Dr D Y Patil College of Engineering and Innovation, Varale, Talegaon

Program Name : Artificial Intelligence & Data Science

Course Name : Mini-Project (cyber security)
Academic Year : 2023-2024
Semester : Sixth

A MINI PROJECT ON
“Develop a website to show the risks of
insecure HTTP versus secure HTTPS.”

Submitted by the

Sr. No Name of Student Roll No

1 Akshay Gadade 23146

Project Guide:
Dr. Latika Desai
 Dr. D Y Patil College of Engineering and
Innovation, Varale, Talegaon

CERTIFICATE

This is to clarify that Akshay Gadade for 6th Semester of Engineering in Artificial Intelligence
and Data Science of Institute Dr. D. Y. Patil College of Engineering and Innovation(code:4123) has
completed the Mini Project satisfactory in the subject Mini-project (CS) for the Academic Year
2023-2024 as prescribed in the curriculum.

Place: Pune Roll No: 23146

Date: Seat No: T191232015

Dr.Latika Desai Dr. Latika Desai Dr. Suresh Mali

Co-ordinator HOD, AI-DS Principal
 INDEX

Sr.No Table of Content Page No:

1. Chapter 1: Introduction and background of the industry.....................................1

1.1 Introduction.............................................................................................1
1.2 Components.............................................................................................1
1.3 Process.....................................................................................................1
2. Chapter 2: Literature Survey for problem identification.......................................2
2.1 Literature Survey.....................................................................................2
3. Chapter 3: Problem Statement.................................................................................3
4. Chapter 4: Scope of the project................................................................................4
4.1 Scope of the Examiner less Oral Examination System.............................4-5
5. Chapter 5: Methodology............................................................................................6
5.1 Use Case Diagram....................................................................................6
5.2 Technologies.............................................................................................7
5.3 Software Requirements............................................................................8
6. Chapter 6: Details of Designs, working and processes...........................................9
6.1 System Architecture..................................................................................9-10
6.2 Algorithm..................................................................................................11
6.3 Implementation and Testing......................................................................12-13
7. Chapter 7: Result and Advantages...........................................................................14
7.1 Result........................................................................................................14
7.2 Advantages................................................................................................15
7.3 Disadvantages...........................................................................................15
8. Chapter 8: Conclusion and Future Scope...............................................................16
8.1 Conclusion..................................................................................................16
8.2 Future Scope..............................................................................................16
9. Reference......................................................................................................................17
ACKNOWLEDGEMENT

I would like to express my sincere thanks towards all staff members offers sparing their
valuable time especially while clearing my vague concepts in fields of their expertise.
I am thankful to Dr. Suresh N Mali, Principle, DYPCOEI and Dr. Latika R. Desai (HOD)
Artificial Intelligence and Data Science, and all faculty member for their encouragement.

CHAPTER 1
INTRODUCTION

Aim: This task is to demonstrate insecure and secured website. Develop a web site and
demonstrate how the contents of the site can be changed by the attackers if it is http based and
not secured. You can also add payment gateway and demonstrate how money transactions can
be hacked by the hackers. Then support your website having https with SSL and demonstrate
how secured website is.
Introduction to SSL/TLS

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are
technologies which allow web browsers and web servers to communicate over a secured
connection. This means that the data being sent is encrypted by one side, transmitted, then
decrypted by the other side before processing. This is a two-way process, meaning that both
the server AND the browser encrypt all traffic before sending out data.

Another important aspect of the SSL/TLS protocol is Authentication. This means that during
your initial attempt to communicate with a web server over a secure connection, that server
will present your web browser with a set of credentials, in the form of a "Certificate", as proof
the site is who and what it claims to be. In certain cases, the server may also request a
Certificate from your web browser, asking for proof that you are who you claim to be. This is
known as "Client Authentication,"although in practice this is used more for business-to-
business (B2B) transactions than with individual users. Most SSL-enabled web servers do not
request Client Authentication.

Following diagram depicts dynamic web server system three tiers. In case of two tier, only
browser and web server will be available client server model.
 Figure 1: Ref: http://refreshmymind.com/wp-content

Above diagram shows three components of web server system. Presentation layer on left side
i.e. browser, middle layer that is tomcat server and data layer is implemented with mysql.

Figure 2: Client server protocol stack with SSL functionality

6
Department of AI&DS, DYPCOEI Varale,
Talegaon
CHAPTER 2
PROBLEM STATEMENT

"Develop a website to show the risks of insecure HTTP versus secure HTTPS. The insecure site
should be vulnerable to content tampering and payment hacking. Then, demonstrate how HTTPS
with SSL prevents these attacks and ensures a secure browsing experience."

7
Department of AI&DS, DYPCOEI Varale,
Talegaon
CHPATER 3
LITERATURE SURVEY

It has been observed for a quite long time that Web Security has been one of hot research areas,
from point of view of be it either analysis or detection and later developing mitigation plans. Web
security threats have undergone much sophistication compared to their initial introduction and they
are becoming more & more evolved every day. The evolution might be in terms of new ways of
attack or bringing in resistance to using simulated OS or VM environments.[1]

The main issue in web security research is in enabling a user a safe and trusted platform for
communication with the web application. But some people continue to do business with insecure site.
Some organizations or companies don’t want to reveal the information about their own security
holes. So, it’s very hard task to get the reliable information about the state of web security today.[4]

The data combines images, texts, audio and videos, which are communicated worldwide through
the Internet. This review paper gives an analysis based on the concept of cryptography and
steganography. It also presents a comparative approach using several encryption algorithms with
several factors such as block size, key size, encryption speed, memory usage, and security level.[2]

Third-party tracking can occur when web analytics services, such as Google Analytics, are utilized
to measure visitation to websites. These services provide information about website use and user
behavior, which can help libraries improve their online services. However, the analytics services
operate sophisticated mechanisms through extensive networks to track users and their behavior
across sites, acquiring user demographics and behavioral patterns.[3]

8
Department of AI&DS, DYPCOEI Varale,
Talegaon
CHAPTER 4
SCOPE OF THE PROJECT

1. Website Development:
 Develop a basic website with common pages like Home, About Us, Products/Services,
Contact Us.
 Create a payment gateway integration for online transactions.

2. Insecure Website
 Host the website on a server without HTTPS (HTTP).
 Demonstrate how an attacker can intercept and manipulate data transmitted over HTTP,
such as altering the website's content.
 Show how payment transactions can be intercepted and manipulated by attackers.

3. Secure Website (HTTPS with SSL):

 Secure the website with HTTPS using SSL/TLS certificates.
 Demonstrate the encrypted communication between the user's browser and the server,
ensuring data integrity and confidentiality.
 Show how HTTPS prevents attackers from intercepting or tampering with data, including
payment transactions.

4. Comparison and Conclusion:

 Provide a comparison between the insecure and secure versions of the website,
highlighting the vulnerabilities present in the former and the security measures
implemented in the latter.
 Conclude with the importance of implementing HTTPS and SSL/TLS encryption for
securing websites, especially those handling sensitive data like payment information.

9
Department of AI&DS, DYPCOEI Varale,
Talegaon
 5. Documentation:
 Document the entire process of developing both versions of the website, including
configurations for HTTP and HTTPS, payment gateway integration, and security
measures.
 Include screenshots, code snippets, and explanations to support your demonstration.

6. Presentation:
 Prepare a presentation to deliver your findings and demonstrations effectively.
 Use slides, live demonstrations, and interactive elements to engage the audience and
convey the significance of securing websites with HTTPS.

7. Testing:
 Test both versions of the website thoroughly to ensure functionality and security.
 Conduct penetration testing and vulnerability assessments to identify any potential
weaknesses in the insecure version and verify the effectiveness of HTTPS in the secure
version.

10
Department of AI&DS, DYPCOEI Varale,
Talegaon
CHAPTER 5
METHODOLOGY

1. Planning and Setup:

 Define Goals: Clearly outline the objectives of the project, such as demonstrating the risks
associated with insecure websites, the importance of HTTPS, and the effectiveness of SSL
encryption.
 Choose Technologies: Select appropriate web development technologies for creating both the
insecure and secure versions of the website. For example, you might use HTML, CSS, and
JavaScript for the frontend, and PHP, Python, or Node.js for the backend.
 Set Up Development Environment: Install necessary tools and set up a development
environment for creating and testing the websites.

2. Developing the Insecure Website:

 Design Website Structure: Create a simple website with different pages and content. Include
forms for user input, such as a contact form or login form.
 Implement HTTP Protocol: Ensure that the website is served over HTTP instead of HTTPS.
This makes it vulnerable to various attacks, such as man-in-the-middle attacks and data
interception.
 Demonstrate Vulnerabilities: Introduce vulnerabilities such as SQL injection, XSS (Cross-Site
Scripting), and data interception to show how attackers can exploit them to modify website
content or steal sensitive information.
 Integrate Payment Gateway (Optional): If demonstrating payment gateway hacking, integrate
a payment gateway (e.g., PayPal, Stripe) into the website and simulate a transaction process.

3. Testing and Demonstrating Insecurity:

 Penetration Testing: Conduct penetration testing to identify and exploit vulnerabilities in the
insecure website. This may involve using tools like Burp Suite, OWASP ZAP, or manual testing
techniques.

11
Department of AI&DS, DYPCOEI Varale,
Talegaon
  Demonstration: Record demonstrations or perform live demonstrations showing how an
attacker can manipulate website content, steal user data, or intercept payment transactions.

4. Developing the Secure Website:

 Upgrade to HTTPS: Obtain an SSL certificate and configure the web server to serve the
website over HTTPS. This encrypts data transmitted between the user's browser and the server,
protecting it from interception and tampering.
 Implement Security Best Practices: Follow security best practices such as input validation,
parameterized queries, and secure authentication mechanisms to prevent common vulnerabilities.
 Secure Payment Transactions: If demonstrating payment gateway security, ensure that
payment transactions are processed securely using HTTPS and follow PCI DSS (Payment Card
Industry Data Security Standard) guidelines.
5. Testing and Demonstrating Security:
 Security Testing: Perform security testing on the secure website to ensure that it is resistant to
common attacks and vulnerabilities.
 Comparison: Compare the security of the secure website with the insecure one, highlighting the
differences in terms of data protection, confidentiality, and integrity.
 Demonstration: Record demonstrations or perform live demonstrations showing how the secure
website prevents attacks and protects user data and payment transactions.

6. Documentation and Presentation:

 Document Findings: Document the vulnerabilities discovered in the insecure website, the
security measures implemented in the secure website, and the results of testing and
demonstrations.
 Prepare Presentation: Prepare a presentation summarizing the project objectives,
methodologies, findings, and recommendations.
 Present Findings: Present the project findings to relevant stakeholders, such as classmates,
instructors, or colleagues, to raise awareness about web security issues and best practices.

12
Department of AI&DS, DYPCOEI Varale,
Talegaon
CHAPTER 5
DESIGN PROCESS AND WORKING

5.1 Algorithm

Now let us have practical steps of demonstration on Ubuntu system.

1. First prerequisite is install jdk on Ubuntu. (Preferably latest version) and add JAVA_HOME
path in. bashrc which is available as in home directory. Also add jdk bin path in. bashrc so that you
can access java command from any working directory.
2. Download the apache tomcat 8.55.33 application tar file from apache site. And extract it in
your home directory. Also add CATALINA_HOME in. bashrc as follows.
export CATALINA_HOME=/home/bnjagdale/web/apache-tomcat-8.5.33

3. Documentation: Additionally, you may refer the SSL/TLS manual of securing web sites

13
Department of AI&DS, DYPCOEI Varale,
Talegaon
 4. Start the Tomcat. Go to the apache bin directory and run following command

…/bin$sh startup.sh

Stop tomcat: And you can shutdown tomcat server with following command.

…/bin$sh shutdown.sh

Note: Every time you change configuration files of tomcat, makesure to restart the tomcat server to
adopt the changes

5. Access the Web Interface of tomcat server(Testing Web server)

Now that we have create a user, we can access the web management interface again in a web
browser. Once again, you can get to the correct interface by entering your server's domain name
orIP address followed on port 8080 in your browser:

Open in web browser

http://server_domain_or_IP:8080 OR
http://127.0.0.1:8080/
The page you see should be the same one you were given when you tested earlier:

14
Department of AI&DS, DYPCOEI Varale,
Talegaon
 6. Web server Manager interface

In order to use the manager web app that comes with Tomcat, we must add a login to our Tomcat
server. We will do this by editing the tomcat-users.xml file:

sudo nano …./conf/tomcat-users.xml

You will want to add a user who can access the manager-gui and admin-gui (web apps that come
with Tomcat). You can do so by defining a user, similar to the example below, between the
tomcat- users tags. Be sure to change the username and password to something secure:

tomcat-users.xml — Admin User

<tomcat-users . . .>

<user username="admin" password="password" roles="manager-gui,admin-gui"/>

</tomcat-users>
Save and close the file when you are finished. You need to restart the tomcat to adopt the changes.

Let's take a look at the Manager App, accessible via the link
or http://server_domain_or_IP:8080/manager/html. You will need to enter the account credentials
that you added to the tomcat-users.xml file. Afterwards, you should see a page that looks like this:

15
Department of AI&DS, DYPCOEI Varale,
Talegaon
 The Web Application Manager is used to manage your Java applications. You can Start, Stop,
Reload, Deploy, and Un install here. You can also run some diagnostics on your apps (i.e. find
memory leaks). Lastly, information about your server is available at the very bottom of this page.

7. Let us test the web pages / JSP pages

Now let us deploy jsps and html and test them. Switch to webapps directory of tomcat
andcreate you won folder like ….
..webspps$mkdir myapps

..webspps$cd myapps

..webspps$gedit login1.html

<html>
<head>
<title>SSL demonstration</title>
</head>
<body>
<h3>Web communicaton in plain text- NO SSL</h3>
<br>
<form action="http://127.0.0.1:8080/myapps/action.jsp"method=post>

User Name:<br>
<input type="text" name="username" value=""><br>Password:<br>
<input type="password"
name="password" value=""><br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

16
Department of AI&DS, DYPCOEI Varale,
Talegaon
 One more file to respond to above html as action.jsp as follows
<html>
<head>
<title>Using POST Method to Read Form Data</title>
</head>
<body>
<h3>Returning the user Form Data back</h3>
<br>
<p><b>Login name:</b>
<%= reques. getParameter("username")%>
</p>

<p><b>Password:</b>
<%= request.getParameter("password")%>
</p>
</body>
</html>

…webapps/myapps$ls

login1.html
action.jsp
Create two files. First file of html is to demonstrate the web form login page. action file is jsp
program for response for login html file

8. Now test the web pages as follows.

You will observe that all traffic is plain in format. So far we have not talked about SSL or TLS
between client and server.

17
Department of AI&DS, DYPCOEI Varale,
Talegaon
 9. SSL/TLS installation (Java keytool)

SSL/TLS and Tomcat

It is important to note that configuring Tomcat to take advantage of secure sockets is usually only
necessary when running it as a stand-alone web server. Details can be found in the Security
Considerations Document. When running Tomcat primarily as a Servlet/JSP container behind
another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the
primary web server to handle the SSL connections from users.

Certificates

In order to implement SSL, a web server must have an associated Certificate for each external
interface (IP address) that accepts secure connections. The theory behind this design is that a server
should provide some kind of reasonable assurance that its owner is who you think it is, particularly
before receiving any sensitive information. While a broader explanation of Certificates is beyond
the scope of this document, think of a Certificate as a "digital passport" for an Internet address. It
states which organization the site is associated with, along with some basic contact information
aboutthe site owner or administrator.

18
Department of AI&DS, DYPCOEI Varale,
Talegaon
 Java provides a relatively simple command-line tool, called key tool, which can easily create a
"self- signed" Certificate. Self-signed Certificates are simply user generated Certificates which
have not been signed by a well-known CA and are, therefore, not really guaranteed to be authentic
at all. While self-signed certificates can be useful for some testing scenarios, they are not suitable
for any form of production use.

10. Above traffic between server and client is without SSL implementation
1. Now create the digital certificate using java keytool in jdk/bin
2. Issue command as follows.
[root@localhost ~]# keytool -genkey -alias mykeys -keyalg RSA -keystore mynmcs
In this example keynamed mynmcs is created in working directory and public key pair
isalso generated in keystore supported by passwords.

3. Now configure the digital certificate in server.xml file available in conf directory
under apache tomcat directory. As follows

19
Department of AI&DS, DYPCOEI Varale,
Talegaon
 4. Restart the tomcat server by using command as under tomcat 8 bin directory
$sh shutdown.sh
$sh startup.sh
5. Now issue the url in client browser as follows
https://172.20.1.121:8443/myapps/login2.html

6. Now this form will (submit) initiate ssl dialog and hencecommunication will
be secured now.

20
Department of AI&DS, DYPCOEI Varale,
Talegaon
 7. Certificate warning error is shown as certificate is self-signed. Accept certificate and check
the output. So now traffic is secured with SSL between transport and application.
Click on certificate error and see the details. Certificates installed in tomcat server for SSL
security are self-signed. If signed by CA like VeriSign, even legality of this communication
is applicable. Now check the plain traffic by deploying sniffer such as tcpdump or
wireshark etc. and verify that traffic is plain without SSL and with https://localhost:8443/...
Traffic is secured in term of authentication, secrecy and integrity.

As you can see that wire shark has sniffed the web traffic and found what server and client are
talking. Here, toward the bottom of screen capture, you can see password in plain format,
which you will not be able to sniff after https SL is deployed

21
Department of AI&DS, DYPCOEI Varale,
Talegaon
 CHAPTER 6

CONCLUSION/FUTURE SCOPE

6.1 Conclusion
I have successfully implemented to demonstrate insecure and secured website program and I
learn how to survive the function, different libraries it is. So, for all of them it is a very useful
and helpful program to get security a virtual platform.

6.2 Future Scope

1. HTTP/3, quantum-resistant encryption, and advanced threat detection mechanisms.

2. implementing additional security measures like Content Security Policy (CSP), HTTP Strict
Transport Security (HSTS), and secure cookie settings.

3. integrating security testing and monitoring tools to continuously assess and improve the
website's security posture.

4. The growing importance of cybersecurity in an increasingly interconnected digital landscape,

emphasizing the need for ongoing vigilance and proactive measures to combat evolving
threats.

22
Department of AI&DS, DYPCOEI Varale,
Talegaon
 REFERENCES

1) Egele, M., Scholte, T., Kirda, E., Kruegel, C.: Using Generalization and Characterization
Techniques in the Anomaly-based Detection of Web Attacks. In: Proceedings of the
Network and Distributed System Security Symposium (NDSS). Internet Society, USA
(2006)

2) Balaji, R., & Naveen, G. (2011). Secure data transmission using video Steganography.
In 2011 IEEE International Conference on Electro/Information Technology, IEEE, pp. 1–5.

3) https://emerald.com/insight/content/doi/10.1108/OIR-02-2018-0056/full/html

4) https://chat.openai.com/c/35792787-64ca-4a9b-be3b-b1501fcbd894

23
Department of AI&DS, DYPCOEI Varale,
Talegaon