Web Security On Banking And Account Information Payroll System Using Virtual Machine Essay.

Setting Up

Download the virtual machine for this project via one of the following links:

Download Link:

https://drive.google.com/file/d/1OdS8GNsf7dsbBxsClFbep0UF-UkPuwBG/view?usp=sharing  

You are provided with both root and regular user access to this virtual machine. The credentials are:

You should only use the user account to complete the project. root is provided for your convenience in case you need to install extra software or packages.

After logging in with the above credentials type startx to launch the GUI desktop. VirtualBox guest additions have been pre-installed on the VM. If you wish to install more packages, you may do so by running apt-get as root.

The site we will be exploiting in this project is http://payroll.gatech.edu, which you can only visit on the VM. Please note that this is a made-up site and does not point to a legitimate site in the real world. For testing purposes, you may register accounts at your will. However, please DO NOT use your actual passwords and banking account information.

The source code of the site can be found on the VM in /var/payroll/www. There is a bookmark added to the file manager to make your job a bit easier. We will be using Firefox (Iceweasel), which is provided in the VM, to test your exploits. You may also assume JavaScript is always enabled. Do not update your browser version or use something else such as Chrome since we will grade your scripts using the exact same VM that you have downloaded using Firefox (Iceweasel).

You have stumbled upon the Georgia Tech payroll website and discovered a vulnerability. Suppose a user, say Alice, is already logged into the Georgia Tech payroll site. You noticed that you can craft a web page so that when Alice visits your web page, she gets redirected (NO popups) to the Georgia Tech payroll page with her account number and routing number set to some values of your choice.

Poor and living off of ramen noodles, you decide to give it a try and craft a web page to set the banking information to yours.

You forgot your bank account information, but luckily, you remember storing them inside a secret script you wrote a long time ago.

To fetch your bank account number and routing number, run the get_bank_info script inside the VM and pass in your Georgia Tech username (e.g. jdoe3).

You got caught! The good news is that Georgia Tech InfoSec is curious if you can find another vulnerability that is more severe. They will let you off the hook if you help them out. You noticed that you are able to steal a user’s username and password. You can craft a web page such that whenever a victim, say Bob, visits the page, it will redirect him (NO popups) to http://payroll.gatech.edu/

The web page should look as if Bob visited the site directly. When Bob enters is login information into the page and clicks Log In, an email with his username and password will be sent. Georgia Tech administrators would like you to demonstrate the attack and pay you accordingly. You will have to send the email to the local user account on the virtual machine as a proof of concept.

• The attack must be performed using XSS. Providing a phishing web page will result in 0 points. The browser URL bar should contain the domain gatech.eduand not a phishing URL.
• The email payload should be the user’s username (login) and password separated by a single space. i.e. username password<- notice the space!
  • The sender of the email should be set to RmFsbDIwMThUYXJnZXQyRWFzdGVyRWdn
  • Failure to follow this format will result in 0 points for this part.
• The redirected page must be cosmetically identicalto the original page. The web page source can be different as long as the user cannot tell without looking at the source. This may take some trial and error. This part can be difficult! Use the developer tools to help you.

H4x0r0rg has heard about your feat in making tons of money from Georgia Tech by changing other people’s payroll account. They contacted you and gave you a job, a job with a hefty sum you cannot resist. Your task is to create an HTML webpage, and the requirements are:

• The crafted page has a text field for the username and a submit button.
• The user of this page is not logged into Georgia Tech payroll system, but when he or she enters a valid Georgia Tech payroll registered username (for example, judyhopps) and clicks submit, the user is redirected to http://payroll.gatech.edu/account.phpand logged in as judyhopps.
• Do NOT execute destructive SQL commands such as DROP tables. System administrators can easily detect data loss!
• The id of the input field must be set to targetlogin, and the button id must be exploit. This is very important as the autograder specifically looks for these elements. Failure to include them will result in a zerofor this target.  Example:

Web security is very essential factor, for every individual or an organization. Especially, for the banks. Because, the lack of web security allows various vulnerabilities and threats for the respective system from the attackers, which could be dangerous. For instance, leakage of sensitive data. Thus, it is essential to secure the computer, internet connection and web browser. The encryption method can be used to safeguard the sensitive information. The accounting information system can be used for the collecting of data processing and they are stored in the data that are used by the decision makers. An accounting information system is generally used for computer based method for the hacking account activity of the information technology.

The main objective of this project is to develop the web security on banking and account information payroll system using virtual machine. The login to the virtual machine to enter the root name and password information. The software can install it and put and enter the command on startx, after loading on the payroll webpage and can processing of the each steps. They can use for the three targets likewise, XSRF, XSS Username and password Theft, SQL injection, which will be investigated.

The cross-site request forgery (XSRF or CSRF) refers to a method used to attack the website, where the intruder impersonates as one of the legitimate and a trusted user. The XSRF used for the malicious exploit of a website unauthorized commands are transmitted from a user they can access of the web application they can specified the target state changing request and to identify vulnerability. The Georgia tech payroll system the user can enter the user name and password to login on the site, if the user can already login on the system of Georgia payroll web pages the Alice once visit the webpage and find the redirection of Georgia payroll system with the account number and routing number is displayed on the Username of the system.  

Open the website URL on https://payroll.gtech.edu is only visiting on the Web Pages using oracle virtual machine. The payroll accounting information they can fetch the all information of the website

The XSRF attack is occurs on the malicious website on payroll information systems that are includes email id, account id or program causes. The user can access to the website can be performed on the unwanted action on a trusted site of which user can login to the currently authenticated.

The XSRF is attacked to the web site using logged on the victims browser to sending the forged  html request , that are including  the accounting session and any automatically includes and provides the authentication  information to the user, it can access to a vulnerable  web application.

The user can login to the website of the link will be sending to attackers to the accounting session when the user can  enter the username and Account ID once login to the site and user can  click  on the URL link and once logging to the original website,  the data will be stolen from  the web site.

Interacting with the VM

The user can use the vulnerability as the attackers once can changing to the user profile information., and changing the account status, the attackers can creating the a new user or admin behalf, etc.

There are using the vulnerable objects like,

• User profile pages
• User accounting pages
• Transaction page

The user can log into the accounting website using the valid credentials. Once user can login on the site and sending the verification authenticate mail form the attackers can saying the user “Please click the valid login”

 https://payroll.gatech.edu/account.php"

When the account can be click on it, a valid request will be creating on the URL link on the particular account details.

The security misconfiguration that can used for the hacking on the website can  used the unauthorized  person.

Vulnerability objects are,

• URL
• Form fields,
• Input fields,
• Example,

The application server admin console is automatically installed and not removed. Default account is not changed.  The user can login to the accounting page and the attackers can log in with and set the default password and can use the unauthorized access.

In our case we have using the PHP session it can be kept active by making the request site using the session value in the request, and without the web application of the logout session. The wit outing session value request let us assume assigning the new values of the request URL. Depending on the web application it can used for many it will discussing on the two requests as two different users without the login Id. This means if you were to use payroll banking information and the accounting form the same device (even sharing the same IP and user login Id) the web application could believe its two different users. Also depending on the web site application, you may be able to switch between the user can generate the Account number and routing number as long as they are both still active on correct or wrong on the web service.

Source code is attached here.

The order to run malicious JavaScript code in a victim's browser, an attacker must first find a way to inject a payload into a web page that the victim visits. ... In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages.

The vulnerability objects are, 

• Login page,
• Mailing page,
• URL link page.

Sending mail to request on local host php page,

We can use for the URL link https://hackmail.org/sendmail.php on the website .The user can send the mail to the local user account and send to the request on the local host web security on the same page.

Source code is attached here.

The php vulnerability, which can used of the mail hacking request on the local host

1. Identify objective of key security,
2. Create an overview of the application by itemising the important characteristics of that application.
3. Application to identify the features and modules that have a security impact, and that need to be evaluated.
4. Identify the all threats.
5. User can send the request on the all-mail it will be hacking.

User can browser and send the request on mail to the input of the server, and it will stored the all data processing in php vulnerability. In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query. In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement.

The vulnerable objects includes,

• Application database,
• Login page,
• URL link page
• Data storage page.

Hacking on the email commands targets, 

Source code is attached here.

Conclusion

From this report, the importance of web security is understood, especially, for the banks. As, the lack of web security allows various vulnerabilities and threats for the respective system from the attackers, which could be dangerous. For instance, leakage of sensitive data. Thus, it is essential to secure the computer, internet connection and web browser.It is observed that encryption helps to secure sensitive data. The research of this project is to develop the web security on banking and account information payroll system using virtual machine, which is completed successfully. The Oracle virtual machine installation is completed in this report, which uses the three targets like, XSRF, XSS Username and password Theft and the SQL injection that are completed.

References

Covaleski, John, Hacking (Reference Point Press, 2013)

McClure, Stuart, Joel Scambray and George Kurtz, Hacking Exposed (McGraw-Hill/Osborne, 2012)