0% found this document useful (0 votes)

28 views27 pages

Secure Software Engineering - Lab Manual

The document is a lab manual for the course 'Secure Software Engineering' at GITAM University, detailing various experiments related to secure coding practices. It includes tasks such as testing for vulnerabilities like SQL Injection, Cross-Site Scripting, and Command Injection, along with secure code testing examples in Python and Java. The manual serves as a guide for students to learn and implement secure software engineering techniques.

Uploaded by

Vasanthi Muniasamy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

28 views27 pages

Secure Software Engineering - Lab Manual

Uploaded by

Vasanthi Muniasamy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 27

lOMoARcPSD|16913580

19ECS448P Secure Software Engineering - Lab Manual

Secure Software Engineering (Gandhi Institute of Technology and Management

(Deemed to be University))

Studocu is not sponsored or endorsed by any college or university

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)
lOMoARcPSD|16913580

GITAM UNIVERSITY
(DEEMED TO BE UNIVERSITY) GITAM GITAM School of Technology

Department of Computer Science and Engineering

19ECS448P: SECURE SOFTWARE ENGINEERING

LAB MANUAL

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

List of experiments
P.
S.No Experiments No

INTERACTIVE TASKS FROM CODE BASHING

1. 1Android Application - Forceful Browsing

2. iOS Application - Forceful Browsing

3. Secure Cookie Flag

4. SQL Injection

5. Command Injection

6. No Server-Side Validation

7. Stack Overflows

8. Broken Object Level Authorization

9. Broken Function Level Authorization

10. Cross-Site Scripting

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Secure Code Testing in SNYK (Python)

1. 1Evaluating user-supplied input

2. Authentication check using SQL

3. F.read function Check

4. Evaluation of Post Function

5. Evaluation of Read Function

6. Fetch Data Function

7. Search Function

8. Arguments

Secure Code Testing in SNYK (Java)

9. File Operations

10. String Operations

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 1 Android Application - Forceful Browsing

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 2 iOS Application - Forceful Browsing

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 3 Secure Cookie Flag

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 4 SQL Injection

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 5 Command Injection

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 6 No Server-Side Validation

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 7 Stack Overflows

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 8 Broken Object Level Authorization

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 9 Broken Function Level Authorization

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 10 Cross-Site Scripting

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Secure Code Testing in SNYK (Python)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 1 Evaluating user-supplied input

1- from flask import Flask, request

app = Flask(__name__)

@app.route('/run_command', methods=['POST'])
def run_command():
cmd = request.form.get('cmd')
result = eval(cmd) # VULNERABILITY: Evaluating user-supplied input as code is a dangerous practice
return result

if __name__ == '__main__':
app.run()

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 2 Authentication check using SQL

2-import mysql.connector
def get_user_info(username):
conn = mysql.connector.connect(user='user', password='password', host='host',
database='database')
cursor = conn.cursor()
query = "SELECT * FROM users WHERE username='" + username + "'"
cursor.execute(query)
results = cursor.fetchall()
cursor.close()
conn.close()
return results
username = input("Enter your username: ")
print(get_user_info(username))

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 3 F.read function Check

3-def process_input(user_input):
with open(user_input, "r") as f:
content = f.read()
print(content)
user_input = input("Enter a file name: ")
process_input(user_input)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 4 Evaluation of Post Function

4- from flask import Flask, request app = Flask(name)

@app.route('/transfer', methods=['POST']) def transfer():

amount = request.form.get('amount')
recipient = request.form.get('recipient')
# Transfer the funds...
return 'Funds transferred successfully!'

if __name__ == '__main__':
app.run()

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 5 Evaluation of Read Function

5-def read_credit_card_number():
card_number = input("Enter your credit card number: ")
# do something with card_number return card_number

def process_payment(card_number):
# process payment with card_number pass
card_number = read_credit_card_number()
process_payment(card_number)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 6 Fetch Data Function

6-import requests
def fetch_data_from_url(url):
response = requests.get(url)
data = response.text
exec(data)
url = input("Enter a URL: ")
fetch_data_from_url(url)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 7 Search Function

7- from flask import Flask, request

app = Flask(__name__)
@app.route('/search')
def search():
query = request.args.get('q')
return f'Search results for: {query}'
if __name__ == '__main__':
app.run()

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 8 Arguments

import os
import urllib
from flask import Flask, request
from django.db import connection, models
from django.db.models.expressions import RawSQL

app = Flask(__name__)

@app.route("/code-execution")
def code_execution():
code1 = request.args.get("code1")
exec("setname('%s')" % code1)
return a

@app.route("/open-redirect")
def open_redirect():
redirect_loc = request.args.get('redirect')
return redirect(redirect_loc)
@app.route("/sqli/<username>")
def show_user(username):
with connection.cursor() as cursor:
cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)

if __name__ == '__main__':
app.run(host='0.0.0.0', port=9000)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Secure Code Testing in SNYK (Java)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 9 File Operations

9-import java.io.*;
public class UnvalidatedInput {
public static void main(String[] args) {
String filename = args[0];
File file = new File(filename);
try (FileReader reader = new FileReader(file)) {
char[] buffer = new char[(int) file.length()];
reader.read(buffer);
System.out.println(buffer);

} catch (IOException e) { System.out.println("Error reading file");

}
}
}

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

lOMoARcPSD|16913580

Ex. 10 String Operations

10- import java.sql.*;

import java.util.Scanner;
public class SqlInjection {

public static void main(String[] args) { Scanner scanner = new

Scanner(System.in); System.out.print("Enter username: "); String
username = scanner.nextLine(); System.out.print("Enter password:
"); String password = scanner.nextLine();
try (Connection connection =
DriverManager.getConnection("jdbc:postgresql://localhost/mydb",
"user", "pass")) {

String query = "SELECT * FROM users WHERE username = '" + username + "' AND
password = '" + password + "'";

Statement statement = connection.createStatement(); ResultSet resultSet =

statement.executeQuery(query);
if (resultSet.next()) {
System.out.println("Login successful");
} else {
System.out.println("Login failed");
}
} catch (SQLException e) {
System.out.println("Error connecting to database");
}
}
}

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

19ECS448P Secure Software Engineering - Lab Manual
No ratings yet
19ECS448P Secure Software Engineering - Lab Manual
26 pages
19ecs448p Secure Software Engineering Lab Manual
No ratings yet
19ecs448p Secure Software Engineering Lab Manual
27 pages
Secure Software Engineering Lab Manual
No ratings yet
Secure Software Engineering Lab Manual
27 pages
Project File Class
No ratings yet
Project File Class
50 pages
Server-Side Scripting
No ratings yet
Server-Side Scripting
13 pages
Route Map Python Master V2.0 (NIGHT)
No ratings yet
Route Map Python Master V2.0 (NIGHT)
29 pages
Pythonfullstack
No ratings yet
Pythonfullstack
12 pages
Python For IGCSE Computer Science Workbook
No ratings yet
Python For IGCSE Computer Science Workbook
12 pages
Practical File
No ratings yet
Practical File
38 pages
Python TOC
No ratings yet
Python TOC
5 pages
Cs-Project-Report Final Removed 27 28
No ratings yet
Cs-Project-Report Final Removed 27 28
27 pages
Cs Project Report Modified
No ratings yet
Cs Project Report Modified
58 pages
Python FullStack Course Content
No ratings yet
Python FullStack Course Content
7 pages
Domain SQLi Finder - Py
No ratings yet
Domain SQLi Finder - Py
13 pages
Lab 3
No ratings yet
Lab 3
7 pages
Python
No ratings yet
Python
5 pages
Gunnells W. - Rapid Python Programming GUI Creation, Django Web Server, Game Programming, and Stock Analysis - 2017
No ratings yet
Gunnells W. - Rapid Python Programming GUI Creation, Django Web Server, Game Programming, and Stock Analysis - 2017
189 pages
II Pu New Syl - 25-26
No ratings yet
II Pu New Syl - 25-26
9 pages
Full Stack Development Syllabus Update
No ratings yet
Full Stack Development Syllabus Update
11 pages
Cable
No ratings yet
Cable
17 pages
Python Core and Advanced Syllabus
100% (4)
Python Core and Advanced Syllabus
4 pages
Computer Science: I II III
No ratings yet
Computer Science: I II III
5 pages
CB3591 ESSS Manual
No ratings yet
CB3591 ESSS Manual
30 pages
Computer Project
No ratings yet
Computer Project
23 pages
740 OK INTE 30023 - Integrative Programming and Technologies
No ratings yet
740 OK INTE 30023 - Integrative Programming and Technologies
106 pages
Os Lab 1..
No ratings yet
Os Lab 1..
12 pages
CLASS-12 CS-PROJECT (For Ishaan)
No ratings yet
CLASS-12 CS-PROJECT (For Ishaan)
28 pages
Internet Programming Lab Record
No ratings yet
Internet Programming Lab Record
52 pages
Infosys
No ratings yet
Infosys
27 pages
Maximum Marks: 70 Time Allowed: 3 HRS.: Part - A SECTION I - Attempt All 15 Questions
No ratings yet
Maximum Marks: 70 Time Allowed: 3 HRS.: Part - A SECTION I - Attempt All 15 Questions
7 pages
Cable Connection System Code
No ratings yet
Cable Connection System Code
14 pages
Cable Connecrtions
No ratings yet
Cable Connecrtions
15 pages
Python Programming Language Individual Assignment Malaysian Bank Loan Management System
No ratings yet
Python Programming Language Individual Assignment Malaysian Bank Loan Management System
51 pages
DeepSeek - Python Tutorial
No ratings yet
DeepSeek - Python Tutorial
8 pages
Lecture - 0 - INT213
No ratings yet
Lecture - 0 - INT213
39 pages
Web Attacks From Zero To Hero
No ratings yet
Web Attacks From Zero To Hero
66 pages
Python Maker Plan GE-V0
No ratings yet
Python Maker Plan GE-V0
3 pages
Cs Practical
No ratings yet
Cs Practical
37 pages
Programming For Security
No ratings yet
Programming For Security
25 pages
12 Syllabus 2023 Computer Science
No ratings yet
12 Syllabus 2023 Computer Science
4 pages
Class 12 CS Project
100% (6)
Class 12 CS Project
27 pages
Unit 2
No ratings yet
Unit 2
29 pages
Python Random Joke
No ratings yet
Python Random Joke
22 pages
Ip Project
No ratings yet
Ip Project
21 pages
Python Outlines 479 1
No ratings yet
Python Outlines 479 1
5 pages
Loops in Python
No ratings yet
Loops in Python
9 pages
Python & Full Stack Mastery
100% (1)
Python & Full Stack Mastery
7 pages
Python
No ratings yet
Python
3 pages
CH 8 - Server Side Programming 3
No ratings yet
CH 8 - Server Side Programming 3
21 pages
Navttc Course Outline Python Django Angular React
No ratings yet
Navttc Course Outline Python Django Angular React
8 pages
Python Password Manager Project
67% (3)
Python Password Manager Project
34 pages
Class 12 Informatics Practices Project
No ratings yet
Class 12 Informatics Practices Project
55 pages
Python For Data Analysis Assignment 1
No ratings yet
Python For Data Analysis Assignment 1
1 page
Gr22 - Cse (Aiml) - SL Lab Manual
No ratings yet
Gr22 - Cse (Aiml) - SL Lab Manual
47 pages
Yogesh Ratan Singh Computer Project
No ratings yet
Yogesh Ratan Singh Computer Project
80 pages
Software Security
No ratings yet
Software Security
39 pages
(Template) Software Security - Milestone 2
No ratings yet
(Template) Software Security - Milestone 2
4 pages
Macse502 Programming-For-data-science Eth 1.0 83 Macse502
No ratings yet
Macse502 Programming-For-data-science Eth 1.0 83 Macse502
4 pages
Figma Tutorial
No ratings yet
Figma Tutorial
121 pages
Lab Pong
No ratings yet
Lab Pong
25 pages
It - Practical Assignment
No ratings yet
It - Practical Assignment
4 pages
ADS - Practical Material 2024
No ratings yet
ADS - Practical Material 2024
12 pages
ADB - Practical Material 2024
No ratings yet
ADB - Practical Material 2024
12 pages
Chapter 1, 2 - OOP
No ratings yet
Chapter 1, 2 - OOP
9 pages
Ecommerce Course Specification Eng 2018
No ratings yet
Ecommerce Course Specification Eng 2018
7 pages
Cognizant Cluster 1 Technical Coding Assessment
100% (2)
Cognizant Cluster 1 Technical Coding Assessment
29 pages
03 Laboratory Exercise 1
No ratings yet
03 Laboratory Exercise 1
1 page
Isod Relnotes PDF
No ratings yet
Isod Relnotes PDF
30 pages
GOM Media Player
No ratings yet
GOM Media Player
1 page
Booting Problems in Solaris
No ratings yet
Booting Problems in Solaris
3 pages
Internship Presentation
78% (9)
Internship Presentation
11 pages
IT Practical File Class 10
100% (1)
IT Practical File Class 10
16 pages
How To Fix An Damaged Usb On Ubuntu
No ratings yet
How To Fix An Damaged Usb On Ubuntu
7 pages
HP Virtual Server Environment (VSE) : Steve Shipman Technical Client Consultant Hewlett Packard
No ratings yet
HP Virtual Server Environment (VSE) : Steve Shipman Technical Client Consultant Hewlett Packard
28 pages
Office 365 - Everything You Wanted To Know - Onwards
100% (1)
Office 365 - Everything You Wanted To Know - Onwards
120 pages
Module 8 - AE 1 Stand Alone Operating Systems
No ratings yet
Module 8 - AE 1 Stand Alone Operating Systems
10 pages
Linux MCQ Questions and Answers: Take Linux MCQ Online Test & Quiz To Test Your Knowledge
No ratings yet
Linux MCQ Questions and Answers: Take Linux MCQ Online Test & Quiz To Test Your Knowledge
6 pages
Digital Drawing Tools Using Java: A Project Report
No ratings yet
Digital Drawing Tools Using Java: A Project Report
27 pages
Titc Notes
No ratings yet
Titc Notes
47 pages
Abst Vs Intf
No ratings yet
Abst Vs Intf
4 pages
Profinet
No ratings yet
Profinet
8 pages
Elasticsearch Quick Start: An Introduction To Elasticsearch in Tutorial Form
No ratings yet
Elasticsearch Quick Start: An Introduction To Elasticsearch in Tutorial Form
21 pages
BPC 10.0 - Q & A Transcript - Insider Learning Network
No ratings yet
BPC 10.0 - Q & A Transcript - Insider Learning Network
7 pages
C Programming I/O Functions Guide
No ratings yet
C Programming I/O Functions Guide
4 pages
2C Redes
No ratings yet
2C Redes
34 pages
Office 365 Licensing
No ratings yet
Office 365 Licensing
1 page
Freelancing Platform Synopsis
No ratings yet
Freelancing Platform Synopsis
9 pages
Don't Leak My WiFi Key
No ratings yet
Don't Leak My WiFi Key
3 pages
Angular Signals - Complete Guide
No ratings yet
Angular Signals - Complete Guide
42 pages
12d - AP-L1-SL - Directory Structure & UNIX Commands
No ratings yet
12d - AP-L1-SL - Directory Structure & UNIX Commands
79 pages
IMK - Slide PPT Minggu 3
No ratings yet
IMK - Slide PPT Minggu 3
61 pages
DSLS Installation Guide
No ratings yet
DSLS Installation Guide
176 pages
Evaluate Funtion Obiee11g
No ratings yet
Evaluate Funtion Obiee11g
8 pages
Basavaraj-Azure Developer
No ratings yet
Basavaraj-Azure Developer
6 pages
Salesforce Integration Interview Questions
No ratings yet
Salesforce Integration Interview Questions
4 pages

Secure Software Engineering - Lab Manual

Uploaded by

Secure Software Engineering - Lab Manual

Uploaded by

lOMoARcPSD|16913580

19ECS448P Secure Software Engineering - Lab Manual

Secure Software Engineering (Gandhi Institute of Technology and Management

Studocu is not sponsored or endorsed by any college or university

Department of Computer Science and Engineering

19ECS448P: SECURE SOFTWARE ENGINEERING

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

INTERACTIVE TASKS FROM CODE BASHING

1. 1Android Application - Forceful Browsing

2. iOS Application - Forceful Browsing

3. Secure Cookie Flag

8. Broken Object Level Authorization

9. Broken Function Level Authorization

10. Cross-Site Scripting

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Secure Code Testing in SNYK (Python)

1. 1Evaluating user-supplied input

2. Authentication check using SQL

3. F.read function Check

4. Evaluation of Post Function

5. Evaluation of Read Function

6. Fetch Data Function

Secure Code Testing in SNYK (Java)

10. String Operations

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 1 Android Application - Forceful Browsing

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 2 iOS Application - Forceful Browsing

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 3 Secure Cookie Flag

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 4 SQL Injection

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 5 Command Injection

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 6 No Server-Side Validation

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 7 Stack Overflows

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 8 Broken Object Level Authorization

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 9 Broken Function Level Authorization

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 10 Cross-Site Scripting

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Secure Code Testing in SNYK (Python)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 1 Evaluating user-supplied input

1- from flask import Flask, request

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 2 Authentication check using SQL

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 3 F.read function Check

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 4 Evaluation of Post Function

4- from flask import Flask, request app = Flask(__name__)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 5 Evaluation of Read Function

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 6 Fetch Data Function

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 7 Search Function

7- from flask import Flask, request

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Secure Code Testing in SNYK (Java)

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 9 File Operations

} catch (IOException e) { System.out.println("Error reading file");

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

Ex. 10 String Operations

10- import java.sql.*;

public static void main(String[] args) { Scanner scanner = new

Statement statement = connection.createStatement(); ResultSet resultSet =

Downloaded by Vasanthi Muniasamy (wmsami@kku.edu.sa)

4- from flask import Flask, request app = Flask(name)