Cyber Security Essentials
Module 3.1 : Reconnaissance in Cybersecurity & Top 5 OWASP IoT Vulnerability
Dr. Geeta
Assistant Professor,
Department of Computer Science & Engineering,
Indian institute of Technology Ropar
Always remember, we are learning to be a cyberdefender, not a cyberattacker.
Cyber-kill chain
What is the Cyber Kill Chain?
● A framework developed by Lockheed Martin to understand cyberattacks.
● Helps organizations identify and mitigate security threats.
Cyber Kill Chain and MITRE ATT&CK Differences | by melikenur fazlioglu | Medium
Cyber Kill Chain
1. Reconnaissance: Information gathering.
2. Weaponization: Developing an attack.
3. Delivery: Transmitting the attack.
4. Exploitation: Triggering the exploit.
5. Installation: Installing malicious software.
6. Command and Control (C2): Remote control of the target.
7. Actions on Objectives: Executing the attack's goal.
Stopping adversaries at any stage breaks the chain of attack!
Intruder succeeds if, and only if, they can proceed through steps 1-6 and reach the final stage of the Cyber Kill Chain®.
Questions
Scenario:
The attacker sends a phishing email with the malicious PDF to a company employee using a spoofed HR email address.
Which kill chain stage does this represent? Delivery
Scenario:
The victim opens the PDF, which exploits a vulnerability in their PDF reader and triggers shellcode execution.
Which stage of the kill chain is this? Exploitation
Scenario:
A backdoor trojan is installed on the victim’s machine after exploitation, allowing persistent access.
Which kill chain stage? Installation
Scenario: The malware beacons out to an attacker-controlled C2 server to receive instructions.
What kill chain stage is this? Command and Control
Kali Linux: The Offensive Security OS
Kali Linux is a Debian-based Linux distribution developed by Offensive Security,
specially designed for penetration testing, ethical hacking, and digital forensics.
Over 600 pre-installed tools for cybersecurity tasks
Maintained by Offensive Security
Regular updates and large community support
Designed for live booting, VMs, and portable use
Common Tool Categories
Category Tools (Examples)
Reconnaissance Nmap, theHarvester, Recon-ng
Exploitation Metasploit, MSFvenom, SQLmap
Web Testing Burp Suite, Nikto, Wpscan
Wireless Attacks Aircrack-ng, Reaver, Wireshark
Password Cracking Hydra, John the Ripper, Hashcat
Social Engineering SET (Social Engineering Toolkit), BeEF
Forensics Autopsy, Binwalk, Volatility
Kali Linux Virtualbox installation
[Link]
Stages of a cyberattack
Reconnaissance
Objective: Gather information about the target.
Activities: Scanning networks, identifying vulnerabilities, and collecting data from public sources.
Attackers' Goals:
● Identify high-value targets (banks, payment processors, wallets).
● OSINT: Collect employee emails, exposed credentials, and system vulnerabilities, discover internet-facing servers.
● Port scanning & vulnerability scanning
Real-world Example:
● Data breaches via LinkedIn or public APIs.
Defensive Measures:
● Continuous monitoring of exposed credentials.
● Employee cybersecurity training.
Stages of a cyberattack
Reconnaissance
Objective: Gather information about the target.
Activities: Scanning networks, identifying vulnerabilities, and collecting data from public sources.
OSINT: Collect employee emails, exposed credentials, and system vulnerabilities, discover internet-facing servers.
Detecting reconnaissance as it happens can be very difficult. Build detections for browsing behaviours unique to reconnaissance. Challenges?
Tools (Purpose)
Tool / Technique Description / Purpose
theHarvester OSINT tool to collect emails, subdomains, and hosts using search engines & public sources
FOCA Extracts metadata and hidden information from documents (PDF, DOC, etc.)
Shodan Internet search engine for publicly exposed devices (e.g., webcams, ICS, routers)
Nikto Web server scanner for vulnerabilities and misconfigurations
Dirb Brute-forces directories and file paths on web servers
dnsenum DNS enumeration tool for discovering subdomains, zone transfers, MX records
Nmap Network scanning tool used for port scanning, service enumeration, etc.
Tools (Purpose)
Tool / Technique Description / Purpose
Nessus Vulnerability scanner for known security issues
Metasploit Exploitation framework (can be used for post-exploitation as well)
Hydra Password brute-forcing tool for multiple protocols
Burp Suite Web application security testing tool with spidering and scanning capabilities
Netcat Low-level network tool for debugging, banner grabbing, reverse shells, etc.
Wget Tool to download files over HTTP/HTTPS, often used in automation
Maltego Graph-based link analysis tool for OSINT investigations
Recon-ng OSINT framework with modules for reconnaissance
Google Dorking Technique using advanced Google queries for information gathering
Reconnaissance – Information Gathering
Goal: Identify potential targets using public or network information.
Kali Tools:
● Nmap – Network scanning and service discovery
● theHarvester – Email, subdomain, and user info collection
● Recon-ng – OSINT framework
● Maltego (community edition) – Link analysis and intelligence visualization
● Whois, dnsenum, dnsrecon – Domain information
● Shodan (via browser or API) – Internet-connected device discovery
● Nikto – Web server scanner
Weaponization – Developing the Attack
Goal: Create a malicious payload tailored to the target.
Kali Tools:
● MSFvenom – Payload creation (part of Metasploit)
● Metasploit Framework – Exploit/payload development and delivery
● Veil – Evasion tool to create AV-bypassing payloads
● Exploit Database – Integrated access to offensive exploits
● Shellter – Dynamic shellcode injection
Delivery – Transmitting the Attack
Goal: Send the malicious payload to the victim.
Kali Tools:
● Social Engineering Toolkit (SET) – Phishing, USB drops, fake sites
● BeEF (Browser Exploitation Framework) – Web browser exploitation
● Metasploit – Exploit delivery via browser, SMB, etc.
● Gophish (can be installed manually) – Phishing campaigns
● HTA Attack via MSF or SET – HTML application attacks
Exploitation – Triggering the Payload
Goal: Exploit a vulnerability to gain access.
Kali Tools:
● Metasploit – Delivery and exploitation of known vulnerabilities
● SQLmap – Automated SQL injection
● Burp Suite (Community) – Web app testing
● Nikto – Web server vulnerabilities
● Wpscan – WordPress vulnerability scanner
● Searchsploit – Local access to Exploit DB
Installation – Establishing Foothold
Goal: Install malware/backdoor for persistent access.
Kali Tools:
● Netcat (nc) – Bind/reverse shell
● Empire (can be installed) – PowerShell and Python agents
● Metasploit persistence modules
● Nishang (scripts for Windows exploitation)
● Backdoors/payloads via MSFvenom or Veil
Command and Control (C2)
Goal: Maintain remote control over compromised systems.
Kali Tools:
● Metasploit – Multi-handler for reverse shells
● Empire – Encrypted C2 channel
● Pupy (manually installable) – RAT with C2
● DNSCat2 – DNS-based covert C2
● Netcat / Socat – Simple remote command/control
Actions on Objectives – Final Goals (Data Theft, Destruction, etc.)
Goal: Steal data, move laterally, escalate privileges, or destroy assets.
Kali Tools:
● Mimikatz (run via Wine) – Credential harvesting
● John the Ripper / Hydra – Password cracking
● CrackMapExec – Post-exploitation in Windows environments
● Nmap (again) – Network discovery for lateral movement
● Exfiltration – Using scp, rsync, or custom scripts
Vulnerable VM machines
digininja/DVWA: Damn Vulnerable Web Application (DVWA)
haveibeenpwned
[Link]
theHarvester
theHarvester is a powerful OSINT (Open Source Intelligence) tool used to gather emails, subdomains, hosts, and IPs from public sources like search engines, Shodan, DNSdumpster, etc.
Search Emails & Hosts from Google
theHarvester -d [Link] -b google
Use Multiple Data Sources (Bing + Baidu)
theHarvester -d [Link] -b bing,baidu
LinkedIn for Employee Names
theHarvester -d [Link] -b linkedin
Limit Results to 100 Entries
theHarvester -d [Link] -b google -l 100
FOCA (Fingerprinting Organizations with Collected Archives)
FOCA extracts metadata and hidden information from documents (PDF, DOC, etc.)
FOCA downloads documents (like PDF, DOCX, PPTX, XLSX, etc.) from a domain and extracts metadata to gather: usernames, software versions, server names, paths and directory structures, internal IP addresses, printer locations, email addresses, OS versions, domain and subdomain names.
Input Target Domain Example: [Link]
1. Search for Public Documents
FOCA uses search engines (Google, Bing) or direct crawling to find:
○ site:[Link] filetype:pdf
○ filetype:doc OR filetype:xls
2. Download & Analyze Metadata
○ Extract EXIF data, document author, software version, last modified date, etc.
3. Network Footprinting (optional)
○ DNS records, IPs, domain info, subdomains
○ Vulnerability scanning (basic)
Shodan
Shodan Internet search engine for publicly exposed devices (e.g., webcams, ICS, routers)
Examples of search queries:
● apache → Find hosts running Apache web server
● [Link]:"[Link]" → Find hosts with certificates for [Link]
● port:21 → Find open FTP servers
● country:"IN" port:22 → SSH servers in India
● org:"Microsoft" → Devices owned by Microsoft
Nikto: Web Server Vulnerability Scanner
Nikto Web server scanner for vulnerabilities and misconfigurations
● Basic Web Server Scan
nikto -h [Link]
● Scan HTTPS Site
nikto -h [Link]
● Scan on a Non-default Port
● Focused Scanning with Tuning Options
nikto -h [Link] -Tuning 123b
● Throttle the Scan with Delay
nikto -h [Link] -delay 5
Dirb
Dirb Brute-forces directories and file paths on web servers
● Basic Scan of a Target Website
dirb [Link]
Scans the target using Dirb’s default wordlist (/usr/share/dirb/wordlists/[Link]t) to find hidden directories and files.
● Dirb is a brute-force web content scanner — it doesn't crawl links like a traditional web spider. Instead, it guesses URLs by appending words from a wordlist to the target base URL and checking if the server responds positively.
Helps find admin panels, debug interfaces, forgotten backup files, etc.
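The reconnaissance slide asks for detections built on browsing behaviour unique to reconnaissance, and the Dirb notes above describe exactly that behaviour: one client requesting many guessed paths in a short time, most of them answered 404. The following is an added example (not part of the original slides) that runs that detection over constructed Apache combined-format log lines; the thresholds, the User-Agent markers and the RFC 5737 sample addresses are assumptions to tune for your own site.

```python
"""Detect Dirb-style content brute forcing and Nikto-style probing in web access logs.

Added example for this lecture, not part of the original slides. The log lines are
constructed (Apache combined format, RFC 5737 documentation IPs) and the thresholds
and User-Agent markers are assumptions a defender would tune for their own site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: substrings these tools put in their default User-Agent strings.
SCANNER_UA_MARKERS = ("nikto", "dirb", "dirbuster", "gobuster")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_recon(lines, window=timedelta(seconds=60), min_requests=8, min_404_ratio=0.6):
    """Return {ip: [reasons]} for sources whose traffic looks like a content scanner.

    Signal 1 mirrors how Dirb works: it appends wordlist entries to the base URL, so
    one client produces many distinct paths in a short window, most answered 404.
    Signal 2 is the easy one: a User-Agent that names the scanner.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this client's requests
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            not_found = sum(1 for r in win if r["status"] == 404)
            distinct = len({r["path"] for r in win})
            if not_found / len(win) >= min_404_ratio and distinct >= min_requests:
                secs = int(window.total_seconds())
                reasons.append(f"{not_found}/{len(win)} 404s over {distinct} paths in {secs}s")
                break
        if any(mark in r["ua"].lower() for r in recs for mark in SCANNER_UA_MARKERS):
            reasons.append("scanner User-Agent")
        if reasons:
            findings[ip] = reasons
    return findings


def _constructed_log():
    """Constructed sample: .5 guesses paths like Dirb, .9 announces itself like Nikto, .7 is a normal visitor."""
    fmt = '{ip} - - [10/Mar/2025:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {st} 512 "-" "{ua}"'
    lines = []
    guesses = ["/admin", "/backup", "/cgi-bin/", "/config", "/db", "/old", "/test", "/tmp", "/index.html", "/uploads"]
    for i, path in enumerate(guesses):
        status = 200 if path in ("/index.html", "/uploads") else 404
        lines.append(fmt.format(ip="203.0.113.5", sec=i, path=path, st=status, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="203.0.113.9", sec=30, path="/", st=200, ua="Mozilla/5.00 (Nikto/2.1.6)"))
    for i, path in enumerate(["/", "/about", "/contact"]):
        lines.append(fmt.format(ip="198.51.100.7", sec=40 + i, path=path, st=200, ua="Mozilla/5.0"))
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, why in detect_recon(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Feed it real lines with `detect_recon(open("/var/log/apache2/access.log"))` and tune `min_requests` and `min_404_ratio` so that your own broken links do not trip it.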
dnsenum
dnsenum is a Perl-based DNS enumeration tool that automates gathering of DNS records and domain mapping, including: hostnames, name servers, mail servers, zone transfers (AXFR), subdomains (via wordlists).
● Basic DNS Enumeration
dnsenum [Link]
● Brute Force Subdomains Using Wordlist
dnsenum [Link] --enum -f /usr/share/wordlists/[Link]
--enum: Enables full enumeration
-f: Specifies the wordlist for brute-forcing subdomains
● Use a Custom DNS Server
dnsenum [Link] --dnsserver [Link]
A DNS zone transfer (AXFR) is a mechanism used between DNS servers to replicate DNS records.
Nmap
Nmap Network scanning tool used for port scanning, service enumeration, etc.
Task Command Description
Scan a single IP nmap [Link] Basic port scan on default 1000 TCP ports
Scan multiple IPs nmap [Link] [Link] Scan multiple hosts
Scan a range nmap [Link]-20 Scan 20 IPs in the range
Scan subnet nmap [Link]/24 Discover all live hosts in subnet
Detect OS nmap -O [Link] OS fingerprinting
Detect service versions nmap -sV [Link] Show software versions
Aggressive scan nmap -A [Link] OS, version, script, traceroute
Specific ports nmap -p 22,80,443 [Link] Scan selected ports
Stealth scan nmap -sS [Link] SYN scan (less detectable)
Defensive Use of Nmap
● System admins use Nmap to audit their own network:
○ Detect open ports/services unintentionally
exposed
○ Map firewall rules
○ Find rogue devices
● Helps in attack surface reduction
Run vulnerability scans with Nmap scripts:
nmap --script vuln [Link]
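The defensive use described above (detecting unintentionally exposed services and rogue devices on your own network) is easiest to automate when the scan is saved as XML and compared against what the admins expect. This added example (not from the slides or from the Nmap project) parses the XML that `nmap -sV -oX scan.xml <subnet>` writes and applies a deny-by-default allowlist; the XML, the addresses and the allowlist are constructed.

```python
"""Audit an Nmap XML scan of your own network against an allowlist of expected services.

Added example for this lecture, not part of the original slides. Assumes you ran
something like `nmap -sV -oX scan.xml <your-subnet>` on a network you administer;
the XML below is a constructed stand-in for that output (RFC 5737 addresses).
"""
import xml.etree.ElementTree as ET

# Assumption: maintained by the admins, host -> set of "proto/port" that should be open.
EXPECTED = {
    "192.0.2.10": {"tcp/22", "tcp/443"},
    "192.0.2.20": {"tcp/22"},
}

# Constructed sample in Nmap's -oX layout, reduced to the elements this script reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {ip: {"proto/port": service_name}} for every open port in the scan."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        result[ip] = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            key = f"{port.get('protocol')}/{port.get('portid')}"
            svc = port.find("service")
            result[ip][key] = svc.get("name", "?") if svc is not None else "?"
    return result


def audit(xml_text, expected=EXPECTED):
    """Deny-by-default: anything open that is not on the allowlist is a finding.

    Returns {"unexpected": {ip: {port: service}}, "unknown_hosts": [ip], "missing": {ip: set}}.
    """
    seen = open_ports(xml_text)
    unexpected, missing, unknown = {}, {}, []
    for ip, ports in seen.items():
        if ip not in expected:
            unknown.append(ip)  # a host nobody registered: possible rogue device
            continue
        extra = {p: s for p, s in ports.items() if p not in expected[ip]}
        if extra:
            unexpected[ip] = extra  # service exposed that the admins did not intend
        gone = expected[ip] - set(ports)
        if gone:
            missing[ip] = gone  # expected service is down or now filtered
    return {"unexpected": unexpected, "unknown_hosts": unknown, "missing": missing}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_XML).items():
        print(kind, items)
```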
Google Dorking
Operator Purpose Example
site: Restrict to a specific site site:[Link]
filetype: Find specific file types filetype:pdf budget
intitle: Words in page title intitle:"index of"
inurl: Words in the URL inurl:admin
intext: Words in page body intext:"confidential"
cache: View cached version cache:[Link]
ext: Alternate for filetype ext:xls passwords
allintext: All keywords in body allintext:"confidential login"
allintitle: All keywords in title allintitle:admin login
Why It’s Powerful?
Google indexes everything it can access, including:
● Misconfigured web directories
● Leftover backup files
● Admin panels
● Development environments
Google Dorking
It’s often used in the reconnaissance phase by ethical hackers and penetration testers — and is also popular among attackers to discover vulnerable assets.
No hacking tools required, just a browser.
Using Google Dorks is not illegal — it’s just search.
But using found information (e.g., passwords, databases) without permission is illegal.
In penetration testing, use only with client consent.
Defensive Tips
● Use [Link] to disallow crawling of sensitive paths. Don’t store sensitive files publicly just because they're disallowed in [Link].
● Block Google from indexing dev/test environments.
● Remove sensitive files from web root.
● Monitor what's indexed using Google Search Console or site:[Link].
Recon-ng
Recon-ng OSINT framework with modules for reconnaissance
It is similar in interface to Metasploit but focused on information gathering rather than exploitation.
Common Use Cases:
● Domain reconnaissance
● Gathering subdomains
● DNS records, WHOIS info
● Gathering data from public sources (e.g., LinkedIn, Twitter, Google, HaveIBeenPwned)
● Geolocation
● Breach information
Basic Workflow:
● Start Recon-ng: recon-ng
● Create a workspace: workspaces create test_workspace
● Add a domain: db insert domains [Link]
● List available modules: show modules
● Select and use a module: use recon/domains-hosts/bing_domain_web
● Set required options: show options, then set SOURCE [Link]
● Run the module: run
● View results: show hosts
Module Path Description
recon/domains-hosts/bing_domain_web Find hosts from Bing
recon/domains-contacts/whois_pocs Get contact info from WHOIS
recon/hosts-hosts/resolve Resolve hostnames to IP addresses
recon/creds-credentials/pwnedlist Check if credentials have been breached
reporting/html_report Generate an HTML report
Some modules require API keys (e.g., Shodan, Bing, HaveIBeenPwned).
Maltego
Key Features of Maltego:
● Graph-based visualization: See how entities are connected
● Transforms: Automated data-mining operations that pull info from various sources
● Built-in OSINT: Integrates data from search engines, DNS records, social media, breaches, etc.
● Customizable transforms: Add your own scripts or use 3rd-party data sources (e.g., Shodan, VirusTotal)
● Supports integration with threat intel platforms (MISP, IBM X-Force, etc.)
● Cross-platform GUI
Basic Workflow:
1. Start Maltego (Free Community Edition or Paid Pro version)
2. Create a new graph
3. Choose a starting entity, such as:
○ Domain
○ Person
○ Email Address
○ IP Address
4. Right-click on entity > Run Transform(s)
5. Maltego will fetch related data and expand the graph
6. Continue running transforms to grow the investigation
7. Label, annotate, or export the graph as needed
Hydra
Hydra (also known as THC-Hydra) is a fast and flexible brute-force login cracker. It is widely used by penetration testers and ethical hackers to crack credentials for various network services and web applications.
Hydra automates brute-force or dictionary attacks against services such as: SSH, FTP, HTTP/HTTPS (basic/digest forms), Telnet, RDP, SMB, VNC, POP3, IMAP, SMTP, LDAP, SNMP, Cisco protocols, MySQL, PostgreSQL, and more.
hydra -L [Link] -P [Link] ssh://[IP_address]
Tries all username-password combinations from [Link] and [Link] on the SSH service.
CVE: A publicly available database of known cybersecurity vulnerabilities.
Each CVE helps standardize how organizations share information about vulnerabilities.
Top-5 IoT Vulnerabilities
● Broken Access Control
● Cryptographic failures
● Injection (SQL Injection, Command Injection)
● Insecure design
● Security Misconfigurations
OWASP Top 10 Vulnerabilities for 2024 | TEQSEC
Top-5 IoT Vulnerabilities: Broken Access Control
Almost 94% of web applications have some form of broken access control.
Allows attackers to bypass access controls.
Failure to deploy access control efficiently leads to unauthorized access, allowing attackers to perform data modification and information disclosure.
Robust access control with role-based authentication and deploying a least-privileged approach.
Broken access control
Access control is the restriction of actions or resources based on user roles, identity, or permissions. It includes:
● Horizontal access control (access to other users’ data)
● Vertical access control (access to administrative functions)
Broken Access Control
It occurs when users can perform actions outside their intended permissions due to:
● Misconfigured permissions
● Bypassed authorization checks
● Predictable URLs or IDs
● Client-side access enforcement (bad practice)
Examples of Broken Access Control
Example Description
Insecure Direct Object Reference (IDOR) Changing URL like /user/1234/profile to /user/1235/profile and accessing another user's data.
Privilege Escalation A normal user accesses /admin/delete_user without authorization.
Unprotected APIs API endpoints don't check user roles before returning sensitive data.
Forced browsing Hidden admin pages accessible without login (e.g., /admin/dashboard).
Parameter tampering Modifying parameters like isAdmin=true in a request.
How to Prevent Broken Access Control
Measure Description
Enforce server-side access controls Never trust the client to enforce permissions
Use role-based access control (RBAC) Clearly separate roles like admin, user, guest
Check ownership of resources Always validate that the resource belongs to the requesting user
Disable directory listing and backup files Avoid unintentional exposure
Implement deny-by-default Grant permissions explicitly
How to Test for Broken Access Control
Try accessing resources with other user IDs.
Tamper with URL/query/body parameters.
Use tools like:
● Burp Suite (Repeater, Intruder)
● OWASP ZAP
● Postman
Review server responses for unexpected access.
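The prevention table above (server-side enforcement, RBAC, ownership checks, deny-by-default) applied to the two examples from the earlier table, the IDOR on /user/<id>/profile and the escalation to /admin/delete_user. This is an added example, not the slides' code; the users, roles, permission table and handler functions are constructed stand-ins for what a web framework's request handlers would do.

```python
"""Server-side access control for the two slide cases: the IDOR on
/user/<id>/profile and the privilege escalation on /admin/delete_user.

Added example for this lecture, not the slides' code. Users, roles, the
permission table and the handler functions are all constructed; a real
application would run the same checks inside its web framework's handlers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller: taken from the server-side session, never from the request."""
    user_id: int
    role: str  # "admin", "user" or "guest"


class Forbidden(Exception):
    pass


# Constructed data store: user_id -> profile
PROFILES = {
    1234: {"email": "alice@example.invalid", "city": "Ropar"},
    1235: {"email": "bob@example.invalid", "city": "Delhi"},
}

# Deny-by-default RBAC: an action is allowed only if its permission is listed for the role.
PERMISSIONS = {
    "admin": {"profile:read_own", "profile:read_any", "user:delete"},
    "user": {"profile:read_own"},
    "guest": set(),
}


def require(session, permission):
    """Central check; unknown roles fall through to the empty set and are denied."""
    if permission not in PERMISSIONS.get(session.role, set()):
        raise Forbidden(f"role '{session.role}' lacks {permission}")


def get_profile(session, requested_id):
    """GET /user/<requested_id>/profile with an ownership check (closes the IDOR)."""
    # Authorize before touching data, so a forbidden caller cannot learn whether the id exists.
    if session.user_id == requested_id:
        require(session, "profile:read_own")
    else:
        require(session, "profile:read_any")  # only roles allowed to read other users' data
    if requested_id not in PROFILES:
        raise KeyError("no such user")
    return PROFILES[requested_id]


def delete_user(session, target_id):
    """POST /admin/delete_user: vertical access control enforced on the server."""
    require(session, "user:delete")
    return PROFILES.pop(target_id, None) is not None


def delete_user_request(session, params):
    """Request handler: a client-supplied flag such as isAdmin=true is simply never consulted."""
    return delete_user(session, int(params["user_id"]))


if __name__ == "__main__":
    alice = Session(user_id=1234, role="user")
    print(get_profile(alice, 1234))  # own profile: allowed
    try:
        get_profile(alice, 1235)  # someone else's profile: denied
    except Forbidden as e:
        print("denied:", e)
```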
Top-5 IoT Vulnerabilities: Cryptographic Failures
Is any data transmitted in clear text?
Is an old/weak encryption algorithm used?
Protection needs of data in transit and at rest.
Make sure to encrypt all sensitive data at rest/in motion using an advanced encryption algorithm such as AES 1024.
Top-5 IoT Vulnerabilities
What Are Cryptographic Failures?
These occur when:
● Data is not encrypted when it should be.
● Weak or outdated algorithms are used.
● Encryption is used incorrectly (bad key management, insecure modes, etc.).
● Sensitive data is stored or transmitted insecurely.
Top-5 IoT Vulnerabilities
Type Description
Plaintext storage Passwords or personal data stored without encryption
Insecure transport Using HTTP instead of HTTPS
Weak encryption algorithms Use of MD5, SHA-1, DES, RC4
No encryption for backups Sensitive DB backups stored unprotected
Hardcoded keys Keys or secrets embedded in source code
Improper SSL/TLS configs Accepting self-signed or expired certificates
Incorrect key sizes or reuse Reusing keys across users or sessions
How to Prevent Cryptographic Failures?
Measure Description
Use HTTPS everywhere Enforce secure transport (TLS 1.2+)
Encrypt sensitive data at rest and in transit Protect PII, financial data, etc.
Use strong, modern algorithms e.g., AES-256, RSA-2048, SHA-256
Store passwords hashed with salt Use bcrypt, Argon2, or PBKDF2
Avoid hardcoding secrets Use secure vaults (e.g., HashiCorp Vault, AWS Secrets Manager)
Manage keys properly Rotate, expire, and revoke keys securely
Validate TLS certificates Prevent man-in-the-middle (MITM) attacks
How to Detect Cryptographic Failures?
● Manual code reviews (check for hardcoded secrets, insecure libraries)
● Security scanners (e.g., Burp Suite, Nessus, OWASP ZAP)
● Penetration testing
● TLS/SSL analyzers (e.g., SSL Labs, [Link])
Example
Scenario: Password Storage Without Hashing:
Application:
An e-commerce website where users create accounts and login using their email and password.
Vulnerable Implementation:
The developer stores user credentials like this:
User Table:
| ID | Email | Password |
|----|------------------------------|---------------------|
| 1 | alice@[Link] | alice123 |
| 2 | bob@[Link] | bobbyrocks |
Issue? Passwords are stored in plain text in the database.
Attack Scenario:
A hacker performs SQL injection or compromises the database using another method and runs:
SELECT * FROM users;
They now have the cleartext passwords of all users.
Result:
[
{ "email": "alice@[Link]", "password": "alice123" },
{ "email": "bob@[Link]", "password": "bobbyrocks" }
]
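The fix the prevention table prescribes for this scenario ("store passwords hashed with salt", PBKDF2 among the named choices) applied to the same two accounts. This is an added example, not the slides' code: it uses PBKDF2-HMAC-SHA256 because it ships with Python (bcrypt or Argon2 would serve equally), the iteration count is an assumption, and the accounts are constructed.

```python
"""Hardened replacement for the plaintext password column in the slide's table:
PBKDF2 with a per-user random salt, constant-time verification, and a login that
does the same work for unknown e-mails.

Added example for this lecture, not the slides' code. PBKDF2-HMAC-SHA256 is used
because it ships with Python; bcrypt or Argon2 (also named on the slide) are equally
valid. The accounts are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: 600,000 follows the OWASP Password Storage Cheat Sheet's figure for
# PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never fall back to a plaintext compare
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    # compare_digest does not stop at the first differing byte, so timing leaks nothing
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


# Constructed users: the same two accounts as the slide, stored without plaintext.
USERS = {
    "alice@example.invalid": hash_password("alice123"),
    "bob@example.invalid": hash_password("bobbyrocks"),
}
# Verified against for unknown e-mails so response time does not reveal which accounts exist.
DUMMY_HASH = hash_password("not-a-real-password")


def login(email: str, password: str) -> bool:
    stored = USERS.get(email)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, stored)


def dump_users():
    """What 'SELECT * FROM users' now yields to an attacker: salted hashes, not passwords."""
    return [{"email": e, "password": h} for e, h in USERS.items()]


if __name__ == "__main__":
    for row in dump_users():
        print(row)
    print(login("alice@example.invalid", "alice123"))  # True
```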
Top-5 IoT Vulnerabilities: Injection
User-supplied data is not validated, filtered, or sanitized by the application.
The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
Use positive server-side input validation.
Use a safe API.
SQL injection
SQL Injection occurs when user input is unsafely inserted into SQL queries, allowing attackers to:
● View unauthorized data
● Bypass logins
● Modify or delete records
● Execute administrative commands
# Dangerous: directly embedding user input in SQL
username = [Link]['user']
query = f"SELECT * FROM users WHERE username = '{username}'"
If username = ' OR 1=1 --, the query becomes:
SELECT * FROM users WHERE username = '' OR 1=1 --'
Always true → Bypasses login
How to Prevent SQLi
Measure Description
Use Prepared Statements e.g., [Link]("SELECT * FROM users WHERE username = ?", (user,))
Input validation Whitelist expected formats
Least privilege DB accounts with minimal rights
Stored procedures (with care) Avoid dynamic SQL inside SPs
WAFs Add an extra layer, but not a replacement
Command Injection
Command Injection occurs when user input is injected into system commands, often via shells or APIs, allowing
attackers to execute arbitrary OS-level commands.
Example (Vulnerable Code written in Python)
import os
ip = input("Enter IP: ")
[Link]("ping " + ip)
If input = [Link] && rm -rf /, the full command becomes:
ping [Link] && rm -rf /
Impact of Command Injection
Attack Type Description
Remote Code Execution Run shell commands on server
System Compromise Full control over the host
Data Destruction Delete critical files
Pivoting Move laterally in network
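The two injection cases above, the login query built with an f-string and the ping command built by concatenation, beside the hardened forms the prevention table calls for (prepared statements, positive input validation, a safe API instead of the shell). This is an added example, not the slides' code: it uses an in-memory SQLite database with constructed users, and only builds the ping argv list so the test never executes ping.

```python
"""Vulnerable and hardened forms of the two injection cases in the slides.

Added example for this lecture, not the slides' code. Uses an in-memory SQLite
database with constructed users; the command-injection half builds the ping
argv list without running it so it can be exercised safely.
"""
import ipaddress
import sqlite3
import subprocess


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("bob", "h2")])
    return db


def find_user_vulnerable(db, username):
    """The slide's pattern: user input pasted into the query text.

    With username = "' OR 1=1 --" the WHERE clause becomes always-true and the
    trailing quote is commented out, so every row comes back (the login bypass).
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(query)]


def find_user_safe(db, username):
    """Prepared statement: the input is bound as data and cannot alter the query structure."""
    rows = db.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- Command injection ---------------------------------------------------

class BadInput(ValueError):
    pass


def ping_argv(user_ip):
    """Build the ping command as an argv list; no shell is involved.

    Positive validation first: only a syntactically valid IPv4/IPv6 address is
    accepted, so "203.0.113.1 && rm -rf /" is rejected before anything runs.
    """
    try:
        ip = ipaddress.ip_address(user_ip.strip())
    except ValueError:
        raise BadInput("not an IP address") from None
    return ["ping", "-c", "1", str(ip)]


def ping(user_ip):
    """Run the validated command with subprocess in list form (no shell parsing of the input)."""
    argv = ping_argv(user_ip)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).returncode


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", find_user_vulnerable(db, payload))  # ['alice', 'bob']
    print("safe:      ", find_user_safe(db, payload))        # []
    print(ping_argv("203.0.113.1"))
```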
Top-5 IoT Vulnerabilities: Insecure Design
A culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods.
A secure design can still have implementation defects leading to vulnerabilities that may be exploited.
Use threat modeling for critical authentication, access control, business logic, and key flows.
Example Attack scenario
Scenario #1: A credential recovery workflow might include “questions and answers,” which is prohibited by NIST 800-63b, the OWASP ASVS, and the OWASP Top 10.
Questions and answers cannot be trusted as evidence of identity as more than one person can know the answers, which is why they are prohibited. Such code should be removed and replaced with a more secure design.
Top-5 IoT Vulnerabilities: Security Misconfigurations
Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
Default accounts and their passwords are still enabled and unchanged.
An automated process to verify the effectiveness of the configurations and settings in all environments.
Common Causes
Default credentials (e.g., admin:admin)
Unpatched systems or services
Unnecessary services running
Directory listing enabled
Error messages leaking sensitive info
Overly permissive permissions (e.g., chmod 777)
Example attack scenario
Scenario #1: The application server comes with sample applications not removed from the production server.
These sample applications have known security flaws attackers use to compromise the server. Suppose
one of these applications is the admin console, and default accounts weren't changed. In that case, the
attacker logs in with default passwords and takes over.
Example attack scenario
Real-World Example
Scenario:
A company's web server is deployed with default settings. It includes:
● Directory listing enabled
● Admin panel accessible at /admin
● Default credentials: admin / admin123
● Detailed error messages shown to users
Attack:
1. Attacker visits [Link]
2. Tries default credentials → Login successful!
3. Finds sensitive configuration data
4. Explores /uploads/ and sees that directory listing is enabled
5. Downloads sensitive documents
6. Triggers an error intentionally → Gets full stack trace revealing backend logic
Result:
The attacker gains admin access, steals data, and maps out the backend system — all due to misconfigurations.
Questions
Scenario:
A university web portal has separate dashboards for students and faculty. A student discovers that by changing the URL from /student/dashboard to /faculty/dashboard, they can view faculty content.
What type of vulnerability is this?
Answer: Broken Access Control (specifically, Insecure Direct Object Reference or Forced Browsing)
Scenario:
An e-commerce site allows users to log in using HTTP (not HTTPS). A user logs in using a public Wi-Fi connection, and their session is hijacked.
What cryptographic failure is demonstrated here?
Answer: Transmission of sensitive data without encryption (no TLS/SSL)
Scenario:
An online bookstore allows searching by book title. A user enters the input: ' OR '1'='1' -- and is able to bypass login.
What type of attack is this?
Answer: SQL Injection
Contact: Dr. Geeta, IIT Ropar,
email: geeta@[Link]