Categories
Uncategorized

Winter Term Wrap-Up

As the second term of my capstone project nears its end, I have made a lot of progress on developing my project and also faced a few challenges along the way. With my solid research and planning on web vulnerabilities, identifying and mitigating the vulnerabilities has been fairly straightforward. However, lacking experience on a lot of the required skills for implementing this project has set me back compared to my expectations of progress. This factor is compounded as I working independently rather than on a team, where other folk’s skillsets could help fill the gaps in my experience. Working independently requires teaching oneself all of the skills necessary for project development. Luckily, it seems that the time saved by my solid prep work has balanced out the time lost to my inexperience, and I am on track with my Development Plan.

Balancing Time

One example of this balancing act was with implementing session management for the vulnerability toggle. This was a relatively simple task, so I did not expect it to take long to implement. However, as with all new skills, there were hiccups along the way and I had issues incorporating my session information into the vulnerability toggle. I continued to spend extra time learning how to properly implement this by referencing documentation and guides, but was still able to keep pace with my Development Plan and Sprint Plan because I had planned out the vulnerabilities and mitigations so well that implementing them in the project was typically painless. With simple and well-planned attacks and mitigations, the bulk of my time was spent on the setup for each attack which typically involved a new webpage and an additional security feature.

Adapting Knowledge from Previous Course Projects

Working on this project has required combining my experience of previous course projects into one robust project, as well as learning and implementing completely new skillsets. The previous course assignments that have most specifically been helpful to my project are the final web application from Intro to Databases, the Final Prototype from Usability Engineering, and the Damn Vulnerable Web Application assignment from Intro to Security. Each of these projects were helpful for a small aspect of the project: the Prototype was helpful for my initial design phase, the web application was helpful for my base website implementation, and the DVWA was helpful in informing my approach to the vulnerabilities and user interface. While each of these projects were a helpful as starter information, previous projects were more limited in scope than my project is, so it took some adapting as well as learning new skills for project implementation.

Bridging the Gap from Theoretical Knowledge

A similar challenge highlighted by this project is bridging the gap between the theoretical knowledge taught in a lot of the security classes and actually applying the knowledge in a real-world implementation. Beyond the limited aspects of this projects that overlapped with my previous experience, this project has involved learning new skills and applying them to my project, which takes a lot of time. I was initially frustrated with this, feeling that I was not progressing with development at an acceptable page. As time went on, I began to feel differently about the time spent learning, as it is a necessary part of project development. Learning how to implement the project is an important part of project development. It is vital to know how to learn new skills when they are necessary, especially working in Computer Science. Technology moves so quickly that it is important to be able to adapt your knowledge with new experiences, or your knowledge will risk becoming outdated.

Looking Forward

As project development for this term is complete, I am proud of my progress and looking forward to continuing development. I have implemented a basic web application and database and have addressed a few vulnerabilities present in it. With a lot of the project set-up complete, further development will address a further vulnerabilities. The more vulnerabilities addressed in my project, the more helpful it will be for users to gain experience with penetration testing and web-based vulnerabilities. My hope is to continue developing this project by adding further vulnerabilities even once I have graduated.

Categories
Uncategorized

Tools of the Trade

For this post I will be discussing the tools and technologies I am using for my project development. My project involves creating a database-backed web application partnered with reports which identify and walkthrough various web based vulnerabilities and mitigations. This process has involved using a variety of tools to complete necessary tasks. While I have had exposure to most of these tools prior to this project, my knowledge and experience has increased during the development process.

Design Tools

During the design phase last term, I created a series of UI mockups using Figma, a helpful design tool that allows for easy creation of mockups as well as interactive prototypes (though I did not use them for this project). This is a helpful tool for the design portion of development, as well as being able to quickly mock up new UI aspects introduced as development progresses.

Development Tools

During project development I have primarily used Visual Studio Code as an IDE, linked to my GitHub so I can develop and test locally (or on a VM as I will when more harmful vulnerabilities are encountered) and push those changes to my repository. I have found that I do not really like the integrated GitHub in Visual Studio Code so I tend to take the extra middle step of utilizing GitHub Desktop to stage my commits from my local system.

Generally, version control tools are extremely useful when working on projects as it allows for changes to be reverted if necessary, as well as accurately tracking code changes. When I first started coding, version control was extremely intimidating for me. Even now I prefer a more visual-based version control system UI rather than something command-line based. Avoiding using version control when not required by various class assignments has set me back on quite a few projects where I was close to completion and ended up introducing unmanageable bugs later on. Using version control on personal projects is helpful to avoid a coding catastrophe, whereas using version control on group projects is non-optional. I cannot imagine working on a group project without implementing some sort of version control to keep track of all the code changes.

Database Tools

As my web application is backed by a database, I am also using some tools to interact with that. I have the database hosted via Google Cloud SQL for MySQL, which was easy to set up and has been easy to manage so far. I can connect to it from the web application as well as through my local system through MySQL Workbench. MySQL Workbench is really helpful for managing the database as I perform various testing which involves creating accounts. As the web application does not allow for account deletion, I can simply manually delete the testing accounts using MySQL Workbench.

Testing Tools

In addition to the web application and database, a large portion of this project is focused on vulnerability exploitation, mitigation, and documentation. The project’s GitHub repository contains a folder of vulnerability reports which detail the walkthrough of attacks and defenses. For some of these attacks, additional tools are needed.

The most recent exploit I explored involved Insecure Anti-Automation. To perform the attack, I used Burp Suite Community Edition for this attack. This is probably one of my favorite technologies I have used for my project and I am hoping to utilize it in further vulnerability explorations. Burp Suite is a great tool for anyone experimenting with web vulnerabilities or testing their own web application.

Burp Suite allows users to intercept web traffic on a dedicated browser, which allows users to view and manipulate HTTP requests. There are a variety of different attacks that can be performed, including Repeater and Intruder attacks. Once Burp Suite is running and the user has the dedicated browser open, they can intercept each request, examine them, and determine the action to take (forward the request to allow it to be sent, drop the request, or use it in an attack). This can be used for penetration testing of a web application, but it can also be useful for general web application development to test the functionality of your application.

Also, Burp Suite is great for novice users as well as advanced users. A novice user could easily follow instructions to perform simple attacks (such as those I provide in my vulnerability report about Insecure Anti-Automation), while advanced users could perform more complex attacks and interactions. I would not consider myself an advanced user for Burp Suite yet, but I hope to gain more experience with this technology as my project progresses. Even outside of this project, Burp Suite is a great tool for anyone interested in web applications or security!

Categories
Uncategorized

When Code Stinks: Smelly vs Clean Code

Most people who have written code know how easy it is to code yourself into a corner. Writing smelly code, or code that is potentially problematic, can make code difficult to follow, maintain, develop, or even make the code unreadable to other programmers. To learn more about code smells, I read an article discussing clean code as well as an article discussing code smells.

Clean Code

The first article, “What is Clean Code?” by Codacy, introduces the topic of clean code and notes nine primary principles of clean code [1]:

  1. Avoid Hard-Coded Numbers
  2. Use Meaningful and Descriptive Names
  3. Use Comments Sparingly, and When You Do, Make Them Meaningful
  4. Write Short Functions That Only Do One Thing
  5. Follow the DRY (Don’t Repeat Yourself) Principle and Avoid Duplicating Code or Logic
  6. Follow Established Code-Writing Standards
  7. Encapsulate Nested Conditionals into Functions
  8. Refactor Continuously
  9. Use Version Control.

While I was familiar with the basics of clean code, reading through the article reminded me that there are some clean code practices I perform better than others. Of the nine principles discussed in the article, one aspect I could use improvement with would be the sixth principle, following established code-writing standards [1]. While I always strive to write clean and readable code, as I switch between different languages I don’t typically reference different language style guides as I ought to. Instead I would write the code with a general eye on consistency and readability, but not necessarily following the language’s style guide.

The Codacy article notes a few examples of differences between style guides between different languages, noting that Java uses camelCase for variable, function and class names, while Python uses snake_case [1]. I tend to avoid snake_case due to personal preference, but it would benefit my code to be consistent with other code in the same language. It would make my code more usable for other developers if I followed language-specific style guides, so I will be more cognizant of this in the future, as I want my code to be usable and useful to others.

Code Smells

The second article, “31 Code Smells…” by Pragmatic Ways, discussed different code smells, how to identify them, and how to avoid them [2]. This article separates code smells into a few general categories: dispensables, bloaters, abusers, couplers, preventers, and other notable mentions [2].

During my time of writing code I have certainly written some smelly code, especially on earlier personal projects. I recall one personal project where I attempted to create an application but did not really plan my approach, and I ended up with extremely bloated code. One of the biggest indicators that I needed to refactor was the long parameter lists (#9 on the list of 31 code smells) for various functions [2]. The article discusses two likely problems that could cause long parameter lists [2]:

  1. There’s more than one thing happening in the function
  2. The parameters are tightly related and should be grouped together in a data object

In this case, it was likely a case of both factors, but certainly utilizing a data object would have reduced the number of parameters passed between functions.  Not only did the excess parameters make maintaining the code almost impossible, but it made the prospect of refactoring overwhelming, and I did not end up maintaining the project. If I were to reapproach it now, I would likely start from scratch rather than clean up the smelly code.

The article’s example code includes multiple parameters which each reference an aspect of a person [2]: 

public void printPerson(String firstName, String lastName, String middleName, String maidenName, String babyName, String nickName, String thirdFavoriteDinosaur) {
  ...
}

This could be refactored to a data object to allow the number of parameters passed to be reduced, as well as generally make the code cleaner and more readable. Consider a Person object which contains the attributes passed as parameters, such as person.firstName, person.lastName, etc. This would clean up the code by organizing the data better and reducing the number of parameters to be passed around, as seen in the article’s solution code [2]:

public void printPerson(Person person) {
  ...
}

While my personal example was from quite a while ago, there is still the possibility that similar code smells could find their way into code that I write. To avoid repeating the code smell of excessive parameter lists, I will note when parameters are linked and ought to be encapsulated in a data object, as well as assessing if my functions are targeted enough.

By keeping an eye out for code smells as I write code, as well as reassessing previous code I encounter, I will be better able to keep the smells at bay and write cleaner code. Unaddressed code smells can snowball into an unmanageable situation which could significantly hinder development of a project.

Sources

[1] Codacy, “What Is Clean Code? A Guide to Principles and Best Practices,” blog.codacy.com, Dec. 19, 2023. https://blog.codacy.com/what-is-clean-code (accessed Jan. 16, 2025).

[2] A. Allard, “31 Code Smells all software engineers must watch out for,” Pragmatic Ways. https://pragmaticways.com/31-code-smells-you-must-know/ (accessed Jan. 16, 2025).

Categories
Uncategorized

My Capstone Progress

Concluding Fall Term

As the first term of my capstone project comes to an end, I am feeling good about my progress so far and looking forward to continuing development next term.

Current State of the Project

As I have completed the second progress report for my project, I believe my project is set up well for continuing development. I have created thorough requirements and design documents which will help guide development. I also have the initial implementation of the project, as well as the first vulnerability exploit completed. As the project exists now, there is a database hosted on Google Cloud, connected to (a currently local implementation of) a simple website which contains two webpages: the home page and the log in page. The home page is very simple, as the purpose is just to show that the website is connected to the database properly. The page contains basic information of my project as well as displaying the database’s Users table, which holds all user credentials. The user credentials can be used for the first vulnerability exploit on the log in page, which focuses on SQL Injection. The log in page currently has a popup with the response for each log in attempt, and if successful, the popup greets the user by name.

Implementing the SQL Injection attack was an enjoyable experience for me and increased my confidence on moving forward with development of the project. While I did reference my design document for this implementation, I ended up adjusting the attack from what was planned in the design document, to better fit the implementation of the webpage. I had initially planned for the SQL Injection attack to attempt to access all user credentials from the Users table, but once I had the basic log in page implemented, I opted to pivot this to an alternative attack.

Adjusting Plans

The attack utilizes SQL Injection to Bypass Authentication and attempt to log in without a valid password. I adjusted based on how the log in page was implemented: the user enters their username and password, which is sent by the web application to the server. The server looks up the user in the database and if they are found with the correct username and password, the server responds with their first name and last name, which the web application displays to the user in a greeting confirming their successful log in. With that being implemented, I found that an Authentication Bypass attack using SQL Injection would be a better approach for the first vulnerability. Adjusting my plan allowed for a more straightforward exploitation for the first vulnerability, while still addressing SQL Injection.

Adjusting my plans also increased my confidence in the flexibility of my design document. I attempted to factor in the unknowns of the details of implementation of the vulnerabilities by emphasizing the nuanced nature of these attacks and noting that approaches may deviate from what was outlined. I also included more vulnerabilities than I will likely have time to implement, which could allow me to drop a vulnerability that ends up being unrealistic to implement, and easily pivot to one of the other vulnerabilities noted in my document. By overplanning in my design document, I not only have flexibility in my approach to implementation, but a guideline on moving forward should I continue development beyond my time in school, which I hope to.

Continuing Development

With the base web application, database, and first vulnerability exploit complete, I am looking forward to continuing development on my project. The next vulnerability I plan to address is Path Traversal, which will require implementing a Products page and adding a file system of “product files” to be accessed by the Products webpage. My plan right now is for the attack to focus on attempting to access a file in a different directory, and the defense will focus on user input validation to ensure that website users cannot access unintended files through the Products page. While not completely necessary for the attack, this may also be a good time to implement the Access Control System, considering only users of a certain type ought to be able to access the Products page. With each vulnerability to be addressed, the process will be similar: implement an attack surface, perform an attack, implement toggleable defenses, and write a vulnerability report of the process.

Project Vision

With the initial versions of the project implemented, I have a more clear vision of what I hope for the future of this project. As I continue development by adding additional webpages, vulnerabilities, and vulnerability reports, I will be considering my end goal. I want to create a web application that someone would actually use to practice or learn about penetration testing and web security. Ideally, the end result would be something  which a user of any experience level could utilize, which is worthy of being added to OWASP’s Vulnerable Web Applications Directory. As development continues I plan to perform usability tests on my web application with users of different experience levels, including complete novices and folks who may have a bit more experience. This will help inform me of any User Interface issues as well as increasing the likelihood that real people might use my web application and find it useful. If I am able to create a project that people will actually use, this will not only be personally rewarding to me but would also be a great project to include on my resume as I look for work in the computer science field.

Thanks for reading my post!

If you are interested in my project and want to be part of it, consider volunteering for user testing!

~ Cassidy Williams ~

Categories
Uncategorized

My Capstone Project

Website Security Research

For my capstone project, I am working on a Website Security Research Project. In this project, I will create a simple web application backed by a database, and perform penetration testing on select vulnerabilities while compiling easy to follow reports for users to follow along with the attacks. As I have recently transitioned to working solo on this project, I have been focusing on revamping my design document which will guide project development through the rest of the school year.

Current Progress
As the end of the first term of my capstone project approaches, my focus has been on designing and planning my project, as well as implementing the initial version. I have outlined the database plan as well as drafting the website user interface using wireframes. I used Figma for my wireframes, which I have also been using in my Usability Engineering course, and I have found it to be a very useful tool for prototyping. The website will be simple and will mostly be displaying and interacting with data from the database. I am working on pinning down which vulnerabilities I intend to address and how I will incorporate them into my website, as well as other important aspects of the system.

Development Plan
I plan to build this website incrementally. I will start with an initial version of my website with a simple log in page. Ideally, this will be connected to the database so that a user could log in with credentials saved in the database. At this point in time, the database may not be fully developed and may contain only user credentials. The first vulnerability I intend to exploit is SQL Injection, which will be done through this log in page. Time permitting, I may be able to implement an initial attack and defense in my initial version of the website that I could walk through in my v0.0.1 progress report video.

Once the initial website is up and running, I will first ensure the database is implemented as designed to hold all necessary data for the website. I will be building the rest of the project incrementally based on vulnerabilities. With the first version being a log in page connected to the database, I will build each page from there when it becomes relevant to exploiting a vulnerability, or simply if I have spare time. While much is still to be determined regarding the vulnerabilities, I have a tentative list of ten attacks from five vulnerability categories. I am unsure how much time each vulnerability process will take, so I may not actually get to implementing each of the vulnerabilities, but I would rather have more planned than I could complete than having to adjust my plan to add new vulnerabilities later. In order to properly plan each attack, I will be including in my design document the following information for each vulnerability: a description of the vulnerability and background information (which will be added to the final vulnerability reports), a defined attack surface (which may involve adding new pages or features not are currently planned), and a general attack and defense plan, noting any tools necessary for the process.

By thoroughly designing my project, implementation will be much easier. I will have clear goals and completion criteria for each sprint and will be able to incrementally build my project. Each iteration of the website and vulnerability reports ought to be usable as they are, so that no matter how many vulnerabilities I have time for, once I complete each iteration the website and reports will be ready for users to explore.

Initial Implementation
In addition to planning the project, I have been working on implementing the initial version of the website and database. I am hoping to do so in Google Cloud, and have been learning about the process. I have never used Google Cloud before, and previous websites and databases I have made have all been hosted through OSU. I am excited to be working on a live website and database, as this project is something that I would be interested in continuing to develop after my time in school as well as wanting to put it on my resume. Thus far I have successfully connected to a test database on Google Cloud, and I am working on implementing my initial website as well. It has been a learning experience as I am doing this by myself, but Google Cloud has a lot of tutorials which have been helpful for the process.

Going Forward
For the rest of this term, my biggest hurdles will likely be implementing the website and connecting it to the database. I have some experience in this area (coursework only), but I feel confident that I will be able to get it working. I will also be continuing to work on updating my design document and planning my vulnerabilities to exploit. By the end of the term, I am hoping that I will have a clear vision of how to split up my work for each sprint. My design document may include details of my plans for each iteration of the project, such as including that the initial version will have a login page, credentials in a database, and a vulnerability to SQL Injections. Each planned iteration will include which pages will be present as well as which vulnerabilities, and each vulnerability completed will be detailed in its vulnerability report.

Overall, I am very excited to be working on this project. I tend to enjoy planning and designing, and it has been rewarding to me to see my imagined project materialize in the design document. Solid planning is the first step to a solid project, and I am doing my best to ensure my design is thorough and detailed. I am looking forward to continuing to develop the project, and I am sure that I will be able to create an end result that I will be proud of, and potentially continue to develop after I graduate. The process of penetration testing and hardening the application will be great hands-on practice to better prepare me for my future career in cybersecurity.

Thanks for reading!

~ Cassidy Williams ~

Categories
Uncategorized

Hello World: An Introduction

Hello world, and welcome to my Capstone blog! I am Cassidy Williams and I am majoring in Computer Science with a Cybersecurity focus. I live in the Portland area with my four-year-old son and two cats. In my spare time I enjoy running, yoga, painting, and adventuring with my son.

I have always enjoyed working with computers, despite not growing up in a technologically friendly household. As a child, I enjoyed tinkering with broken electronics to see if I could fix them or figure out how they worked. As a teen, I took as many computer classes as my school offered (which was not many!) and tinkered with my own computer in my spare time. My first computer “project” that I was proud of was fully customizing my laptop to be Matrix themed, including playing Matrix quotes during boot up and requiring clicking on the correct pill to log in. While it was not very technically complicated, I had a lot of fun with it and began working more in depth with my computer afterwards. I became interested in Cryptography (math has always been a passion of mine) and Cybersecurity related topics, as well as general software programming.

I studied Computer Science at PCC for my AS before transferring to OSU, where I have been attending online via eCampus. I have really enjoyed studying Computer Science and especially find project-based assignments to be very rewarding. My favorite classes so far have been Cryptography, Computer Architecture and Assembly Language, Analysis of Algorithms, Operating Systems, Intro to Computer Networks and Intro to Security. I look forward to taking Defense Against the Dark Arts (this term) as well as  Digital Forensics (Winter) and Network Security (Spring). And of course I look forward to completing my Capstone Project and graduating next spring!

With this as my final year in school, I hope to make the best of my time and be able to contribute to a Capstone Project that is challenging, personally rewarding, and either builds towards my career goals or has some sort of positive real-world impact.

The top five projects that stand out to me are:

  • Malware Analysis: This project interests me because it is related to Cybersecurity and would look good on my resume. This project seems like it would be a healthy challenge for me to learn more real-world application of cybersecurity topics as we will be analyzing malware, which sounds like a great way to get a head start into my intended career path. As I have not yet done any malware analysis, I would appreciate the challenge of this project and I feel it would fit well with some of the courses I will be taking this year as well.
  • Website Security Research Project: This project interests me because it seems like it would be very helpful to have on my resume for a Cybersecurity career. I have taken Intro to Security and found the DVWA (Damn Vulnerable Web Application) project to be very fun and rewarding, and this seems like a good way to expand on that by not only attempting penetration testing on the app, but also on hardening the app against our penetration testing results. I feel this project would be very rewarding for me and relevant to my intended career path.
  • Math Go!: This project appeals to me because it seems like it would be rewarding and could have a real-world impact to help students have a more fun way to learn and practice math. While I do not have experience with game development, I think that this project sounds like a lot of fun and I could see it being very helpful for students that really struggle with math, as a common complaint is that math “isn’t fun”. In addition, having it help keep students active by encouraging them to seek out the beasties seems like this project would be very rewarding for me to work on. I would love to see my son use a game like this to help him learn math!
  • Lidar to 3D Sound Application for the Seeing-impaired: This project interests me because of the real-world impact. I love to see different ways that technology can be used to make the world more accessible to people with disabilities. This project also seems like it would be challenging but very rewarding. I would love to be a part of something that can improve the lives of seeing-impaired, as technology often leaves out marginalized groups when it ought to be used to help them.
  • Text Adventure Game for Education: This project appeals to me because I would like to contribute to something with a positive real-world impact. I love the idea of allowing teachers to create their own Text Adventure Games to increase engagement for students. I have known many students who would benefit from a more gamified educational approach, and it seems like as children grow up with more technology as part of their day to day, the benefit of incorporating games into education are greater now than ever before.

Other projects that caught my attention were:

  • Citizen Science App for Kids
  • A-Life Challenge
  • Lets Launch a Game
  • Online Trading Card Game Maker
  • Cross-Platform Personal Trainer App

Overall I am excited to be able to be involved in a capstone project with other students, and I am looking forward to seeing which project I end up with! I feel that any of these projects would be a great opportunity to apply what I have learned in my studies so far to achieve a challenging goal, and I am excited to be part of creating something that I can show off!

Thanks for your time!

~ Cassidy Williams ~