- Our idea is to create our own payment gateway (at least simulate it b/c we won't actually be connecting to a bank). We are first implementing a simple proof of concept in which we do the CRUD (create, read, update, delete) operations of a credit card and store it all in our database. This is not PCI compliant. We will write security tests to exploit our system and find all vulnerabilities. Then we will implement a secure system that is PCI compliant and we will follow a token + nonce authentication scheme.
- We are going to be using an ASP.NET project for the API backend, an ASP.NET project for the fronend, and MySQL for the database. We will only be making the add card page with style. The rest of the pages will be at their default CRUD look generated by ASP.NET razor pages.
- contains documents about our cybersecurity research
- Burp Suite brute force attack
- Cluster Bomb: for 2+ params (payloads)
- Sniper: for 1 param (payload)
- Gobuster Commands
gobuster dir -u http://localhost:3000/ -w words.txt -x php,txt,html
gobuster dir -u http://localhost:3000/index -w words.txt -x php,txt,html
gobuster dir -u http://localhost:3000/error -w words.txt -x php,txt,html
- Juice Shop SQL injection tests
- The website's login functionality does not parameterize the SQL query, so the email and password are directly inserted into the query. As a result, I am able to manipulate the query to login as Jim by knowing his email but not his password. I do this by inputting his email, followed by a ' to close the query and -- to comment out the rest of the query, including the part that checks if the password is correct. By typing anything into the password field (since it also checks if the field is empty), I can log in and access Jim's account.
- Example XSS on Juice Shop
- Testing
- CrudSite
- create, read, update, delete pages on SQLServer
- Sessions
- uses sessions to manage current user state and authorization
- TransactionApp
- test site that interacts with BitPay payment gateway
- API
- made w/VStudio
- The Api works as the middleman , for the users to access the database through http requests that are called using the web application.
- The Api listens for the requests are provides a services response object, to indicate sucess/failure, and to return any requested or necessary data
- Api is provided parameteres to the SQL commands, so as to avoid SQL injections
- Additionally, the web application checks the formatting of the values that will be going into the sql command.
- HTTP requests that require user input are provided as a json body, and ids of the card are provided in the url.
- When a card is initially entered into the database, sha256 is used to create a unique string identifier for the card.
- The identifiers is made up of the credentials of the card.
- The database is using MYSQL and amazon's RDS feature to access it over the web.
- webApp
- made w/VSCode
- Over the course of this term I learned to use ASP.NET and Docker. I created an ASP.NET website that accepts form input for a user’s credit card information. This information is then validated to ensure that all fields contain valid information. For the card number specifically, I used the Luhn checksum algorithm to verify that the card number is valid. If the data is valid, then it is then sent to Jonathan’s API via a post request where it is stored in the database.
- I also utilized Docker to run my ASP.NET website inside a docker container. By creating an image of this container, my website can then be run. Doing this had the benefit of increasing the performance and portability of my website, as well as isolating it from other applications. Finally, I also researched a handful of cybersecurity aspects.I learned about the prevention of SQL injections and Cross Site Scripting (XSS). I was able to learn about these flaws in a more hands on way by using the OWASP Juice Shop website. In addition, I also learned about these by participating in a few tasks for the Advent of Cyber challenge on the website TryHackMe. Through this website, I also learned about the TCP/IP's three-way-handshake and how the Nmap tool can be used for penetration testing against a server to scan for active IPs and ports on a network and then analyzing IP packets for information about them.
- SQL Injections
- I learned about SQL injections through tasks on the TryHackMe website and then tested it on the OWASP Juice Shop website to log in to another person’s account on the website, by commenting out the part of the query that verifies the password.
- Cross Site Scripting (XSS)
- Like with SQL injections, I learned about Cross Site Scripting through tasks on the TryHackMe website and then tested it on the OWASP Juice Shop website to embed my own scripts into the website, including an iframe that played a song.
- Nmap:
- I also learned about the TCP/IP's three-way-handshake and how the Nmap tool can be used for penetration testing against a server to scan for active IPs and ports on a network and then analyzing IP packets for information about them.
- Go Buster:
- Gobuster was used to attempt to access pages in our website that were lazily kept as accessible to users, including possibly valuable information that users should not be able to see.
- Running gobuster required a large txt file for common pagenames that are often used to store valuable information during development
- Running the gobuster provided some files, but we made an effor to limit the amount of accessible pages to users.
- WFuzz:
- WFuzz is similart to go-buster, in that the hacker provides a text file, but it also allows hackers to attept various credential combinations for loging in as another user or admin.
- We did not test this functionality with our web application, since we did not have a login feature in our application
- OWasp Zap:
- This program provides a thoruogh trial on the webpage that is being attacked, but it is used more often by the developers as a way to get warning signs of the vulnerabilities of their page.
- The scan using Owasp showed various alerts that we were not aware of, and further learning could be done.
- Priviledge escalation:
- This test is used to check if the priviledges on a user can be exploited to gain additional priviledges, by traversing the priviledges of users in the same level as you, or as moving up the rung of privlidges by getting admin privilidges,
- We were able to use priviledge escelation on a challenge found online, but there was no concrete method to use this in our system.
- PaymentGateway
- simple test of jwt token and nonce for mimicking Braintree payment gateway
- ExpressTest
- simple express app to get and authenticate jwt token
- documentation for setting up Kubernetes on AWS EKS
- Bootstrap Studio and Adobe XD design of add card page
- saved captures of MySQL traffic
Extra Stuff
- git clone https://github.com/EnableSecurity/wafw00f.git
- cd wafw00f
- python setup.py install
- cd wafw00f/bin
- python wafw00f example.com
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent