Assignment 2

Uploaded by

Aqib khan

University of Engineering and Technology, Taxila

Information Security – Spring 2025


Assignment 2
Note:
• This is a group assignment and can be submitted in a group of two or three.
• Give a specific description of the tasks performed by each member. Without this statement, a
zero mark is awarded to all three members.
• Plagiarism can result in zero marks in all assignments.
• This is a programming assignment, and there is no constraint on the choice of programming language.

Deadline

• 4th May 2025 (11:59 pm) over TEAMS


Problem:
Task 1: Find a website with an SQL injection vulnerability and report it. The evidence will be screenshots
showing the vulnerability. You may create a database of your own. Configure a WAF, and you can use the
sqlmap tool to scan for the vulnerability. This is an open task and you can use any scenario that suits you,
but with a clear understanding and justified reasons pasted in the assignment as proof.

Task 2: Use Wireshark (download it for Windows or Linux) to sniff packets and identify any HTTP traffic
vulnerability. Justify your answer with snippets of your Wireshark window showing plaintext requests.

Task 3: We have studied Cross-Site Scripting, and in this task we are going to implement that
concept. Cross-Site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute
malicious scripts in the victim's web browser by including malicious code in a legitimate web page or
web application. The actual attack occurs when the victim visits the web page or web application that
executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious
script to the user's browser. Vulnerable vehicles that are commonly used for Cross-Site Scripting attacks
are forums, message boards, and web pages that allow comments.

Part A:

For the first part, you are implementing the offensive concept. You are required to do the following steps:
1. Design an XSS-vulnerable web page.
2. Inject a script into the vulnerable web page.
3. Open the infected page in a virtual machine to verify whether the injected script is working.

Part B:
For the second part, you are going to implement the defensive concept. You are required to do the
following steps:
1. Secure the vulnerable web page designed in Part A using two techniques.
2. Try to inject the same script into the secured web page; there should be an error injecting it.
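
The following is an added example, not part of the original assignment: a comment page rendered without and with two defensive techniques (HTML output encoding and a Content-Security-Policy header). The function names and the sample comment are constructed for illustration; with encoding in place the injected markup is displayed as text instead of being executed.

```javascript
// Added example (not from the assignment): a comment page rendered two ways.
// All function names and the sample comment are constructed for illustration.

// Constructed sample input: a comment carrying a harmless script marker.
const SAMPLE_COMMENT = '<script>alert("xss")</script>';

// Vulnerable: user input is concatenated into HTML unchanged,
// so the browser parses it as markup.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Technique 1: output encoding for HTML element content and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Technique 2: a Content-Security-Policy response header that blocks inline
// scripts and limits script sources to the page's own origin.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Builds the response (headers + body) a server would send for the comments.
function buildResponse(comments, { hardened }) {
  const render = hardened ? renderCommentSafe : renderCommentVulnerable;
  const body =
    `<!doctype html><title>Comments</title><ul>${comments.map(render).join('')}</ul>`;
  const headers = hardened
    ? securityHeaders()
    : { 'Content-Type': 'text/html; charset=utf-8' };
  return { headers, body };
}

// Compare the two bodies: only the first contains a live <script> element.
console.log(buildResponse([SAMPLE_COMMENT], { hardened: false }).body);
console.log(buildResponse([SAMPLE_COMMENT], { hardened: true }).body);
```

The two techniques are independent layers: encoding stops the markup from being parsed, and the policy header stops inline script from running if an encoding step is ever missed.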

Submission:
For Tasks 1-3, give a detailed report of each task individually. Add any snippets or methods you followed.
Add any code in the appendix of your report.

The report for each task goes in a separate PDF. The report format has already been shared. Create a combined zip file and
submit a single rar before the deadline.
