, subnets, or a specific IP to test,
Attacker has a basic idea of how the machine is to which he/she is going to perform an attack,
they may also be provided with low-level login credentials or access to the system which helps
them in having a clear approach, This saves time of Reconnaissance the target.
19
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

White Box Penetration Testing:- We can say that in this testing method attackers have
developer-level knowledge about the system which also includes an assessment of source code,
Ethical hackers have full access to the system more in-depth than black box testing. It is used to
find out potential threats to the system due to bad programming, misconfigurations, or lack of
any defensive measures.

Penetration testing and web application firewalls

 Penetration testing utilizes WAF data such as logs, except in blind and double blind tests, to
identify and exploit application weaknesses.

 WAF administrators use pen testing results to update configurations and enhance protection
against vulnerabilities discovered during testing.

 Penetration testing satisfies compliance requirements for security audits like PCI DSS and
SOC 2.

 Standards like PCI-DSS 6.6 mandate a certified WAF, but pen testing remains crucial for
improving WAF configurations and overall security.

Advantages of the Penetration test

 The penetration test can be done to find the vulnerability which may serve as a weakness for
the system.

 It is also done to identify the risks from the vulnerabilities.

 It can help determine the impact of an attack and the likelihood of it happening.

 It can help assess the effectiveness of security controls.

 It can help prioritize remediation efforts.

 It can ensure that the system is secure.

 It can be used to test the security of any system, no matter how large or small.

 It can be used to find vulnerabilities in systems that have not yet been exploited.

 It can be used to assess the effectiveness of security controls in place.

 It can be used to educate employees about security risks.

Disadvantages of the Penetration test

20
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

 The penetration test which is not done properly can expose data that might be sensitive and
more.

 The penetration tester has to be trusted, otherwise, the security measures taken can backfire.

 It is difficult to find a qualified penetration tester.

 Penetration testing is expensive.

 It can be disruptive to business operations.

 It may not identify all security vulnerabilities.

 It may give false positives (incorrectly identifying a vulnerability).

 It may give false negatives (failing to identify a vulnerability).

Penetration testing tools

Nmap: It is a network exploration tool and security scanner. It can be used to identify hosts and
services on a network, as well as security issues.

Nessus: It is a vulnerability scanner. It can be used to find vulnerabilities in systems and

applications.

Wireshark: It is a packet analyzer. It can be used to capture and analyze network traffic.

Burp Suite: It is a web application security testing tool. It can be used to find security issues in
web applications.

7. Enumeration in Penetration Testing

Enumeration is a critical phase in penetration testing where an ethical hacker actively connects
to a target system to gather detailed information about it. This information can later be used to
identify vulnerabilities and exploit them.

Definition

Enumeration is the process of extracting usernames, machine names, network resources,

shares, and services from a system. It involves active information gathering, unlike passive
techniques such as footprinting.

21
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Key Objectives of Enumeration

 Discover valid usernames and groups

 Identify network shares

 Determine operating systems and service banners

 List running services and ports

 Detect vulnerabilities in protocols (e.g., SMB, SNMP, LDAP)

Common Enumeration Techniques

Technique Purpose
NetBIOS Enumeration Discover shared resources and users
SNMP Enumeration Get system info via Simple Network Management Protocol
SMTP Enumeration Identify valid email accounts on the mail server
DNS Enumeration Gather info about domain names and IPs
LDAP Enumeration Access user and group info in directory services
NFS Enumeration Discover exposed file systems
RPC Enumeration Gather details about Remote Procedure Calls on a system

Popular Enumeration Tools

Tool Use Case

Nmap Port and service discovery
Netcat Manual banner grabbing
Enum4linux SMB/NetBIOS enumeration
SNMPWalk SNMP information extraction
Nikto Web server vulnerability scanning
Dirb / Gobuster Directory and file enumeration on websites

Enumeration Process (with Diagram)

+----------------+ +-----------------+ +------------------+
| Target System | <---> | Enumeration Tool| <-----> | Penetration Tester|
+----------------+ +-----------------+ +------------------+
^ |
| Active Info Gathering |
+---------------------------+
22
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Why Enumeration Matters in Security Testing

 Helps identify attack surface

 Aids in privilege escalation

 Reveals weak configurations or default settings

 Forms the foundation for further exploitation

Example
nmap -sV -T4 [Link]

 -sV is used to enumerate services running on open ports.

[Link] Exploitation – Notes

Definition:

Remote Exploitation is the process where an attacker targets a vulnerable system over a
network (like the internet or LAN) to gain unauthorized access, execute malicious code, or
take control.

Objective:

Gain control of the remote system

Bypass security mechanisms

Access sensitive data

Use the compromised system to attack others

Key Steps in Remote Exploitation:

Information Gathering
23
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Identify IP, open ports, services

Tools: Nmap, Netcat, Nikto

Vulnerability Scanning

Identify software flaws or misconfigurations

Tools: OpenVAS, Nessus, MSF Auxiliary

Gaining Access

Exploit vulnerabilities (e.g., buffer overflow, unpatched services)

Use Metasploit modules, custom scripts

Privilege Escalation

Move from limited user to root/admin

Use kernel exploits, misconfigured permissions

Maintaining Access

Install backdoors, web shells, or persistence scripts

Covering Tracks

Delete logs, hide payloads, obfuscate tools

Common Tools:

Metasploit Framework

Hydra (for brute force)

Netcat

Nmap

Burp Suite (for web apps)

24
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Common Remote Exploits:

Remote Code Execution (RCE)

SQL Injection (remote DB control)

Remote Buffer Overflow

Web App Exploits (e.g., XSS + CSRF)

Remote Exploitation – Diagram

Here is a simple architecture to represent the Remote Exploitation Process:

+------------------+ Scan +-------------------+

| Attacker Machine | --------------> | Target System |

| (Kali Linux etc) | <-------------- | (Web/App Server) |

+------------------+ Response +-------------------+

| |

| Exploit Found (via port/service/vuln)

|-------------------------------->

| Shell Access or Payload Execution

|<--------------------------------

| Privilege Escalation

|<--------------------------------

25
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

| Backdoor/Reverse Shell

|<--------------------------------

| Data Exfiltration / Control

|<--------------------------------

Real-Life Example:

CVE-2017-5638 (Apache Struts2 RCE):

Remote attackers exploited a vulnerability in Apache Struts2 to execute arbitrary

commands on servers hosting vulnerable versions.

Summary:
Step Description

Reconnaissance Identify target systems and open ports

Scanning Detect vulnerabilities and versions

Execute payload or shellcode on the

Exploitation
target

Privilege Escalation Gain admin/root privileges

Maintain Access Set backdoors or reverse shells

Clear Tracks Remove logs and hide presence

[Link] Application Exploitation – Notes

Definition:

Web Application Exploitation refers to attacking vulnerabilities in web applications

(websites or web APIs) to gain unauthorized access, steal data, or take control of web servers
or client machines.
26
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Common Web Application Vulnerabilities:

Vulnerability Description

SQL Injection (SQLi) Inserting malicious SQL to control DB

Cross-Site Scripting
Injecting malicious JavaScript
(XSS)

Cross-Site Request
Forcing users to perform unwanted actions
Forgery (CSRF)

Command Injection Executing system-level commands on server

File Upload
Uploading malicious files (web shells)
Vulnerabilities

Broken Authentication Flaws in login/logout/session management

Improper settings (e.g., directory listing, debug

Security Misconfiguration
mode on)

Tools Used:

Burp Suite

OWASP ZAP

Nikto

SQLMap

Wfuzz, DirBuster

Client-Side Attacks – Notes

Definition:

27
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Client-Side Attacks exploit vulnerabilities in the user's browser, plugins, or web content
loaded from a website. The attacker tricks the user into executing malicious code in the browser.

Common Client-Side Attacks:

Attack Type Description

XSS (Cross-Site
Injected scripts run in victim's browser
Scripting)

User clicks something they don’t see (invisible

Clickjacking
frame)

Drive-by Download Auto-download malware when a page is visited

CSRF Makes user send malicious request to trusted site

Malicious Ads
Advertisements with hidden malicious code
(Malvertising)

Client-Side Attack Tools:

BeEF (Browser Exploitation Framework)

SET (Social Engineering Toolkit)

Maltego

Wireshark (to inspect traffic)

DIAGRAM – Web & Client-Side Attack Flow

+---------------+ +-----------------------+

| Attacker | | Victim User (Client) |

| (with payload)| | Using Browser |

+-------+-------+ +----------+------------+

28
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

| |

| Inject Malicious Script (XSS) |

|<------------------------------------|

| |

| User clicks/link/loads web app |

|------------------------------------>|

| Script Executes in Browser |

| Sends Cookies/Data to Attacker |

|<------------------------------------|

Real-Life Examples:

XSS in Facebook (2013): Allowed attackers to hijack Facebook accounts using

malicious posts.

SQL Injection in Yahoo (2012): Allowed attackers to steal user data by exploiting login
vulnerabilities.

Summary Table:
Type Example Tool Goal

SQL Injection SQLMap Access database illegally

XSS Burp Suite Steal cookies, run scripts

Custom
CSRF Perform actions as a user
Scripts

File Upload Upload shells to get server

Manual/Burp
Attack access

Clickjacking CSS/HTML Trick user into clicking hidden UI

29
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Type Example Tool Goal

Tricks

Drive-by
Exploit Kits Install malware silently
Download

[Link] in detail about Post Exploitation .

Definition:

Post Exploitation refers to the activities carried out after successfully exploiting a target
system. The attacker now has access and focuses on:

Gathering sensitive data

Maintaining access

Pivoting to other systems

Covering tracks

It’s all about what you do after breaking in.

Objectives of Post Exploitation:

Objective Purpose

Information
Extract system, network, and user info
Gathering

Privilege Escalation Gain admin or root access

30
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Objective Purpose

Persistence Maintain long-term access

Data Exfiltration Steal files, passwords, tokens

Lateral Movement Move to other machines in the network

Avoid detection by cleaning logs and

Covering Tracks
history

Steps in Post Exploitation:

System Reconnaissance

Collect OS details, user accounts, running processes

Command examples: whoami, ipconfig, netstat

2. Password and Token Dumping

Extract credentials from memory or password files

Tools: Mimikatz, LaZagne

3. Privilege Escalation

Use kernel exploits or misconfigurations

Tools: Linux Exploit Suggester, WinPEAS, LinPEAS

4. Persistence
31
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Add new admin user, install backdoor

Schedule scripts or install services to regain access

5. Lateral Movement

Move inside the network to attack other systems

Tools: PsExec, Impacket, CrackMapExec

6. Covering Tracks

Delete logs, clear history, disguise malware

Commands: rm -rf /var/log, Clear-EventLog

Diagram – Post Exploitation Workflow

| Exploited System |

| Information Gathering |

| - OS, Users, Network Info |

| Privilege Escalation |

| - Gain Admin/Root Rights |

32
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

| Maintain Access |

| - Backdoors, Auto-Scripts |

| Lateral Movement |

| - Attack Other Systems |

| Cover Tracks |

| - Delete Logs, Hide Tools|

Tools Used in Post Exploitation:

Tool Use Case

Metasplo
Post modules for gathering info, privilege escalation
it

Mimikat
Dump passwords/tokens on Windows
z

Empire Post-exploitation framework for Windows

BloodHo
Visualize and exploit Active Directory
und

PowerSh
Used for stealthy Windows exploitation
ell

Netcat Create reverse shells and data transfer

33
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Key Outcomes of Post Exploitation:

Gain deeper access into the network

Maintain stealthy long-term control

Steal confidential information

Fully understand and document the target’s environment

If you want, I can also:

Give you practical lab/demo steps using Metasploit

Provide a printable PDF version

Help create notes for exams or viva preparation

11.🔥 Bypassing Firewalls and Avoiding Detection – Notes

Definition:

Firewall Bypass: Techniques used to evade firewall rules that block unauthorized access
to or from a network.

Avoiding Detection: Strategies to hide attacker activities from security tools like IDS
(Intrusion Detection Systems), antivirus, and logging systems.

These techniques are used during reconnaissance, exploitation, and especially post-
exploitation stages of penetration testing.
34
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

🔐 Goals:
Goal Description

Avoid being blocked during

Evade firewalls
communication

Bypass IDS/IPS Avoid detection of malicious behavior

Stay hidden from

Don’t show up in logs or alerts
admins

Maintain persistence Stay inside the system undetected

Common Techniques for Bypassing Firewalls:

1. Port Redirection

Use open ports (e.g., port 80 or 443) to tunnel malicious traffic.

Tools: SSH tunneling, Socat, ProxyChains

2. Tunneling (Protocol Encapsulation)

Wrap malicious payload in allowed protocols (e.g., HTTP/S, DNS).

Tools: DNSCat2, ICMP Tunneling

3. Reverse Shell

Target connects back to attacker on an allowed port (e.g., HTTPS).

Tools: Netcat, msfvenom, Metasploit

4. Proxy Servers/VPN

Route traffic through proxy or VPN to hide origin.

Techniques for Avoiding Detection:

35
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

1. Payload Obfuscation

Encode or encrypt payloads to bypass antivirus.

Tools: Veil, Shellter, msfvenom -e

2. Living off the Land (LotL)

Use native system tools like PowerShell, WMI, certutil to avoid suspicion.

3. Log Cleaning

Delete or modify logs to erase traces.

Commands: Clear-EventLog, delete .bash_history, remove log files

4. 🧬 Stealthy Malware

Use polymorphic (changing shape) or fileless malware to avoid AV.

5. 📡 Slow and Low

Send commands or data in small chunks to avoid IDS rate-based alerts.

🧰 Tools Used:
Tool Purpose

ProxyChai
Route traffic through proxies
ns

Tor Anonymize traffic

Veil-
Create AV-bypassing payloads
Evasion

36
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Tool Purpose

Contains evasion and payload

Metasploit
tools

Ncat/
Covert communication
Netcat

Diagram – Firewall Bypass & Detection Avoidance

Real-World Example:

Reverse HTTPS Payload:

37
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Attacker creates a Metasploit payload that connects back on port 443 (looks like HTTPS).

Firewalls allow it.

Payload is encoded to bypass antivirus.

Attacker gets a shell.

Summary Table:
Technique Purpose Tool Example

Inbound blocked? Go Netcat,

Reverse Shell
outbound Metasploit

Protocol Hide in DNS/HTTP/ICMP

DNSCat2, Iodine
Tunneling traffic

Payload Encoding Avoid antivirus Veil, msfvenom

Log Clearing Remove traces PowerShell, Bash

Low & Slow Evade IDS thresholds Manual, scripted

LotL Tools Avoid AV detection PowerShell, WMI

[Link] the tools for Penetration Testing.

Here's a complete and clear list of tools used in Penetration Testing, categorized by the
phases of the penetration testing life cycle, along with short descriptions. This is useful for
both academic study and practical learning.

Penetration Testing Phases & Tools

Purpo
Phase Tool Name
se

1.
Reconnaissanc
e

38
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Purpo
Phase Tool Name
se

Port scanning and network

- Nmap
discovery

- Maltego Information gathering and OSINT

- Recon-ng Web-based reconnaissance

Email, subdomain, people info

- theHarvester
search

2. Scanning and
Enumeration

- Nessus Vulnerability scanning

- Nikto Web server scanning

Full-featured vulnerability
- OpenVAS
scanner

- Enum4linux Windows/Linux enumeration

- Netcat Banner grabbing, port listening

3. Gaining Access
(Exploitation)

Exploitation, payload
- Metasploit Framework
generation

- SQLMap Automated SQL injection

- BeEF Browser exploitation

- Hydra Brute force login attacks

39
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

3. Gaining Access
(Exploitation)

- John the Ripper Password cracking

4. Privilege Escalation

Privilege escalation enumeration

- WinPEAS/LinPEAS
tools

- PowerUp Windows privilege escalation

- Linux Exploit
Find kernel/local exploits on Linux
Suggester

5. Maintaining
Access

- Netcat
Remote shell & backdoor setup
(Backdoor)

- Empire Post-exploitation & persistence

Persistent payload from

- Meterpreter
Metasploit

6. Covering Tracks

- Clearev (Metasploit) Clear Windows logs

Remove command
- PowerShell Scripts
history/logs

40
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

6. Covering Tracks

- bash_history
Delete Linux shell history
manipulation

7.
Reporting

Reporting platform for pentest

- Dradis
results

- Faraday Collaborative pentesting platform

- Serpico Automated pentest reporting

Categorized Summary Table

Category Tools

Reconnaissanc
Nmap, theHarvester, Maltego, Recon-ng
e

Scanning Nessus, OpenVAS, Nikto, Netcat, Enum4linux

Metasploit, SQLMap, Hydra, BeEF, John the

Exploitation
Ripper

Post
Meterpreter, Mimikatz, PowerShell Empire
Exploitation

Password
John the Ripper, Hydra, Hashcat
Attacks

Wireless
Aircrack-ng, Wifite, Kismet
Attacks

Web App
Burp Suite, OWASP ZAP, Nikto, DirBuster
Testing

Reporting Dradis, Faraday, Serpico

41
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

Top 5 Must-Know Tools for Beginners:

Nmap – Scanning and reconnaissance

Burp Suite – Web application security testing

Metasploit – All-purpose exploitation framework

SQLMap – Powerful for database exploitation

John the Ripper – Password cracking

Optional Add-on:

Would you like a flowchart or diagram showing where each tool fits into the penetration
testing cycle? Or a printable one-page cheat sheet?

Let me know if you'd like it in PDF, PPT, or notebook format for your class or exam prep

PART B Review Questions

1. Compare and contrast traditional software testing with security testing. Explain with suitable
examples.

2. Explain the Secure Software Development Life Cycle (SSDLC) and describe how security is
integrated at each phase.

3. What is Risk-Based Security Testing? Discuss its methodology, benefits, and how it differs
from conventional testing.

4. Illustrate how Threat Modeling helps in prioritizing security testing. Explain any one threat
modeling technique in detail (e.g., STRIDE, DREAD, etc.).

5. Describe the steps involved in Penetration Testing. What are the key goals and
methodologies used during a penetration test?

42
Prepared by [Link] Chithra AP/CSE.
 CB3591/ESSS/UNIT 4/V-CSE/SRRCET

6. Explain the importance of Planning and Scoping in Penetration Testing. What components
should be included in a good penetration test plan?

7. Define Enumeration in penetration testing. Explain its techniques and how it contributes to
the overall security assessment process.

8. What is Remote Exploitation? Explain the process with examples of common remote
exploitation techniques used by attackers.

9. Discuss the various types of Web Application Exploits and Client-Side Attacks. How can
these be identified and prevented?

10. What is Post-Exploitation in penetration testing? Discuss the objectives, techniques, and
tools used after gaining initial access to a system.

[Link] can firewalls be bypassed by attackers? Discuss techniques used to avoid detection and
intrusion prevention systems.

12. List and explain at least five important tools used in penetration testing. Describe their
functionalities and use-cases.

43
Prepared by [Link] Chithra AP/CSE.