Website Security Research Project

This project involves building a simple web app (faux bank account, or similar), though the app is not the focus. Trying to attack the app in various ways, and hardening the app to prevent these attacks is the focus. The app must have user accounts and authentication, of course. It must have user input, a database, and whatever else is needed to offer a target for attacks.

Objectives


The output from this research project is a GitHub repo with all the code and a how-to write-up for each of the attacks and mitigations. Enough detail should be present so that anyone can reproduce the results. The final demonstration of the project should have different versions of the site running on a server that are vulnerable / not vulnerable to the various attacks, and/or options to turn vulnerabilities on or off. TAs should be able to easily test the various attacks.

Note: You may expand upon an existing vulnerable web app such as these: https://github.com/OWASP/OWASP-VWAD

Stretch Goal: The app will have a database of passwords hashed using different hashing algorithms with various levels of difficulty. The goal is to steal and crack the passwords.

Specific Requirements: 

  1. Perform penetration testing on the infrastructure of the web app for many of the top ten attacks (linked below)
  2. Learn from each attempt at pentesting, and harden the web app accordingly.
  3. Create a writeup for the attack and the solution and add to the GitHub repo how-to.
  4. Repeat 1-3 until done 

Stretch Goals: 

  • Attempt to steal the password hashes and attempt to break the cryptography. The idea is to see how to correctly implement cryptography, and to see which hashing algorithms are broken easily and which are very difficult or impossible to break.
  • Create a writeup for the password cracks and what worked or did not work for prevention, and add it to the GitHub repo how-to.
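To illustrate the "various levels of difficulty" in the stretch goal, here is an added example (not part of the project listing or any project code) that stores the same constructed sample password in three tiers: an unsalted fast hash, a salted fast hash, and a salted, deliberately slow PBKDF2 derivation whose iteration count is the tunable difficulty. The `verify` function re-derives from the stored parameters and compares in constant time; `cost_per_guess` gives a defender a rough estimate of how much each attacker guess costs. All function names and the storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample password, as a toy bank app in this project might store it.
SAMPLE_PASSWORD = "correct horse battery staple"


def hash_md5_unsalted(password: str) -> str:
    """Weakest tier: one fast, unsalted hash. Identical passwords give identical
    digests, so a leaked table can be attacked with precomputed lookups."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_sha256_salted(password: str, salt: bytes = b"") -> str:
    """Middle tier: a random per-user salt defeats precomputed tables, but one
    SHA-256 round is still cheap to compute in bulk."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_pbkdf2(password: str, iterations: int = 600_000, salt: bytes = b"") -> str:
    """Strongest tier here: salted and deliberately slow. Raising the iteration
    count makes every guess proportionally more expensive for an attacker."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive using the parameters embedded in the stored string (assumed
    '$'-separated format) and compare in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha256":
        candidate = hash_sha256_salted(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256":
        candidate = hash_pbkdf2(password, int(parts[1]), bytes.fromhex(parts[2]))
    else:  # bare hex digest: the unsalted MD5 tier
        candidate = hash_md5_unsalted(password)
    return hmac.compare_digest(candidate, stored)


def cost_per_guess(hasher, runs: int = 5) -> float:
    """Average seconds per hash: a defender's estimate of the per-guess cost."""
    start = time.perf_counter()
    for _ in range(runs):
        hasher(SAMPLE_PASSWORD)
    return (time.perf_counter() - start) / runs
```

Running `cost_per_guess` on each of the three hashers shows the gap between the fast tiers and the PBKDF2 tier, which is the difference the password-cracking stretch goal is meant to expose.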

Helpful Links:

  • Scan a website for free: https://geekflare.com/online-scan-website-security-vulnerabilities/ 
  • Top Ten common web attacks: https://www.vpnmentor.com/blog/top-10-common-web-attacks/ 
  • OWASP (includes testing guides): https://www.owasp.org/index.php/Main_Page 
  • Vulnerable Web Apps: https://github.com/OWASP/OWASP-VWAD


Motivations


Website security experts are always in demand. In this project you will learn some of the top attacks and ways to prevent them.

Qualifications


Minimum Qualifications:
None Listed

Preferred Qualifications:
None Listed


Details


Project Partner:

William Pfeil

NDA/IPA:

No Agreement Required

Number Groups:

1

Project Status:

Accepting Applicants

Keywords:
Security, Website