Programs

Program 1: Exploring Web Application Functionality – XAMPP

Steps

Starts the web server and database required to host DVWA locally.

Places DVWA inside the web root so Apache can serve it.

Accesses the DVWA application from the browser.

Initializes and configures the DVWA database.

Uses default credentials to access DVWA.

Understands application structure and vulnerability categories.

Program 2: Authentication Bypass using SQL Injection

Steps

Disables input validation so SQL injection works.

Loads the vulnerable input field.

Identifies valid user IDs.

Forces SQL condition to always be true, bypassing login.

Program 3: SQL Injection using UNION Operator

Steps

Ensures the field is injectable.

Extracts usernames and hashed passwords.

Identifies database version.

Reveals database server hostname.

Shows database user context.

Program 4: SQL Injection using SQLMap

Steps

Downloads SQLMap tool.

Tests the URL for SQL injection.

Automatically extracts database data.

Program 5: Cross Site Scripting (XSS)

Steps

Loads vulnerable XSS input.

Injects JavaScript into page output.

Confirms successful XSS attack.

Program 6: Check Open Ports using Nmap

Steps

Performs basic port scan.

Checks HTTP service.

Checks if host is alive.

Attempts OS detection.

Detects service versions.

Program 7: Information Gathering

Steps

Resolves domain to IP address.

Finds mail servers.

Retrieves host info.

Program 8: Find IP Address and Class

Steps

Extracts IP of website.

Determines Class A, B, or C.

Program 9: Google Dork Operators

Steps

Searches inside a domain.

Finds exposed documents.

Finds login pages.

Finds directory listings.

Program 10: HTTP Request Inspection

Steps

Views HTTP traffic.

Captures requests.

Analyzes cookies, tokens, status codes.

Program 11: TCPDump

Steps

Starts packet capture.

Captures traffic on interface.

Program 12: Metasploit Framework

Steps

Launches Metasploit.

Finds vulnerabilities.

Sets target system.

Runs attack.

Program 13: Web Spidering using OWASP ZAP

Steps

Starts tool.

Specifies target site.

Discovers pages and links.

Program 14: Bandit Password Gathering

Steps

Connects to Bandit.

Finds password.

Finds hidden files.

Program 15: Burp Suite

Steps

Burp Suite is a web application security testing tool that acts as an intercepting proxy between the browser and the web application.

This configuration allows all browser traffic to pass through Burp Suite for inspection and modification.

The built-in Burp browser is preconfigured to route traffic through the proxy. Older versions require FoxyProxy to manually redirect browser traffic.

<Screenshot>

Intercept allows Burp to pause requests before they reach the server. HTTP History shows all captured requests and responses exchanged with the application.

<Screenshot>

Spidering

The Site Map displays all discovered pages, endpoints, and parameters of the target application.

Hidden or unlinked files may expose sensitive endpoints or administrative interfaces.

<Screenshot>

Intruding

Intruder is used to automate attacks such as fuzzing, brute-force, and payload injection.

<Screenshot>

Payload positions define where Burp will inject test values into the request.

<Screenshot>

Attack on a Login Page

Verbose parameters may reveal sensitive debugging information or application logic.

Begins automated payload injection against the selected request.

<Screenshot>

Status codes indicate how the server responded to each payload:
• 1xx – Informational
• 2xx – Success
• 3xx – Redirection
• 4xx – Client Errors
• 5xx – Server Errors

A 200 OK response may indicate a successful payload execution or valid authentication.

<Screenshot>

Detailed analysis helps identify vulnerabilities such as authentication bypass, parameter manipulation, and information disclosure.

Source: AWS_RECORD_FINAL.pdf – Program 15