
2022 8th International Conference on Advanced Computing and Communication Systems (ICACCS)

Web Application Penetration Testing & Patch Development Using Kali Linux

Ritik Karayat (1), Lakshmi Sudha Kondaka (2), Manish Jadhav (3), Ashwath Nambiar (4)
Department of Information Technology, SIES GST, Nerul, Navi Mumbai, India
karayat.ritik18@siesgst.ac.in, lakshmi.sudha@siesgst.ac.in, jadhav.manish18@siesgst.ac.in, ashwath.premarajan@siesgst.ac.in

978-1-6654-0816-5/22/$31.00 ©2022 IEEE | DOI: 10.1109/ICACCS54159.2022.9785232

Abstract— Nowadays, security is a first-rate concern for all applications. In the few decades since the birth of the Internet, the number of businesses going digital has grown exponentially year by year. In these technologically advanced times, cyber security is a must, mainly for Internet applications, so we have chosen to dive deeper into the cyber security domain and build a complete project. We aim to develop a website portal for ease of communication between us and the end user. Utilizing the power of Python scripting and a Flask server, we make independent automated tools for the detection of SQLI and XSS, and a Spider (content discovery tool). We have also integrated Skipfish as a website vulnerability scanner into our project using Python and Kali Linux. Since conducting a penetration test on another website without permission is not legal, we built a dummy website prone to OS Command Injection in addition to the above-mentioned attacks. A well-documented report is generated after the penetration test/vulnerability scan. In case the website is vulnerable, patching of the website will be done with the user's consent.

Keywords — XSS, SQLI, OS Command Injection, Kali Linux, Skipfish, Python, Spider, Flask.

I. INTRODUCTION

Almost all of the software applications made today in this technologically advanced world utilize the Internet to serve their purpose. As more and more applications are Web-based, more and more data is exchanged over the net and the attack surface becomes very vast. This leaves many loopholes in the entire system, and sites become vulnerable to a plethora of attacks.

Cybersecurity is the act of staying protected against unauthorized and malicious use of data, and the countermeasures used to prevent it. Security is a must for all software being developed, to protect the CIA Triad: Confidentiality, Integrity, Availability. It is an information security policy framework. A relevant example of the CIA triad is an ATM, where the PIN helps maintain Confidentiality, the bank software ensures Data Integrity, and Availability is upheld by ensuring authorized users can access the ATM at all times.

This can be achieved by Vulnerability Assessment & Penetration Testing (VAPT), which is a practice adopted by security professionals to mitigate these risks. It is an offensive approach to assessing the security posture of an application and is divided into 2 parts: Vulnerability Assessment incorporates the use of various automated and manual testing procedures to probe the target and detect the possible attack vectors, whereas Penetration Testing involves imitating an attacker and exploiting the vulnerabilities detected, showcasing the impact and severity of the attacks on the target application.

Fig 1. VAPT Life Cycle

We have built this project for the detection of the most dangerous and up-to-date vulnerabilities; for that we are referring to the OWASP Top 10 attacks. OWASP stands for Open Web Application Security Project. It is an organization that regularly updates issues regarding Web Application Security, highlighting the 10 most dangerous security risks, which include SQL injection, Cross Site Scripting and Command injection (Fig 1). SQL injection, often known as SQLI, is a typical attack vector in which malicious SQL code is used to manipulate backend databases and get access to data that was not intended to be displayed.

Fig 2. SQL Injection

Cross-Site Scripting (XSS) attacks (Fig 2) are injection attacks in which malicious scripts are inserted into otherwise trustworthy and innocent websites. In this attack, a hacker injects malicious script into a trusted website; when a user accesses the website, they unknowingly trigger the malicious script (Fig 3), which gives the attacker access to their cookies and session tokens.

Fig 3. Cross Site Scripting

The paper is organized as follows: Section II presents the literature review. The proposed system is presented in Section III. Experimental results are presented in Section IV. Finally, the conclusion is given in Section V.

II. LITERATURE REVIEW

Babak D. Beheshti et al. [1] explained penetration testing and the factors to be considered while performing penetration testing. In another paper, William G.J. Halfond et al. [2] demonstrated how different SQLIAs can be introduced into an application. Yugansh Khera et al. [3] illustrated the life cycle of VAPT and different types of vulnerabilities, and also highlighted the different OWASP Top 10 attacks. Ankit Shrivastava et al. [4] discussed Cross-site scripting and how it can be very dangerous and can be used to harm users and applications present over the Internet by delivering or inserting malicious code into application databases. B. M. Mehtre et al. [5] describe the four phases of vulnerability assessment and penetration testing and also tell us about the different open source tools available for vulnerability assessment and penetration testing. Md. Maruf Hassan et al. [6] analyse Broken Authentication and Session Management and how these have been listed among the most critical web application vulnerabilities since 2007.

Sadeeq Jan et al. [7] elaborate on XML-based attacks like XML Billion Laughs and XML External Entities. Xin-Yu Hou et al. [8] demonstrate detection of XSS vulnerabilities with high detection efficiency. R. Abirami et al. [9] shed light on the use of Python for developing automated testing tools for the detection of various attacks which can be carried out by malicious attackers. Cristoph Karg [10] describes the implementation of XSS detection using Python. Vangala Rama et al. [11] describe the use of Python to integrate the scripts used to detect the attacks with the portal which the user will access.

Dr. Sandeep Malik [12] gives us a solution to stop software vulnerabilities with the use of concepts such as defensive coding, robust coding standards by following security guidelines, staying away from unnecessary and dangerous threats through Internet browsers, and provides a solution to the cross site scripting problem. Kamsuriah Ahmed et al. [13] proposed a foolproof comprehensive method to overcome three issues in the SQL injection attack, namely improper use of dynamic SQL, lack of an input validation process and inconsistent error handling, which are observed in SQL injections. M. Denis et al. [14] cover concepts, attacks and different strategies pertaining to penetration testing. Maryam Mouzarani et al. [15] suggested ways for the detection of injection attacks like command injections and SQL injections. Hussein Alnabulsi et al. [16] present a tool named GMSA which prevents attacks like XSS, SQLI and command injection attacks.

We propose a system which provides various services like automated and manual testing tools so that users can check their website's integrity. We also provide services to patch the client's website, thus maintaining a high level of security.

III. PROPOSED SYSTEM

The proposed system provides a portal where any user can log in and utilize the security testing services by entering the URL of their website in a specified field. Penetration testing will be performed on their sites/endpoints to generate a detailed and well documented report and also patch any vulnerabilities present.

Functionality of the system: The proposed system consists of three modules, namely the Web Application module, the automated vulnerability scanners and the vulnerable web app.

Fig 4. Flowchart

Module 1: Web Application Module: This is an interface (Fig 4) built for users to interact with the system, in which users have to register an account and then log in to avail of the services.

In the portal, users enter their website's URL if they want automated testing, which then scans their website for different vulnerabilities such as XSS and SQL injection.

For manual testing, the user can fill in their information in the 'Contact Us' section provided in the portal, which sends a mail to our official email-id; contact is then initiated with the user, and the user also receives an email notifying them that their request has been received.

For building the Web Application, in the front end we have used HTML5 (Hypertext Markup Language) for creating structure and pages, CSS3 (Cascading Style Sheets) for designing the application and JS (JavaScript), which gives pages the interactive components that engage a user; in the back end we have used Flask.

The main aim of the system is to merge the most common and dangerous vulnerabilities and attacks into a single web application/portal, so that developers/laymen trying to secure their web applications don't have to browse through various websites to figure out a solution to all the vulnerabilities, since our manual and automated testing tools cover the most popular attacks, which are directly referenced from the OWASP Top 10 list.

Module 2: Vulnerability Scanners: The second module is the Vulnerability Scanner, which is further divided into 4 sub-modules, namely Spider, XSS Scanner, SQLI Scanner and Skipfish (Report Generator).

⮚ Spider:
● Spidering: It is the act of discovering content or functionality not linked from visible content which a user can browse to.
For XSS and SQLI detection, only specific pages of the website, those which use forms, are vulnerable; that is why a process known as content discovery has been used.
● Since only the vulnerable web pages are needed, the website's main URL is given to the spider, which is linked to the backend Python script, which in turn returns that website's internal and external links in the form of a report. It is helpful in figuring out the basic layout of the user's web application and mapping the site.
● Internal links: These are multiple pages or subdomains of the main website.
● External links: These are the hyperlinks that link the main website's domain to another website's domain.

⮚ XSS Scanner:
● For XSS detection, the user has to simply input their website's URL into the input field provided, which then triggers the backend Python script. The script is designed in such a way that whenever triggered, it will try to inject payloads into the user's website; if a payload is accepted by the user's website, then it can be concluded that their website is vulnerable to XSS, and an automated detailed report will be generated containing the total number of forms present and the solutions to mitigate the XSS vulnerability. If the payload is rejected, it can safely be assumed that their website is not vulnerable to XSS.

⮚ SQLI Scanner:
● Similar to the XSS scanner, the user has to input their website's URL into the input field.
● After the input has been received, the Python script is triggered, which simply quotes the URL and checks whether the URL itself is vulnerable; if it is, the same is reflected in the portal.

⮚ Skipfish Report Generator:
● Skipfish is one of the pre-installed modules in Kali Linux; it is a full-fledged website vulnerability scanner. It gives detailed reports of the target URL.
● This has been added to the project for the sole purpose of providing an in-depth scan, since many users won't be aware of this useful tool. It has been integrated into the site to make it accessible.
● The subprocess module has been used in Python to invoke a shell, and the shlex library is used to quote the inputted command so as to prohibit any malicious activity.
● All the user has to provide is the URL and the time of the scan in HH:MM:SS format. Once the scan is completed, the user can download a .zip file of the entire directory and view the results of the scan in an interactive webpage, 'index.html', found inside the directory after unzipping it.

Module 3: Vulnerable Web App:
VAPT cannot be performed on any random website available to us on the Internet, because it is against the law. A website has been made which is intentionally vulnerable to attacks like SQL Injection, Reflected & Stored XSS and OS Command Injection. This website was built using Flask. The website consists of 2 pages, namely the login page and the main page.
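The content-discovery step of the Spider sub-module described above, written out as an added example (this is not the paper's own script): it parses one HTML page, resolves relative links against the site's base URL, classifies each link as internal (same host or a subdomain of it, as the paper defines internal links) or external, and counts the forms on the page, which is the figure the XSS Scanner's report later carries. The target host `target.example` and the sample page are constructed here; a real spider would fetch pages over HTTP instead of feeding a string.

```python
"""Classify a page's links as internal/external and count its forms.
Added example, not the paper's code; parses constructed HTML offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkAndFormCollector(HTMLParser):
    """Collects href targets of <a> tags and counts <form> elements."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.form_count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag == "form":
            self.form_count += 1


def is_internal(link_host, base_host):
    """Internal = the site itself or one of its subdomains.
    A suffix check with the leading dot avoids treating
    target.example.evil.com as part of target.example."""
    return link_host == base_host or link_host.endswith("." + base_host)


def discover(base_url, html):
    """Return (sorted internal links, sorted external links, form count)."""
    parser = LinkAndFormCollector()
    parser.feed(html)
    base_host = urlparse(base_url).hostname
    internal, external = set(), set()
    for href in parser.hrefs:
        absolute = urljoin(base_url, href)  # resolves /about and login.html
        parsed = urlparse(absolute)
        # mailto:, javascript:, tel: and similar are not crawlable pages
        if parsed.scheme not in ("http", "https") or parsed.hostname is None:
            continue
        if is_internal(parsed.hostname, base_host):
            internal.add(absolute)
        else:
            external.add(absolute)
    return sorted(internal), sorted(external), parser.form_count


# Constructed sample page for the hypothetical site http://target.example/
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="login.html">Login</a>
<a href="http://blog.target.example/post/1">Blog</a>
<a href="https://www.owasp.org/">OWASP</a>
<a href="mailto:admin@target.example">Mail</a>
<a href="javascript:void(0)">Noop</a>
<form action="/search" method="get"><input name="q"></form>
<form action="/comment" method="post"><textarea name="text"></textarea></form>
</body></html>
"""

if __name__ == "__main__":
    internal, external, forms = discover("http://target.example/index.html", SAMPLE_HTML)
    print("internal:", internal)
    print("external:", external)
    print("forms:", forms)
```

The internal list is what the paper's XSS and SQLI scanners would iterate over, since only pages with forms can take injected input; the external list is reported but not scanned, which keeps the tool within the scope the user authorised.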
The manual testing is performed on the website as follows.

1] SQL Injection
The login page is vulnerable to SQL Injection, since the query running in the backend is flawed and concatenates user input:
    c.execute("SELECT * FROM users WHERE email='%s' AND password='%s'" % (email, password))
● An attacker could easily bypass this authentication by using xyz@gmail.com'-- as the email. Now the query becomes similar to this:
    "SELECT * FROM users WHERE email='xyz@gmail.com'--' AND password='%s'"
● This leads to no checking of the password, since everything after the email has been commented out.

2] Cross Site Scripting
After logging in, there are 3 input fields for various operations: search, comment and ping.
● The search utility is prone to Reflected XSS, and this can be confirmed by using a simple payload like <script>alert('XSS')</script>.
● As soon as the submit button is clicked, this piece of malicious JavaScript is executed and reflected back to us in the immediate response.

3] Stored XSS
The comment utility is prone to Stored XSS, in which anything a user types gets stored in the database and displayed on the website.
● Since there is no input sanitization, an attacker can inject payloads containing malicious JavaScript which will run every time a user visits that page. To show the impact of this vulnerability, this payload has been used:
    <a href="#" onclick="document.location='http://0.0.0.0:1234/?c='+document.cookie;">Click To Win</a>
● Thus a malicious link, 'Click To Win', has been posted which, when clicked, sends the cookie of the user who clicked it to the local Python server. Cookie stealing is very severe, as the attacker can then impersonate the user and do whatever they want. It is like digital identity theft.

4] Command Injection
The last input field allows pinging any host, since it runs a shell in the backend, passes any host specified in the input to the shell and returns the output immediately. This can be exploited by using a number of special characters of the Linux command line, such as & (to run commands simultaneously), && (to run malicious commands after successful completion of the legitimate command) and ; (to enter a new malicious command).
● & has been used in order to show the proof of concept, so the payload is 127.0.0.1 & cat /etc/passwd.
● This will ping the localhost and in the background output the contents of the passwd file, which contains all the user details in a Linux OS. To show the impact and severity of this vulnerability, a netcat listener has been set up and this payload can be used:
    127.0.0.1 & bash -i >& /dev/tcp/10.0.2.15/4444 0>&1
● It returned a reverse shell instantly, and now anything can be done, like viewing or modifying hidden server files which should never be accessed by anyone.

This is the final module and serves as a testament to our skills and commitment to the users.

Patched Site Remediations:
For SQL Injection, parameterized queries have been used so that an attacker cannot manipulate the query as they wish. The code for the same can be seen below:
    c.execute("SELECT * FROM users WHERE email= ? AND password= ?", (email, password))

For XSS protection, the use of a Content Security Policy (CSP) in the response header is a must. The code is shown below:
    @app.after_request
    def XSS_protection(response):
        response.headers['Content-Security-Policy'] = "default-src 'self'"
        return response

Lastly, for command injection, which was possible due to shell=True in the Python subprocess.Popen function running in the backend, the call has been changed to shell=False and the shlex library in Python is used to securely break down the user input and quote it. Now, no malicious command will run instead of ping.

All these techniques must be incorporated in the development of any website, or the impact can be severe.

IV. EXPERIMENTAL RESULTS
Demonstrations of the Spider and XSS Scanner and their reports are provided in figures 5, 6 and 7.

Fig 5. Content Discovery And Report
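The two code-level remediations from the Patched Site Remediations section above (the parameterized login query, and shell=False for the ping subprocess, which is also the point made for the Skipfish sub-module's subprocess/shlex handling in Module 2), shown as an added example beside the vulnerable forms they replace. This is not the paper's code: the users table is an in-memory SQLite table constructed here, the sample account is made up, and the strict host allow-list in `validate_host` is an addition the paper does not describe, added because shlex quoting alone does not stop a "host" such as `-i` from being read by ping as an option. The CSP hook is left as the paper shows it, since it needs a running Flask app.

```python
"""Vulnerable vs. patched login query and ping invocation.
Added example, not the paper's code; sample data is constructed."""
import ipaddress
import re
import sqlite3
import subprocess

USERS = [("alice@example.com", "s3cret")]  # constructed sample account


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, email, password):
    """The flawed query from the dummy site: user input is concatenated,
    so a quote plus '--' in the email comments out the password check."""
    c = conn.cursor()
    c.execute("SELECT * FROM users WHERE email='%s' AND password='%s'" % (email, password))
    return c.fetchone()


def login_patched(conn, email, password):
    """Parameterized query: the driver binds the values, so quotes and
    '--' remain data and never change the statement's structure."""
    c = conn.cursor()
    c.execute("SELECT * FROM users WHERE email= ? AND password= ?", (email, password))
    return c.fetchone()


# RFC 1123-style hostname: labels of letters, digits and inner hyphens.
# A leading '-' is rejected, so the host can never be parsed as a ping flag.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(user_input):
    """Accept exactly one IP address or hostname (assumed allow-list,
    not from the paper); anything else, including shell metacharacters
    such as '&', '&&' or ';', raises ValueError."""
    host = user_input.strip()
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("invalid host: %r" % user_input)


def ping_input_accepted(user_input):
    """True if the input would reach ping, False if validation rejects it."""
    try:
        validate_host(user_input)
        return True
    except ValueError:
        return False


def vulnerable_ping_command(user_input):
    """The string the dummy site handed to Popen(..., shell=True):
    the shell interprets '&', '&&' and ';' inside it."""
    return "ping -c 1 " + user_input


def build_ping_argv(user_input):
    """argv for Popen(..., shell=False): each element is passed to ping
    directly, no shell parses it, and the host was validated first."""
    return ["ping", "-c", "1", validate_host(user_input)]


def run_ping(user_input):
    """Executes the patched form; not called by the demo below."""
    proc = subprocess.run(build_ping_argv(user_input), capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    conn = make_db()
    bypass = "alice@example.com'--"
    print("vulnerable login, no password:", login_vulnerable(conn, bypass, ""))
    print("patched login, no password:   ", login_patched(conn, bypass, ""))
    print("argv:", build_ping_argv("127.0.0.1"))
    print("accepted?", ping_input_accepted("127.0.0.1 & cat /etc/passwd"))
```

The two fixes share one principle: keep user input as data by handing it to an API that cannot reinterpret it (bound parameters for SQL, an argv list for subprocess) rather than trying to escape it for a parser you still invoke. Validation on top of that narrows what ping is asked to do at all.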


Fig 6. XSS Scanner and Report

Fig 7. Skipfish tool and Report

Demonstrations of SQLI, Reflected & Stored XSS and OS Command Injection on the dummy vulnerable website are provided in figures 8, 9, 10 and 11.

Fig 8. PoC (SQL Injection)

Fig 9. PoC (Reflected XSS)

Fig 10. PoC (Stored XSS)

Fig 11. PoC (OS Command Injection)

V. CONCLUSION
A full-fledged, open-source web application has been developed which will make the life of web developers easier by making their applications safe and secure without the hassle of approaching multiple services and considering various attack vectors, as we have combined the major vulnerabilities and provided remedies for the same using both manual and automated techniques.

ACKNOWLEDGEMENT
The authors would like to thank their family members and the SIES Management for their support towards the development of the project.

REFERENCES

[1] M. Denis, C. Zena and T. Hayajneh, "Penetration testing: Concepts, attack methods, and defense strategies", 2016 IEEE Long Island Systems, Applications and Technology Conference.
[2] Hessa Mohammed Zaher Al Shebli, Babak D. Beheshti, "A Study on Penetration Testing Process and Tools", 2018 IEEE International Conference on System, Computation, Automation and Networking (ICSCA).
[3] Yugansh Khera, Deepansh Kumar, Sujay, Nidhi Garg, "Analysis and Impact of Vulnerability Assessment and Penetration Testing", 2017 IEEE 6th Global Conference on Consumer Electronics (GCCE).
[4] B. M. Mehtre, "An overview of vulnerability assessment and penetration testing technique", 2018 IEEE 10th International Conference on HNICEM.
[5] R. Abirami, D. C. J. W. Wise, R. Jeeva and S. Sanjay, "Detecting Security Vulnerabilities in Websites using Python", 2020 International Conference on Electronics and Sustainable Communication Systems (ICESC).
[6] Vangala Rama Vyshnavi, Amit Malik, "Efficient Way of Web Development Using Python and Flask", 2019 International Journal of Recent Research Aspects ISSN.
[7] Maryam Mouzarani, Babak Sadeghiyan, Mohammad Zolfaghari, "Detecting Injection vulnerabilities in Executable Codes with Concolic Execution", 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS).
[8] Md. Maruf Hassan, Shamima Sultana Nipa, Marjan Akter, Rafita Haque, Fabiha Nawar Deepa, Mostafijur Rahman, Md. Asif Siddiqui, Md. Hasan Sharif, "Broken Authentication and Session Management Vulnerability: A Case Study Of Web Application", International Journal of Scientific & Engineering Research, Volume 9, Issue 2, February 2018.
[9] William G.J. Halfond, Jeremy Viegas, and Alessandro Orso, "A Classification of SQL Injection Attacks and Countermeasures", 2017 IEEE International Conference on Communication, Networks and Satellite (Comnetsat).
[10] R. Abirami, D. C. J. W. Wise, R. Jeeva and S. Sanjay, "Detecting Security Vulnerabilities in Websites using Python", 2020 International Conference on Electronics and Sustainable Communication Systems (ICESC).
[11] Xin-Yu Hou, Xiao-Lin Zhao and Mei-Jing Wu, "A Dynamic Detection Technique for XSS Vulnerabilities", 2017 International Conference on Identification, Information and Knowledge in the Internet of Things.
[12] Ankit Shrivastava, Santosh Choudhary, Ashish Kumar, "XSS Vulnerability Assessment and Prevention in Web Application", 2017 5th International Conference on Cyber and IT Service Management (CITSM).
[13] Mohan, Vamsi, "Secure Web Applications Against Cross Site Scripting (XSS): A Review", 2018 International Journal of Scientific Research.
[14] H. Alnabulsi, R. Islam and M. Talukder, "GMSA: Gathering Multiple Signatures Approach to Defend Against Code Injection Attacks", IEEE.
[15] Zhendong Su, Gary Wassermann, "The Essence of Command Injection Attacks in Web Applications", University of California, Davis.
[16] Stasinopoulos, Anastasios & Ntantogian, Christoforos & Xenakis, Christos (2015), "Commix: Detecting and exploiting command injection flaws".
