Some reflections on our project so far…
1. Introduction
- The project aims to build a mock web app that simulates common security flaws. The goal is to test the app’s security, find vulnerabilities, and figure out ways to protect sensitive user data while documenting the whole process.
- Penetration testing is being used to check for weaknesses in the app. This involves simulating attacks like SQL injection, XSS, and CSRF to see how these vulnerabilities might be exploited and also to find ways to fix them.
2. Project Overview
- The main goal is to create a web app that is vulnerable to common attacks, and then fix those issues to make the app more secure. This project also serves to teach testers about penetration testing and how to secure web applications.
- The vulnerable version of the app contains flaws like SQL injection, CSRF, and XSS. The secure version includes fixes like input validation, password hashing, and better session management to prevent these issues from being exploited.
- The project uses Flask for the backend, MySQL for the database, and Vue.js for the frontend. The testing environment is set up in a virtual machine running Ubuntu 22.04, with Burp Suite for penetration testing and MySQL Workbench for managing the database.
3. Challenges Encountered
- Some of the challenges include making sure the vulnerabilities are added in a controlled way, balancing the development of both versions, and configuring the database and server to function like a real app.
- Introducing vulnerabilities like SQL injection and XSS in a way that can be safely demonstrated without breaking the system is tricky.
- The project is divided into phases with clear goals to track progress. Team members focus on different areas like the backend, frontend, database, and testing to make sure the project moves forward smoothly.
4. Penetration Testing Techniques Used
- Penetration testing techniques being used include SQL injection, XSS, CSRF, brute-force attacks, and testing weak password hashing.
- We are using Burp Suite to automate brute-force attacks on the login page and to test other vulnerabilities like SQL injection.
- These techniques help reveal problems with how the app handles user inputs. For example, SQL injection shows that the app doesn’t properly validate inputs, while the absence of CSRF tokens and weak password storage are also significant issues.
5. Findings and Results
- The biggest vulnerabilities found so far are SQL injection, which lets attackers read data they should not see; XSS, which lets attackers inject malicious scripts into pages served to other users; and CSRF, which lets attackers perform actions on behalf of legitimate, logged-in users.
- For example, an SQL injection attack on the login page allowed access to user data by entering a specially crafted string, bypassing authentication.
- If these vulnerabilities were left unpatched, attackers could gain unauthorized access to sensitive data, make transactions, or take over user accounts. This could lead to data breaches, loss of customer trust, and legal issues.
6. Fixes and Improvements
- To fix these issues, we are using practices like validating all inputs, securely hashing passwords with bcrypt, enforcing HTTPS, limiting login attempts to prevent brute-force attacks, and improving session management.
- Technologies like bcrypt for password hashing, Flask’s secure session management, and the addition of CSRF tokens are key improvements that are making the app more secure.
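To make the login finding in section 5 and the fixes in section 6 concrete, here is an added example (not the project's own code) contrasting the vulnerable login query with the hardened one. It assumes an in-memory sqlite3 database as a stand-in for MySQL and hashlib.scrypt as a stand-in for bcrypt, so it runs with the standard library only; the table names, the user and the crafted input are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: scrypt from the standard library (salted, memory-hard)
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def setup_db() -> sqlite3.Connection:
    """Constructed fixture: one user stored both the old way and the fixed way."""
    conn = sqlite3.connect(":memory:")
    # Vulnerable schema: plaintext passwords (the weak storage finding)
    conn.execute("CREATE TABLE users_v1 (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users_v1 VALUES (?, ?)", ("alice", "correct horse"))
    # Fixed schema: per-user salt and hash only, never the password itself
    conn.execute("CREATE TABLE users_v2 (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users_v2 VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    # Bug: user input is spliced into the SQL text, so a quote in the username
    # rewrites the WHERE clause; the password is also compared in plaintext.
    query = (f"SELECT username FROM users_v1 "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_secure(conn, username: str, password: str) -> bool:
    # Fix 1: parameterised query, so the driver never treats the value as SQL.
    row = conn.execute("SELECT salt, pw_hash FROM users_v2 WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Fix 2: compare a salted hash in constant time instead of a stored plaintext.
    return hmac.compare_digest(hash_password(password, salt), stored)

def demo() -> dict:
    conn = setup_db()
    crafted = "alice' --"  # constructed test input: comments out the password check
    return {"vuln_bypass": login_vulnerable(conn, crafted, "wrong"),
            "fixed_bypass": login_secure(conn, crafted, "wrong"),
            "fixed_valid": login_secure(conn, "alice", "correct horse")}
```

Running demo() shows the crafted username logging in against the vulnerable query while the parameterised version rejects it and still accepts the real password.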
7. Lessons Learned
- This project is teaching me practical skills in penetration testing, securing web applications, and the importance of building security into every part of an app from the beginning.
- It has also made me realize how easy it is for real-world applications to be hacked if security isn’t prioritized from the start. Even simple oversights can open the door for attacks.
8. Conclusion
- The main takeaway from this project is that building secure applications from the start is essential. By following secure coding practices and continuously testing for vulnerabilities, we can protect user data.
- This experience will be invaluable in my future career, especially if I choose to pursue a role in cybersecurity. It provides hands-on experience with testing and securing web applications, which is directly applicable to real-world scenarios.
- I plan to continue learning about advanced security techniques and tools, particularly in the areas of secure software development.
9. Call to Action
- I encourage others to start by learning about basic vulnerabilities and practicing hands-on exercises to secure their own web applications. Platforms like OWASP offer great resources for this.
- I recommend checking out OWASP for comprehensive guides on vulnerabilities, Burp Suite for penetration testing practice, and Hack The Box for real-world security challenges to test your skills.
This post helped me clarify my takeaways thus far from the assignment and has prepared me for the next steps to come. I hope you enjoyed reading and learning a bit about the project!
Thanks for reading my blog post #3!
-Scott Lindsay