Expectations: This assignment comprises two components: Part A is the design and development of a database-driven website for a gym, and Part B is an evaluation report of 1500 words consisting of reflective commentary on Part A. Both components form one piece of work and will assess all the module learning outcomes.
Rationale: We increasingly trust websites with our personal information. Although this makes our everyday lives more convenient, it also creates more vulnerabilities, because it increases the frequency of hacking attacks and security breaches. These attacks range from serious, large-scale attacks to simple ones, and from simple ones to ridiculous and life-changing incidents. In light of those incidents and vulnerabilities, this assignment will encourage you to apply web application security concepts and identify web application vulnerabilities by analysing web application components such as PHP and MySQL.
Background: The COVID-19 pandemic has changed the reality of life and has directed the young generation, amongst others, to use the Internet more than ever. They view the Internet as a positive aspect of our society and a robust and effective system of communication which plays a crucial role in our daily activities and in the development of identities. On the other hand, the Internet and its uses are also often used negatively. Many people, as well as organisations, are the targets of cyber bullying, resulting in confusion on the part of the "target". Very often, people are unaware that what they are going through is a form of bullying. As a result, the previously safe environment of the Internet is now becoming a source of confusion and anxiety. This rapid development has increased cybersecurity breaches, with one in four businesses detecting a breach during their last few months of operations. The nature of these attacks means that many businesses may not know that their IT systems have been breached or how to handle/avoid these attacks.
ProHunt is a real estate company based in London. The company deals with renting, buying and selling residential and commercial properties in the area. They are committed to providing the highest levels of customer care. The company employs two directors, two receptionists, four office administrators, two consultants, and seven field workers. To be competitive and remain at the cutting edge, ProHunt intends to launch its business online, offering one-stop estate services. This new website aims to offer their customers convenience, more control and speedy signup for their services, avoiding manual administrative tasks. Although the stated aim is to improve customer services, secure customer data and eliminate security risks, it is obvious that it will also help the company save costs and remain financially robust.
Now "ProHunt" has contacted BuildTech (a leading IT company) to carry out a security check of the website to protect their online presence and services. The client will also use the website as a contact tool with its customers.
You have been assigned to carry out a security analysis of your client's website and the backend SQL database attached to it, which contains possible security vulnerabilities; you may make reasonable assumptions in your answer.
The web/application security testing must include the following components:
Task A is worth 60% of the overall module. The marking criteria are outlined below. Set up a fully functional vulnerable web application:
Set up Kali with all the above services enabled on XAMPP. Please provide a step-by-step walkthrough of your implementation, including the setup of your backend SQL database, using screenshots and an appropriate description for each step.
For the web app, use the auto-generated one from Kali.
Perform port scanning of the web application target (Kali) and elaborate on each step, clearly mentioning the details of open ports and their relevance in identifying the running protocol.
Perform data/traffic capture on the target web application (Kali). Please provide a detailed analysis of the captured data (protocols identified at the different TCP/IP layers).
- SQL Injection using SQLMAP
Perform a SQL injection attack on Kali using SQLMAP. Elaborate on the findings of your attack and include the detected database version, database names, compromised data, etc.
Elaborate on the use of the above technologies to strengthen the security of web applications and discuss their integration as effective security mechanisms.
Set up a server-side (PHP) vulnerable web application connected to a backend database (MySQL) for security testing in a local environment, using either XAMPP/WAMP or VirtualBox. Provide step-by-step configuration details of the environment setup (XAMPP/WAMP, VirtualBox, etc.), the web application and the back-end database.
Scanning: You must use a network scanner like Nmap to perform a scan on target web/application and include your findings, open ports, applications, operating systems, etc.
Sniffing: You must demonstrate the use of the Wireshark sniffer to capture web application session data. This will require capturing session data between your browser and the website/server, either remote or local.
Use SQLMAP to identify and exploit the SQL injection vulnerabilities based on the findings from the above steps. You must elaborate on the steps by which the SQL injection vulnerability was exploited.
Design and implement an appropriate web security model for the given scenario by provisioning and utilizing appropriate web security standards/technology.
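As an added illustration for this last step (it is not part of the assignment brief and is not code from ProHunt, BuildTech or any Kali-generated application), the following PHP shows the string-built login query that a SQLMAP test would flag in the kind of XAMPP/MySQL application set up earlier, beside a parameterised version with hashed passwords and session hardening. The database name, account, table and column names, and form field names are assumptions.

```php
<?php
// Added illustration (not part of the assignment brief or any client code):
// a login handler written two ways for a PHP/MySQL stack such as the XAMPP
// setup described above. The DSN, account, table and column names are assumed.
declare(strict_types=1);

$dsn  = 'mysql:host=127.0.0.1;dbname=prohunt;charset=utf8mb4'; // assumed database name
$user = 'prohunt_app';               // assumed least-privilege account (no DDL, no access to other schemas)
$pass = getenv('DB_PASSWORD') ?: ''; // read from the environment rather than hard-coding it

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// BEFORE: the pattern SQLMAP will flag. User input is spliced into the SQL text,
// so the input can change the structure of the statement. Kept only for comparison.
function loginVulnerable(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username' AND password = '$password'";
    $row = $pdo->query($sql)->fetch();
    return $row ?: null;
}

// AFTER: parameterised query plus hashed passwords. The SQL text is fixed at
// prepare time and the values are bound separately, so input never becomes
// part of the statement. Passwords are checked with password_verify() against
// a stored password_hash() value, so the database never holds them in clear.
function loginSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Registration helper matching the safe login: store a hash, never the password.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Session hardening after a successful login: regenerate the session id so an
// id fixed before authentication does not carry over, and set cookie flags so
// the id is not readable by script and is only sent over HTTPS (the Wireshark
// capture step above shows what a session cookie looks like on plain HTTP).
function startAuthenticatedSession(array $userRow): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userRow['id'];
}

// Usage (assumed form field names):
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$user = loginSafe($pdo, $username, $password);
if ($user === null) {
    http_response_code(401);
    echo 'Invalid credentials';
    exit;
}
startAuthenticatedSession($user);
echo 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

Re-running SQLMAP against the parameterised handler is a useful check for the report: the same request that succeeded against the string-built query should produce no injection point, because the bound value can no longer alter the statement. The least-privilege database account limits what any remaining injection elsewhere in the application could reach.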
Part B: Reflection and Evaluation Report
Your second task is to write a self-reflective commentary about your journey from website design and development, through testing, to the deployment of the techniques used.
Having created your website project, you should now write a self-reflective commentary (1500 words) critically reflecting on your project. Your commentary should critically explore the work you have done to produce your project using relevant literature.
Your commentary should show evidence of your reading and research and use Harvard referencing. Your reflection is a chance to look back on what you have done and to revisit the key design and technical decisions you have made. In other words, were they the right decisions, or would you have done something differently? Your focus should primarily be on the critical aspect of what you have done in assignment 1.
Report Structure, Introduction, Critical appraisal and Conclusion/action plan
Critical evaluation and comparison of web server-side technologies
Critically appraise web application security threats and evaluate their impact on business operations.
Future enhancements with the benefit of your experience on the project. What else could have been done to evaluate/identify web application vulnerabilities? Critical discussion of the web application security tools used during the security testing.