Tools of the Trade

For this post I will be discussing the tools and technologies I am using for my project development. My project involves creating a database-backed web application, paired with reports that identify and walk through various web-based vulnerabilities and their mitigations. This process has involved using a variety of tools to complete the necessary tasks. While I had exposure to most of these tools prior to this project, my knowledge and experience with them have increased during the development process.

Design Tools

During the design phase last term, I created a series of UI mockups using Figma, a design tool that allows for easy creation of mockups as well as interactive prototypes (though I did not use the prototyping features for this project). It is a helpful tool for the design portion of development, and also for quickly mocking up new UI elements that are introduced as development progresses.

Development Tools

During project development I have primarily used Visual Studio Code as an IDE, linked to my GitHub account so I can develop and test locally (or on a VM, as I will when more harmful vulnerabilities are encountered) and push those changes to my repository. I have found that I do not really like the GitHub integration in Visual Studio Code, so I tend to take the extra middle step of using GitHub Desktop to stage my commits from my local system.

Generally, version control tools are extremely useful when working on projects, as they allow changes to be reverted if necessary and accurately track code changes. When I first started coding, version control was extremely intimidating for me. Even now I prefer a more visual version control UI rather than something command-line based. Avoiding version control when it was not required by class assignments has set me back on quite a few projects where I was close to completion and then introduced unmanageable bugs later on. Using version control on personal projects is helpful to avoid a coding catastrophe, whereas using version control on group projects is non-optional. I cannot imagine working on a group project without implementing some sort of version control to keep track of all the code changes.

Database Tools

As my web application is backed by a database, I am also using some tools to interact with it. The database is hosted via Google Cloud SQL for MySQL, which was easy to set up and has been easy to manage so far. I can connect to it from the web application as well as from my local system via MySQL Workbench. MySQL Workbench is really helpful for managing the database as I perform various testing that involves creating accounts. As the web application does not allow for account deletion, I can simply delete the testing accounts manually using MySQL Workbench.

Testing Tools

In addition to the web application and database, a large portion of this project is focused on vulnerability exploitation, mitigation, and documentation. The project's GitHub repository contains a folder of vulnerability reports that walk through both the attacks and the defenses. For some of these attacks, additional tools are needed.

The most recent exploit I explored involved Insecure Anti-Automation. To perform the attack, I used Burp Suite Community Edition. This is probably one of my favorite technologies I have used for my project, and I am hoping to utilize it in further vulnerability explorations. Burp Suite is a great tool for anyone experimenting with web vulnerabilities or testing their own web application.

Burp Suite allows users to intercept web traffic from its dedicated browser, so they can view and manipulate HTTP requests. A variety of different attacks can be performed from there, including with the Repeater and Intruder tools. Once Burp Suite is running and the user has the dedicated browser open, they can intercept each request, examine it, and decide what action to take (forward the request so it is sent, drop it, or send it to one of the attack tools). This can be used for penetration testing of a web application, but it is also useful in general web application development to test the functionality of your application.

Burp Suite is also great for novice users as well as advanced users. A novice user could easily follow instructions to perform simple attacks (such as those I provide in my vulnerability report about Insecure Anti-Automation), while advanced users could perform more complex attacks and interactions. I would not consider myself an advanced Burp Suite user yet, but I hope to gain more experience with this technology as my project progresses. Even outside of this project, Burp Suite is a great tool for anyone interested in web applications or security!
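The Insecure Anti-Automation report mentioned above covers both the attack and its mitigation. As an added illustration of the defensive side (this is example code written for this post, not code from the project's repository or the report), the block below implements a per-client sliding-window limiter with a lockout, the kind of control that stops a tool replaying a login request many times in quick succession. The client key, the limits, and the two traffic samples are all assumptions constructed here to show normal use passing while a scripted burst is throttled.

```python
"""Anti-automation control: a per-client sliding-window rate limiter.

Added example for this post; not the project's own code. It assumes a
login endpoint that identifies each client by a key (here a constructed
IP address) and is exercised with constructed request timestamps.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds.

    Once the limit is exceeded, the key is locked out for `lockout` seconds,
    so a script cannot simply wait for the oldest request to age out of the
    window and then continue at full speed.
    """

    def __init__(self, limit=5, window=60.0, lockout=300.0):
        self.limit = limit
        self.window = window
        self.lockout = lockout
        self._hits = defaultdict(deque)   # key -> timestamps of recent requests
        self._locked_until = {}           # key -> time at which the lockout ends

    def allow(self, key, now):
        """Return True if the request at time `now` may proceed, else False."""
        if self._locked_until.get(key, 0.0) > now:
            return False
        hits = self._hits[key]
        # Discard timestamps that have fallen outside the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Limit reached: start the lockout and reset the window.
            self._locked_until[key] = now + self.lockout
            hits.clear()
            return False
        hits.append(now)
        return True


def simulate(attempts, limiter=None):
    """Run (timestamp, key) attempts through a limiter; return one bool per attempt."""
    limiter = limiter or SlidingWindowLimiter()
    return [limiter.allow(key, t) for t, key in attempts]


# Constructed traffic: a person retrying a login a few times over 40 seconds,
# and a script submitting ten attempts in two seconds from another address.
HUMAN = [(0.0, "10.0.0.1"), (12.0, "10.0.0.1"), (40.0, "10.0.0.1")]
SCRIPT = [(0.2 * i, "10.0.0.2") for i in range(10)]

if __name__ == "__main__":
    print("human :", simulate(HUMAN))    # all allowed
    print("script:", simulate(SCRIPT))   # first five allowed, rest blocked
```

In a real deployment the key would usually combine the client address with the targeted account, the state would live in a shared store rather than in-process memory, and rejected attempts would be logged so that a burst like the scripted one above shows up in monitoring.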