An Experimental Study on Detecting and Mitigating Vulnerabilities in Web Applications

ABSTRACT


INTRODUCTION
Information security is essential for all firms due to the rise in cyber hacking activities in the modern digital age [1].Irrespective of their size, every business is faced with the imperative task of safeguarding their data against potential attackers.Web applications play a major role in communication, resource sharing, social networking, online banking, e-commerce, etc. [2].Cybercriminals target web application vulnerabilities to gain unauthorized access to sensitive data, compromising user privacy and security.A company that develops web applications covers most of these features.So, these are the essential details for the attacker to start their attack on that company.Because of that, the attackers mostly target web applications.If the attacker hacked the web application, they could access all the confidential or sensitive data available in the web application.It leads the attack to the next stage of an attack [3].For example, if an online shopping website's credit or debit card details are saved, and the attackers hack the website, they can obtain the full card details and use them to steal money from the victim's account.
Maintaining good security mechanisms to avoid cyber threats is challenging [4].The first step in achieving this is to identify any vulnerabilities or security loopholes in the system.These can be identified with the help of some testing techniques.Distinguishing between Vulnerability Assessment and Penetration Testing reveals two distinct approaches to testing methodologies.Vulnerability assessment is a technique to identify weaknesses or measure security vulnerabilities.Penetration testing takes it to the next level, checking everything -software, hardware, the whole setup to find out where things could go wrong [5].It is basically like trying to think like a cyber attacker about what they could get into if they broke through the system's defenses [6].Penetration testing for web applications has been an active area of research in recent years, with researchers proposing new methodologies, tools, and case studies.Some studies have focused on specific types of web app vulnerabilities like SQL injection [7] and XSS [8], while others have taken a more comprehensive approach covering various vulnerabilities [9][10][11][12].The use of automated scanning tools like Nmap, Nikto, and ZAP, along with manual verification, has been commonly employed.However, the dynamic nature of web applications and the continuous emergence of new vulnerabilities necessitates constant research efforts.
Performing manual penetration testing is daunting as the tester must conduct every possible test to find a single vulnerability.In one application, many vulnerabilities may exist.It is not an easy task, so the penetration tester uses automated tools to avoid that.In automated penetration testing, few tools are available as open-source, and some as commercial products with different functionalities [13].The main problem in this automated penetration testing is in selecting the best tool.The tester can't say that this tool finds all the vulnerabilities in the web application.The vulnerability findings differ for each tool.None of the tools can identify the complete vulnerability in the web application.
The current research aims to explore the vulnerabilities present in web applications, their impact on security, and best practices to mitigate risks.The investigation aims to conduct a comprehensive penetration testing of an online shopping web application, evaluate its security posture, and provide recommendations to enhance its security defenses.
The literature survey is discussed in section 2, methodologies are discussed in section 3, prevention techniques are briefly explained in section 4, and finally, the result is concluded in section 5.

LITERATURE SURVEY
In the work of Aibekova and Selvarajah [9], the author discussed different penetration testing attacks and the types in detail using Kali Linux.The process was done in six phases: Reconnaissance, Enumeration, Exploitation, Dictionary attack, Privilege Escalation, and DOS Attack.In the reconnaissance phase, they identified the open port details by scanning the target IP address in the Nmap tool and the next phase, enumeration, and they started tracking the IP address details like subnets, hosts, interfaces, DNS records, web server details, etc., using OpenNetAdmin tool.In the second phase, they found details about the web server.In the exploitation phase, they used the Metasploit tool to identify exploits like buffer overflow, code injection, and web application.In the fourth phase, they started using a dictionary attack, in which they identified a hashed password file.With that hashed password, they used John the Ripper to decrypt it and got the target's exact password.Now, they moved on to privilege escalation.In this phase, they explored each user; after collecting all the necessary resources, they started a DoS attack against the target.
The security evaluation was conducted of a web application that employs penetration testing strategies to showcase manin-the-middle attacks [10].They used a few penetration testing strategies like SQL Injection, cross-site scripting (XSS), and brute force attacks.They started the evaluation with information gathering using the Nmap tool and got information like port, state, service, and version.Using that Nmap output, vulnerability analysis was initiated using Nikto, W3af, and Zaproxy tools.Nikto finds 8 loopholes in the target, Zaproxy finds 7 loopholes in the target, and W3af fails to find the loopholes.During exploitation, the team identified an SQL injection error, XSS exploit, password dictionary, brute force attack process on burp suite, and a sniffing attack with Wireshark.After the automatic penetration testing was completed, manual penetration testing was performed, and the findings were compared to the percentage range.
In the investigation of Ojagbule et al. [7], the author compared SQL vulnerabilities found in common content management systems.To achieve this, the Nikto tool was used for the initial scanning phase, and the SQLMAP tool was used for penetration testing.The three content management systems analyzed were WordPress, Joomla, and Drupal, all installed on localhost.There are four phases involved in penetration testing in this paper.The first phase is gathering information about the system and server to be targeted, then proceeding with the scanning phase; they used a Nikto scanner to check dangerous files, outdated versions, and server problems.After scanning, they started with exploitation using SQLMAP, and the final phase is mitigation, which comprises ways of removing the vulnerabilities found during the previous phases and the prevention techniques.In the whole process, the scanning didn't show any vulnerable SQL attacks; instead, it warned about the other vulnerabilities available on those websites, WordPress, Joomla, and Drupal.
The investigation focused on the client and server-side attack possibilities in Kali Linux [11].The main advantage of using Kali Linux is its many built-in hacking tools, which significantly help us perform vulnerability analysis and security testing.In the context of client-side attacks, the authors discuss the need for such attacks when server-side attacks fail or when the attacker fails to obtain the proper IP address.The attackers use social engineering techniques to get important user details like names and social media account details.From those details, they start analyzing the user.It is helpful for them to understand more about the client.The most common client-side attack they mentioned is the insertion of Trojans into the device, and they even mentioned some prevention techniques for the attack.They discussed Netdiscover and Zenmap's tools in server-side attacks because they don't require many details.Only the target IP is enough.Those tools can use the IP address to identify details like open ports, OS details, and installed services and works.After all this discussion, they demonstrated packet sniffing, DoS attacks, man-in-the-middle attacks, and fake access points.
Devi and Kumar [12] proposed identifying web application security weaknesses using ethical hacking techniques.For this assessment, they used tools like Nikto, OWASP's Zed attack proxy, Netcraft, Sparta, and Nmap in the Kali Linux platform.They detected security weaknesses in all domains from low to medium with OWASP's ZAP tool.The detected vulnerability is mostly cross-site scripting, SSL, server leak, HTTP header, Retrieved x-powered, cookie without secure flag, URL rewriting, application error disclosure, etc.As a result, they concluded that Nikto found more vulnerabilities than OWASP's ZAP tool.
In the work of Anand and Singh [13], penetration testing was done for Amazon Echo against a denial-of-service attack on the Kali Linux platform.They started the testing by assuming that the cyber criminals already have access to the home network.They monitored the whole network traffic of the Amazon Echo device under DoS attack, one case to perform the attack on Kali Linux and one more instance for monitoring the network during the attack on the same Kali Linux.These attacks cause the device to crash, disconnecting the device from the network.This process is monitored using the Wireshark tool in Kali Linux, and they also showed a network packet drop during the attack.By doing all these processes, they found that initializing the denial-of-service attack in Amazon Echos is easier.The only thing that attackers should know is to access the home network, which leads them to get the required information about the devices connected to the network.They gathered all the information about the device using Nmap for their demonstration.After getting the device's MAC address, they used the SPARTA tool to identify the open ports.The airodump is used to obtain basic service set identification of the router.Finally, they started attacking the device using the Metasploit tool in Kali Linux.
The main aim of the previous study is to develop a fake website using Python scripting and a flask server to detect the SQL injection, cross-site scripting, spider content discovery tool and skip fish in Kali Linux [14].They used a spider to discover the content and functionality of the visible content where the users can browse.XSS and SQL injections are detected in the forms.The authors also conducted automated scans using technologies such as skipfish to give an in-depth website analysis.The main advantage of using skip fish is after completing the scan, it creates a separate zip file for the result.In that file, "index.html"may exist.It contains all the vulnerability details that it found during the scan.After doing all these automated scans, they tried manual testing like SQL injection, cross-site scripting, stored XSS, and Command Injection.As a prevention technique, they requested parameterized queries in SQL so that the attacker cannot manipulate the query as they wish in SQL injection.Additionally, using Content Security Policies (CSPs) in the response header is recommended to prevent cross-site scripting.This paper discusses the most frequent vulnerabilities and automated preventative methods.
In the work of Kandasamy et al. [15], the author investigated the recent cyber-attacks on healthcare institutions in Asia.Their investigation found five different types of attacks, mainly dominating healthcare institutions.This paper discusses those five attacks, their vulnerabilities, and their risks.The five main types of cyber-attacks are the Trojan attack, Phishing attack, Ransomware, Advanced Persistent Threat (APT), and Malware -Credentials compromise.There are four main types of Malware: Malicious software is intended to get unauthorized access to someone's system without their knowledge.The three types of Malware are Trojan, Spyware, and Ransomware.In 2021, ransomware attacks targeting healthcare institutions witnessed a significant surge of 150%, as reported by the Cybersecurity and Infrastructure Security Agency (CISA).As per the report's findings, healthcare institutions faced an average cost of $1.1 million due to ransomware attacks.
Phishing attacks are also social engineering attacks used to steal user details, including financial details like credit card numbers, by sending malicious links to the users.A recent study shows Malaysia ranks third in Asia for phishing attacks.Advanced Persistent Threat is deployed over a long period.It is a selective attack to obtain unauthorized access to the organization's confidential data.APT has eight stages: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privilege, Internal Recon, Move Laterally, Maintain Presence, and Complete Mission.During this COVID-19 period, this was the most common attack in Asian Healthcare institutions by some Chinese APT groups, and they got around 68 lakhs of patient details.After discussing all the attacks, they listed the most common vulnerabilities that cause them with the help of the national vulnerability database and common vulnerabilities and exposes.
The motive in the study of Gunawan et al. [16] is to penetrate web servers by simulating SQL injection, Cross-site scripting, and WordPress attacks.With the help of Burp Suite and SQLMap, they exploited the SQL injection.Penetration testing is used to scan and gather information from web applications for attacks.It gathers HTTP GET and POST requests from the web server and the website cookies, essential to accessing the SQL database.For XSS, they used the BeEF tool on Kali Linux.They made a small modification to the technique used in this attack.They created a phishing website that redirects the site to another phishing page, which helps the attacker download the required software and make it on the victim's machine.
In the investigation of Kumar and Tlhagadikgora [17], the author implemented network and system administration penetration testing.They designed and set up a virtual network laboratory to conduct penetration testing by demonstrating the attacks using Kali Linux.Four phases are involved in this paper: information gathering, vulnerability analysis, exploitation, and reporting.The initial phase involved information gathering, utilizing three open-source tools available in Kali Linux: i.e.Nmap, Zenmap, and Dmitry.Nmap and Zenmap identify the live host in the virtual network laboratory.Once the live hosts were identified, the next step involved scanning the open ports using OS and service fingerprinting techniques.After that, they started the vulnerability analysis using Nexpose community, Nessus, and OpenVAS.The report generated by Nessus contains a list of vulnerabilities against every host.
Similarly, OpenVAS worked under the same configuration, allowing for a comprehensive assessment of the security posture of the organization's IT infrastructure.By comparing the scanning reports generated by these tools, the author identified various vulnerabilities, including buffer overflow, spoofing, denial-of-service (DoS), and privilege elevation.It helps the organization find loopholes exploited by the attacker so they can develop a security mechanism for the loopholes.

Research design
The present work follows an experimental design approach to assess the vulnerabilities and perform penetration testing on a dummy shopping website.It evaluates security measures put in place methodically by manipulating controlled variables.Identifying potential vulnerabilities in the target web application was mainly done with the Nikto vulnerability scanner during the vulnerability detection phase.It is an automated vulnerability evaluation that scans for recognized vulnerabilities, misconfigurations, and security weaknesses without exploiting them.The results from Nikto showed issues such as the absence of security headers, old software versions, and configuration problems that may be vulnerable to exploitation.
While vulnerability detection finds possible weaknesses, penetration testing goes a step beyond by actively trying to exploit those vulnerabilities.In this research, various penetration testing techniques were employed: 1) Phishing attacks using SetoolKit to test for broken authentication and sensitive data exposure vulnerabilities.2) Using BurpSuite to modify and tamper with server requests, simulating attacks like price manipulation or unauthorized actions.3) Server-Side Request Forgery attacks to test for the ability to access restricted resources and sensitive data.These hands-on exploitation attempts went beyond detecting vulnerabilities and validated their exploitability and impact in a controlled environment.

Target environment
The target of this study is a dummy shopping website created specifically for this purpose.A Whois lookup revealed that the website is hosted on a server with IP address 65.8.178.77.

Information gathering
The present paper uses Nmap to gather information about the target website.The few important features of Nmap are host discovery, Port Scan, Service and Version Detection, and Operating System detection [18].Before proceeding with Nmap commands, Whois lookup is used to identify the IP address of the website.

Figure 1. Service and version detection
Prior to executing Nmap commands, a Whois lookup is performed to identify the IP address of the target website.Subsequently, Nmap is utilized for the following tasks using the obtained IP address: 1. Nmap leverages host discovery algorithms to detect active hosts within a specified IP range.This step is crucial in identifying live systems for further probing.Accurate service and version information is valuable for assessing potential vulnerabilities associated with outdated or insecure software.4. Nmap incorporates techniques for detecting the operating system running on the target system.If direct identification is not possible, Nmap provides educated guesses based on its fingerprinting database, along with a confidence rating for each guess.Knowledge of the underlying operating system aids in understanding potential vulnerabilities and tailoring further testing activities.The information gathered through these Nmap features serves as a foundation for subsequent phases of the vulnerability assessment and penetration testing process.

Figure 2. OS detection
Figure 1 shows the output of service and version detection in Nmap.Of 1000 ports, 982 are closed, so it is not showing anything about them.The remaining ports show the details; from the output, port 80/TCP, the HTTP service, is in an open state with Amazon CloudFront httpd.Figure 2 shows the operating system detection output.The Nmap fails to detect the correct operating system for the target website.Instead, it lists the possible operating system based on the guess.According to the guess, the operating system was Grandstream embedded.

Vulnerability scanning
Several activities include crawling, fuzzing, and analyzing web application vulnerability scanning.Crawling searches for pages in a web application, fuzzing simulates the attack.Finally, the analyzer analyses the response given by the fuzzer to identify whether the information is vulnerable.Three methodologies are used in vulnerability finding for the web application, namely, Black-Box Testing when the scanner doesn't have any information about the web application, White-Box Testing when the scanner knows some information about the web application, and grey-box testing to check the output based on the given input with some limited knowledge of web application [19].This paper uses the Nikto vulnerability scanner to identify the vulnerability in the web application.
Nikto is an open-source vulnerability scanning tool available in Kali Linux, which can test more than 6700 harmful files or programs and more than 1200 outdated version detection [20].Figure 3 shows the Nikto vulnerability scanner output.It found seven pieces of information about the target web application.The first information is anticlickjacking X-Frame-Options header is not present, which means the attacker can use this web application to trick a user by clicking a button or a link that redirects the user to a malicious website.The next vulnerability in that web application is the X-XSS protection header.This header configures the reflective Cross-Site Scripting protection; it helps us stop page loading if it finds XSS attacks.This protection header is not defined in this web application, so the web page loads if the attacker gives any Cross-Site Scripting into the web application.Because of that, the attacker can achieve their goal.The content-type response header is not set in the webpage, and this response header is responsible for protecting Multipurpose Internet Mail Extensions (MIME) sniffing vulnerabilities.MIME sniffing vulnerabilities occur when a web application allows users to upload content.The attacker can upload the malicious file if it allows the user to upload content.Along with these vulnerabilities, a few more uncommon headers are also identified.

Figure 3. Nikto vulnerability analysis
The "X-Amz-Cf-Id" header is unique to Amazon Web Services (AWS) CloudFront, a content delivery network (CDN) service offered by Amazon and is not a standard HTTP header.CloudFront produces this header and is present in the server's HTTP response.The "X-Amz-Cf-Id" header in the output of the Nikto vulnerability scanner does not signify a vulnerability.As was already noted, the content delivery network Amazon Web Services (AWS) CloudFront produces the "X-Amz-Cf-Id" header, which is a unique header.Another distinctive header associated with Amazon Web Services (AWS) CloudFront is the "X-Amz-Cf-Pop" header.The "CloudFront Point of Presence" (POP) header is abbreviated as such.Figure 4 shows the w3af vulnerability scanning.

Figure 4. w3af vulnerability scanning
The key findings of using w3af are as follows.Wildcard DNS Configuration: The target website is using a wildcard DNS configuration, where multiple subdomains resolve to the same IP address (192.168.153.1).This configuration can probably reveal sensitive statistics, and boom the assault floor.
Sensitive Information Disclosure: The experiment located numerous URLs related to the phpinfo.Personal home page script, which could display sensitive information approximately the server configuration, including set up modules, surroundings variables, and paths.
Potential XSS Vulnerabilities: The test identified potential Cross-Site Scripting (XSS) vulnerabilities that can allow an attacker to inject malicious scripts into the website and doubtlessly compromise consumer money owed or scouse borrow sensitive facts.
Potential XST Vulnerability: The scan detected a potential Cross-Site Tracing (XST) vulnerability, which could enable an attacker to trace the website's requests and potentially gain access to sensitive information.
Deliberate Vulnerable Application: The scan found a URL (http://192.168.145.128/mutillidae/) that is likely a deliberately vulnerable web application used for testing and learning purposes.
On a different website, information along with the DAV methods enabled on the target HTTP server and the scan results.The vulnerabilities scan using w3af is listed in Table 1.The scan enables various dependency modules or plugins related to error handling, server headers, allowed methods, and version information for different components like "format string", "redo's", "dav", and "frontpage".The scan detected information about the target HTTP server and its version in the requests with specific IDs (36 and 37).The detected server is "Microsoft-IIS/8.5",and the "X-AspNet-Version" header shows the server version as "4.0.30319".Additionally, the "X-Powered-By" header indicates the target server is "ASP.NET".

Exploitation
Attackers possess various tactics to exploit vulnerabilities and compromise system security.These include manipulating SQL queries for data extraction, exploiting authentication weaknesses for unauthorized access, and intercepting sensitive information.Phishing attacks trick people into giving up login details or personal information, while server-side request forgery (SSRF) attacks provide unauthorized access to company property.Cross-site scripting (XSS) flaws enable session hijacking when DoS attacks destroy systems.File attachment vulnerabilities can lead to increased access or privilege, while broken access allows unauthorized access.XML External Entity (XXE) attacks manipulate XML input for code execution.These strategies highlight the diverse approaches attackers use to exploit system weaknesses and compromise security.
The most exploited vulnerabilities are SQL injections, Broken Authentication, Sensitive Data Exposure, File inclusion testing, Server-Side Request Forgery, XML external entities, broken access control, security misconfigurations, and cross-site scripting.The present paper is mainly focusing on broken authentication and sensitive data exposure.
One of the most common broken authentication attacks is a phishing attack.The phishing attack is one of the cybersecurity attacks used to steal user details, including login credentials and even credit card numbers.The attacker sends malicious messages as a trusted entity with malicious links for this attack.Those links lead the user to install Malware software or files that freeze the system as part of a ransomware attack, or the attackers can steal sensitive information [21].Phishing for 2FA codes (two-factor authentication).Attackers may try to trick users into submitting their 2FA codes or completely circumvent the 2FA procedure when a website uses 2FA.This can be accomplished by pretending to be reputable services or by utilizing social engineering strategies to get consumers to divulge their codes.This paper uses the SetoolKit open-source tool for a phishing attack.This tool clones the same website created for this paper.If the user enters it, the attacker can get all the details about the user system and download the required malicious files or code into the target system.But as far as the target is concerned, they cannot differentiate between the original and phishing sites because they look the same.Phishing for personal information, attackers may ask consumers to disclose sensitive data through false emails or communications that appear to be sent from a reliable source.Examples are requests for private company data, personnel records, or customer databases.
The next tool is Burpsuite, one of the most popular web attack platforms, which can be used for scanning and even attacks [22].Using this tool, the tester can simulate various security threats to test their application, which helps them improve their security policy.In the burp suite, the important feature is the agent function, which uses a proxy module between the web application and the server.The proxy server is a server between the web browser and the server.When the client uses the browser instead of using the correct server, it tries to retrieve the information from the proxy server.The proxy server retrieves the correct server's information and displays it to the client.Because of that, the attacker looks through the proxy server's information.Even the attacker can modify the request in the web application; in this attack, the attacker modifies the content in the browser like they are trying to reduce the product price or change the product in the cart.Like that, many vulnerabilities can be found using penetration testing on the web application.
In a server-side request forgery (SSRF) attack, resources are accessed or changed by the attacker employing server capability that has been abused.The attacker's target is A program that permits data imports from URLs or enables users to read data from URLs.Changing URLs or messing with URL path traversal to modify URLs is possible.Attackers often provide a URL (or alter an existing one), and the server's running code reads from or submits data to it.Attackers can use URLs to access private information and services, such as HTTP-enabled databases and server configuration data, not intended to be made public.An attacker can include a file via the File Inclusion vulnerability, usually by taking advantage of "dynamic file inclusion" procedures set up in the target programme.The usage of user input without enough validation leads to vulnerability.This may result in the file's contents being produced, but depending on how serious the problem is, it may also result in.execution of code on the web server.Cross-site scripting (XSS) attacks result from client-side code execution, such as JavaScript.DoS attacks and the disclosure of sensitive information.

PREVENTION TECHNIQUES
One of the vulnerabilities in web applications is cross-site scripting (XSS); as said before, this is a client-side code injection attack in which the attacker executes malicious code in the web application.
Input validation and sanitization of user input by removing or encoding potential malicious scripts like <script> tags is crucial to prevent XSS.Ensure output encoding of any usersupplied data before rendering to prevent injected scripts from executing.Implement a Content Security Policy (CSP) to whitelist trusted content sources and turn off inline script execution, making it harder for malicious scripts to get injected.Configure browser security headers like X-XSS-Protection to enable XSS filtering, instructing browsers to block pages with code injection attack signatures.
Preventing the XSS attack is not easy, but if the developers follow a few steps, they can still prevent the XSS attack [23].The first step is to properly train the developers about the XSS attack, then ask them to use QA staff, DevOps, and SysAdmins.The most important thing is the developers need to treat all user input as public input.It is impossible to identify how the attacker tries to access a web application, and the attacker can access the web application even with an authorized login, so treating all the users as public input is the main aspect.Setting the HttpOnly flag for cookies helps us avoid accessing clientside JavaScript.Scanning the web application also helps us identify the XSS attacks [24].
Some prevention techniques can be used for XSS scripting to avoid these attacks.However, preventing phishing attacks is more difficult.The only prevention the client can do is click any link from any source, even if the sender is known to the client.Instead of clicking the link, the user can use the search engine to access the site.Nowadays, most browsers enable add-ons to help us spot malicious websites or alert users about phishing sites [25].Most importantly, don't give any personal or sensitive information on an insecure site, change the password regularly, and don't keep the same password for all websites.If password were the same, it would be easy for the attacker to log in to any user site.
Compared with previous attacks, preventing SQL injection is simple to implement.The SQL injection attacks can be prevented using prepared statements with parameterized queries, properly constructed procedures, escaping all usersupplied input, and enforcing least privilege [26].These are the few defence techniques that can prevent SQL injection attacks.
Input validation and sanitization of user input before database queries prevent SQL injection attacks.Use least privileged database accounts with only required permissions.Utilize stored procedures for database access as they are less vulnerable when coded properly.Implement multi-factor authentication beyond just passwords.Enforce strong password policies for length, complexity, and rotation.Automatically lock accounts after failed login attempts to prevent brute-forcing.Implement a centralized authentication system across applications instead of ad-hoc logic.These are the few defence techniques that can prevent SQL injection attacks.
One prevention technique is installing a firewall, which is an efficient way to prevent an attack; it works as a shield between the system and the attacker.Next, click on any advertisements or pop-ups that can be avoided in the web application because they may contain malicious code.The malicious code is automatically downloaded into the system without anyone's knowledge [27].Never utilize the input directly in the application code.Not just online form inputs like login forms, but all input must be sanitized by the developer.They must eliminate components of potentially dangerous code, such as single quotations.It's a good idea to turn off the display of database problems on the live website.SQL injection can gather details about the database via database problems.All user-supplied input fields should undergo stringent validation, especially those requiring network requests to prevent server-side request forgery validation of input.
Technique for preventing server-side request forgery Validation of Input All user-supplied input fields should undergo stringent validation, especially those that require network requests.To make sure the URLs or IP addresses are authentic and authorized, validate and sanitize them.Assign the program access to a whitelist of permitted domains, IP addresses, and protocols.Check any user-provided URLs against this whitelist to limit requests to just reputable resources.Filtering based on a whitelist is an effective way to prevent SSRF attacks.Maintaining an Allowlist of permitted URLs/IPs your application can access is a key SSRF prevention measure.Reject any requests attempting to access resources outside of the pre-approved allowlist.Segregating the Application Logic that integrates remote resources loaded over the network can contain the scope of potential SSRF vulnerabilities and attacks within your environment.
Cross-Site Request Forgery (CSRF) tokens can be used to verify the integrity of requests coming from your application.As a result, attackers are less likely to deceive users into sending unauthorized requests that could result in SSRF assaults.Whitelisting of URLs on the server: implement server-side URL whitelisting if your application requires the ability to retrieve resources from external URLs.Keep a list of permitted URLs and only retrieve resources from those sources.

RESULTS ANALYSIS
In this section, three different vulnerability scanners, Nmap, Nessus, and Nikto, are compared regarding features and the vulnerabilities they can find.Each tool is compared with features like cost, usage, capable operating system, and advantages and disadvantages in a feature comparison.
The other comparison is purely based on the vulnerability it can find; not all vulnerability scanners are the same, and each scanner has some unique features.Nmap Port Scanning Results: • Out of 1000 ports scanned, 982 ports were closed.
• Ports found open: 80 (http), 443 (https) Nikto Vulnerability Scan Results: • Number of vulnerabilities/items reported: 7 • Error limit reached: 20 errors Nessus was found to be the most comprehensive tool, capable of identifying the highest number of vulnerabilities compared to Nmap and Nikto shown in Table 2. Nikto, although good at detecting web server vulnerabilities (over 6700 vulnerabilities), failed to detect some common vulnerabilities like SQL injection, improper error management, and denial of service shown in Table 3.
Nmap's strength lies in gathering information about ports and services running on a system, but it is not as effective as Nessus for software vulnerability scanning.
As shown in Table 3, the Nessus vulnerability analysis tool works better when compared to Nmap and Nikto.Nessus is possible to identify more vulnerability than the other tools.Even though the Nikto looks good in Table 2, it fails to detect some common vulnerabilities.Figure 5 shows each vulnerability analysis tool's time to perform a full scan on the web application.Nessus took only 18 minutes to scan and identify 37 vulnerabilities, while Nikto took 32 minutes but could only find 7 vulnerabilities.This quantitative comparison highlights Nessus as a more efficient and comprehensive vulnerability scanner.In a phishing attack, this paper concentrates on two different tools, Zphisher and Nexphisher.Both tools are open-source tools.The Nexphisher tool was developed by combining the Zphisher and HiddenEye tools.Even though Nexphisher is an advancement of Zphisher, it doesn't have some main features like custom page generation, which Zphisher works.In Zphisher, the user can create a custom webpage based on their requirement instead of using predefined templates, but in Nexphisher, that feature is not available.
Figure 6 shows that the Zphisher works better than the Nexphisher because Zphisher takes less time (7 minutes vs 12 minutes) and has more features (8 vs 5) than the Nexphisher for setting up a phishing attack.In addition to this, we also used the w3af tool, which revealed several vulnerabilities, including a wildcard DNS configuration, sensitive information disclosure, potential cross-site scripting (XSS) vulnerabilities, potential cross-site tracing (XST) vulnerability, and the presence of a deliberately vulnerable application used for testing purposes.

CONCLUSION
The present paper delved deep into how penetration testing works and how to find those pesky vulnerabilities in web applications.It reinforced how important prevention is.Input validation, whitelisting, and all that stuff to stop attacks like XSS, SQL injection, and phishing -is super important.But it is also tricky to put into practice, especially when you're dealing with a big, complicated web application.The present paper highlighted the significance of incorporating manual testing alongside automated tools for penetration testing.Manual testing can reveal weaknesses that could be overlooked by automated scanners, particularly in intricate web applications.Looking ahead, multiple practical recommendations can be proposed to tackle the constraints and improve the efficiency of penetration testing for web applications as summarized as follows.1) Utilizing multiple vulnerability scanning tools: 2) The importance of continuous research and development in penetration testing methodologies and techniques is emphasized 3) The importance of collaboration between development and security teams throughout the software development process is suggested, and 4) Advise on conducting regular security audits and assessments, which should include penetration testing, to consistently assess the web application's security state and detect any new vulnerabilities that may have occurred because of updates or upgrades.By acknowledging these constraints and putting into practice the proposed suggestions, companies can improve their capacity to preemptively detect and address weaknesses in web applications, thoroughly safeguarding their important resources and guaranteeing the security, reliability, and accessibility of their systems and data.

2 .
Port Scanning is conducted to determine which ports on the target system are open and potentially hosting services accepting connections.Nmap's port scanning capabilities help uncover potential attack vectors.3.For the open ports identified during port scanning, Nmap attempts to identify the specific services running on those ports and their respective versions.

Figure 5 .
Figure 5. Scan time vs number of vulnerabilities in vulnerability analysis

Figure 6 .
Figure 6.Scan time and number of features in phishing attack

Table 2 .
Features of vulnerability scanners It doesn't prevent attacks; it is only used to check weaknesses.It can detect more than 6700 vulnerabilities.Disadvantage It is not a better option for software It is not a better option for networks.It runs at the command line without any graphical user interface.