My Capstone Progress

Concluding Fall Term

As the first term of my capstone project comes to an end, I am feeling good about my progress so far and looking forward to continuing development next term.

Current State of the Project

As I have completed the second progress report for my project, I believe my project is set up well for continuing development. I have created thorough requirements and design documents which will help guide development. I also have the initial implementation of the project, as well as the first vulnerability exploit completed. As the project exists now, there is a database hosted on Google Cloud, connected to (a currently local implementation of) a simple website which contains two webpages: the home page and the log in page. The home page is very simple, as the purpose is just to show that the website is connected to the database properly. The page contains basic information of my project as well as displaying the database’s Users table, which holds all user credentials. The user credentials can be used for the first vulnerability exploit on the log in page, which focuses on SQL Injection. The log in page currently has a popup with the response for each log in attempt, and if successful, the popup greets the user by name.

Implementing the SQL Injection attack was an enjoyable experience for me and increased my confidence on moving forward with development of the project. While I did reference my design document for this implementation, I ended up adjusting the attack from what was planned in the design document, to better fit the implementation of the webpage. I had initially planned for the SQL Injection attack to attempt to access all user credentials from the Users table, but once I had the basic log in page implemented, I opted to pivot this to an alternative attack.

Adjusting Plans

The attack utilizes SQL Injection to Bypass Authentication and attempt to log in without a valid password. I adjusted based on how the log in page was implemented: the user enters their username and password, which is sent by the web application to the server. The server looks up the user in the database and if they are found with the correct username and password, the server responds with their first name and last name, which the web application displays to the user in a greeting confirming their successful log in. With that being implemented, I found that an Authentication Bypass attack using SQL Injection would be a better approach for the first vulnerability. Adjusting my plan allowed for a more straightforward exploitation for the first vulnerability, while still addressing SQL Injection.
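As an added illustration (not code from the project, whose implementation language the post does not name), here is the login lookup described above written in Python against SQLite: the concatenated query that the authentication bypass relies on, beside the parameterized query that closes it. The Users table columns and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the project's Users table; the
# column names are assumptions, not taken from the project.
SAMPLE_USERS = [
    ("alice", "s3cret-pass", "Alice", "Anderson"),
    ("bob", "hunter2", "Bob", "Baker"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT, "
                 "first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Lookup built by string concatenation: the submitted text becomes part
    of the SQL syntax. Returns (first_name, last_name) on a match, else None."""
    query = ("SELECT first_name, last_name FROM Users WHERE username = '"
             + username + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver passes the values
    separately from the SQL text, so quotes in the input stay plain data."""
    query = ("SELECT first_name, last_name FROM Users "
             "WHERE username = ? AND password = ?")
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both lookups against the same malformed password and a valid one."""
    conn = make_db()
    # A password that closes the quoted literal and appends an always-true
    # condition: the concatenated query no longer checks the password at all.
    bad_password = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", bad_password),
        "safe": login_safe(conn, "alice", bad_password),
        "legit": login_safe(conn, "alice", "s3cret-pass"),
    }
```

The vulnerable lookup greets the user by name without a valid password, while the parameterized lookup returns no row for the same input; this is the toggleable defense the post describes.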

Adjusting my plans also increased my confidence in the flexibility of my design document. I attempted to factor in the unknowns of the details of implementation of the vulnerabilities by emphasizing the nuanced nature of these attacks and noting that approaches may deviate from what was outlined. I also included more vulnerabilities than I will likely have time to implement, which could allow me to drop a vulnerability that ends up being unrealistic to implement, and easily pivot to one of the other vulnerabilities noted in my document. By overplanning in my design document, I not only have flexibility in my approach to implementation, but a guideline on moving forward should I continue development beyond my time in school, which I hope to.

Continuing Development

With the base web application, database, and first vulnerability exploit complete, I am looking forward to continuing development on my project. The next vulnerability I plan to address is Path Traversal, which will require implementing a Products page and adding a file system of “product files” to be accessed by the Products webpage. My plan right now is for the attack to focus on attempting to access a file in a different directory, and the defense will focus on user input validation to ensure that website users cannot access unintended files through the Products page. While not completely necessary for the attack, this may also be a good time to implement the Access Control System, considering only users of a certain type ought to be able to access the Products page. With each vulnerability to be addressed, the process will be similar: implement an attack surface, perform an attack, implement toggleable defenses, and write a vulnerability report of the process.
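As an added example of the Products page defense sketched above (not the project's own code; Python and the directory layout are assumptions), this compares an unvalidated file lookup with one that accepts only a bare file name and confirms the resolved path stays inside the products directory. The directory tree is constructed in a temporary folder so the script runs stand-alone.

```python
import os
import tempfile


def serve_product_file_naive(products_dir, requested):
    """Joins the user-supplied name onto the directory with no validation, so
    a name containing '..' resolves to a file outside products_dir."""
    with open(os.path.join(products_dir, requested), "rb") as f:
        return f.read()


def resolve_product_file(products_dir, requested):
    """Validate the request before touching the file system. Returns the
    resolved absolute path, or None if the request would leave products_dir."""
    base = os.path.realpath(products_dir)
    # Accept only a bare file name: no separators, no parent references.
    if not requested or requested != os.path.basename(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # Defence in depth: the resolved path (symlinks followed) must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def serve_product_file_safe(products_dir, requested):
    """Read the file only after resolve_product_file has accepted the name."""
    path = resolve_product_file(products_dir, requested)
    if path is None:
        return None
    with open(path, "rb") as f:
        return f.read()


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed layout: <tmp>/products/widget.txt and <tmp>/secret.txt."""
    root = tempfile.mkdtemp()
    products = os.path.join(root, "products")
    os.mkdir(products)
    _write(os.path.join(products, "widget.txt"), "widget spec")
    _write(os.path.join(root, "secret.txt"), "not a product")
    traversal = os.path.join("..", "secret.txt")  # request for a file one level up
    return {
        "naive_leaks": serve_product_file_naive(products, traversal) == b"not a product",
        "safe_blocks": serve_product_file_safe(products, traversal),
        "safe_allows": serve_product_file_safe(products, "widget.txt"),
    }
```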

Project Vision

With the initial versions of the project implemented, I have a clearer vision of what I hope for the future of this project. As I continue development by adding additional webpages, vulnerabilities, and vulnerability reports, I will be considering my end goal. I want to create a web application that someone would actually use to practice or learn about penetration testing and web security. Ideally, the end result would be something which a user of any experience level could utilize, which is worthy of being added to OWASP’s Vulnerable Web Applications Directory. As development continues I plan to perform usability tests on my web application with users of different experience levels, including complete novices and folks who may have a bit more experience. This will help inform me of any User Interface issues as well as increasing the likelihood that real people might use my web application and find it useful. If I am able to create a project that people will actually use, this will not only be personally rewarding to me but would also be a great project to include on my resume as I look for work in the computer science field.

Thanks for reading my post!

If you are interested in my project and want to be part of it, consider volunteering for user testing!

~ Cassidy Williams ~

My Capstone Project

Website Security Research

For my capstone project, I am working on a Website Security Research Project. In this project, I will create a simple web application backed by a database, and perform penetration testing on select vulnerabilities while compiling easy to follow reports for users to follow along with the attacks. As I have recently transitioned to working solo on this project, I have been focusing on revamping my design document which will guide project development through the rest of the school year.

Current Progress
As the end of the first term of my capstone project approaches, my focus has been on designing and planning my project, as well as implementing the initial version. I have outlined the database plan as well as drafted the website user interface using wireframes. I used Figma for my wireframes, which I have also been using in my Usability Engineering course, and I have found it to be a very useful tool for prototyping. The website will be simple and will mostly be displaying and interacting with data from the database. I am working on pinning down which vulnerabilities I intend to address and how I will incorporate them into my website, as well as other important aspects of the system.

Development Plan
I plan to build this website incrementally. I will start with an initial version of my website with a simple log in page. Ideally, this will be connected to the database so that a user could log in with credentials saved in the database. At this point in time, the database may not be fully developed and may contain only user credentials. The first vulnerability I intend to exploit is SQL Injection, which will be done through this log in page. Time permitting, I may be able to implement an initial attack and defense in my initial version of the website that I could walk through in my v0.0.1 progress report video.

Once the initial website is up and running, I will first ensure the database is implemented as designed to hold all necessary data for the website. I will be building the rest of the project incrementally based on vulnerabilities. With the first version being a log in page connected to the database, I will build each page from there when it becomes relevant to exploiting a vulnerability, or simply if I have spare time. While much is still to be determined regarding the vulnerabilities, I have a tentative list of ten attacks from five vulnerability categories. I am unsure how much time each vulnerability process will take, so I may not actually get to implementing each of the vulnerabilities, but I would rather have more planned than I could complete than having to adjust my plan to add new vulnerabilities later. In order to properly plan each attack, I will be including in my design document the following information for each vulnerability: a description of the vulnerability and background information (which will be added to the final vulnerability reports), a defined attack surface (which may involve adding new pages or features that are not currently planned), and a general attack and defense plan, noting any tools necessary for the process.

By thoroughly designing my project, implementation will be much easier. I will have clear goals and completion criteria for each sprint and will be able to incrementally build my project. Each iteration of the website and vulnerability reports ought to be usable as they are, so that no matter how many vulnerabilities I have time for, once I complete each iteration the website and reports will be ready for users to explore.

Initial Implementation
In addition to planning the project, I have been working on implementing the initial version of the website and database. I am hoping to do so in Google Cloud, and have been learning about the process. I have never used Google Cloud before, and previous websites and databases I have made have all been hosted through OSU. I am excited to be working on a live website and database, as this project is something that I would be interested in continuing to develop after my time in school as well as wanting to put it on my resume. Thus far I have successfully connected to a test database on Google Cloud, and I am working on implementing my initial website as well. It has been a learning experience as I am doing this by myself, but Google Cloud has a lot of tutorials which have been helpful for the process.

Going Forward
For the rest of this term, my biggest hurdles will likely be implementing the website and connecting it to the database. I have some experience in this area (coursework only), but I feel confident that I will be able to get it working. I will also be continuing to work on updating my design document and planning my vulnerabilities to exploit. By the end of the term, I am hoping that I will have a clear vision of how to split up my work for each sprint. My design document may include details of my plans for each iteration of the project, such as including that the initial version will have a login page, credentials in a database, and a vulnerability to SQL Injections. Each planned iteration will include which pages will be present as well as which vulnerabilities, and each vulnerability completed will be detailed in its vulnerability report.

Overall, I am very excited to be working on this project. I tend to enjoy planning and designing, and it has been rewarding to me to see my imagined project materialize in the design document. Solid planning is the first step to a solid project, and I am doing my best to ensure my design is thorough and detailed. I am looking forward to continuing to develop the project, and I am sure that I will be able to create an end result that I will be proud of, and potentially continue to develop after I graduate. The process of penetration testing and hardening the application will be great hands-on practice to better prepare me for my future career in cybersecurity.

Thanks for reading!

~ Cassidy Williams ~

Hello World: An Introduction

Hello world, and welcome to my Capstone blog! I am Cassidy Williams and I am majoring in Computer Science with a Cybersecurity focus. I live in the Portland area with my four-year-old son and two cats. In my spare time I enjoy running, yoga, painting, and adventuring with my son.

I have always enjoyed working with computers, despite not growing up in a technologically friendly household. As a child, I enjoyed tinkering with broken electronics to see if I could fix them or figure out how they worked. As a teen, I took as many computer classes as my school offered (which was not many!) and tinkered with my own computer in my spare time. My first computer “project” that I was proud of was fully customizing my laptop to be Matrix themed, including playing Matrix quotes during boot up and requiring clicking on the correct pill to log in. While it was not very technically complicated, I had a lot of fun with it and began working more in depth with my computer afterwards. I became interested in Cryptography (math has always been a passion of mine) and Cybersecurity related topics, as well as general software programming.

I studied Computer Science at PCC for my AS before transferring to OSU, where I have been attending online via eCampus. I have really enjoyed studying Computer Science and especially find project-based assignments to be very rewarding. My favorite classes so far have been Cryptography, Computer Architecture and Assembly Language, Analysis of Algorithms, Operating Systems, Intro to Computer Networks and Intro to Security. I look forward to taking Defense Against the Dark Arts (this term) as well as Digital Forensics (Winter) and Network Security (Spring). And of course I look forward to completing my Capstone Project and graduating next spring!

With this as my final year in school, I hope to make the best of my time and be able to contribute to a Capstone Project that is challenging, personally rewarding, and either builds towards my career goals or has some sort of positive real-world impact.

The top five projects that stand out to me are:

  • Malware Analysis: This project interests me because it is related to Cybersecurity and would look good on my resume. This project seems like it would be a healthy challenge for me to learn more real-world application of cybersecurity topics as we will be analyzing malware, which sounds like a great way to get a head start into my intended career path. As I have not yet done any malware analysis, I would appreciate the challenge of this project and I feel it would fit well with some of the courses I will be taking this year as well.
  • Website Security Research Project: This project interests me because it seems like it would be very helpful to have on my resume for a Cybersecurity career. I have taken Intro to Security and found the DVWA (Damn Vulnerable Web Application) project to be very fun and rewarding, and this seems like a good way to expand on that by not only attempting penetration testing on the app, but also on hardening the app against our penetration testing results. I feel this project would be very rewarding for me and relevant to my intended career path.
  • Math Go!: This project appeals to me because it seems like it would be rewarding and could have a real-world impact to help students have a more fun way to learn and practice math. While I do not have experience with game development, I think that this project sounds like a lot of fun and I could see it being very helpful for students that really struggle with math, as a common complaint is that math “isn’t fun”. In addition, having it help keep students active by encouraging them to seek out the beasties seems like this project would be very rewarding for me to work on. I would love to see my son use a game like this to help him learn math!
  • Lidar to 3D Sound Application for the Seeing-impaired: This project interests me because of the real-world impact. I love to see different ways that technology can be used to make the world more accessible to people with disabilities. This project also seems like it would be challenging but very rewarding. I would love to be a part of something that can improve the lives of seeing-impaired, as technology often leaves out marginalized groups when it ought to be used to help them.
  • Text Adventure Game for Education: This project appeals to me because I would like to contribute to something with a positive real-world impact. I love the idea of allowing teachers to create their own Text Adventure Games to increase engagement for students. I have known many students who would benefit from a more gamified educational approach, and it seems like as children grow up with more technology as part of their day to day, the benefits of incorporating games into education are greater now than ever before.

Other projects that caught my attention were:

  • Citizen Science App for Kids
  • A-Life Challenge
  • Lets Launch a Game
  • Online Trading Card Game Maker
  • Cross-Platform Personal Trainer App

Overall I am excited to be able to be involved in a capstone project with other students, and I am looking forward to seeing which project I end up with! I feel that any of these projects would be a great opportunity to apply what I have learned in my studies so far to achieve a challenging goal, and I am excited to be part of creating something that I can show off!

Thanks for your time!

~ Cassidy Williams ~