Open source software has been and is contributing significantly to the development of modern technology, with advantages of transparency, flexibility and a large support community. However,
OVERVIEW OF THE TOPIC
1.1 Information about the topic
1.1.1 Introduction to the topic and reasons for choosing it
This article highlights the identification and explanation of prevalent security vulnerabilities from the OWASP list, such as SQL Injection, Cross-Site Scripting (XSS), Path Traversal, Broken Access Control, Misconfiguration, Cryptographic Failures, and Authentication Failures. These vulnerabilities are commonly exploited by attackers to gain unauthorized access or steal sensitive information from web systems, posing significant risks to user security and privacy.
I selected this topic to examine common vulnerabilities that significantly affect all web systems, as both large and small businesses remain vulnerable to attacks without proper security measures. Gaining insight into the mechanisms of these vulnerabilities and their prevention is essential for building a strong knowledge base in web application security, ultimately enabling the development of safer products in the future.
1.1.2 Objectives, meaning and subjects of the topic
- Raise awareness of three common security vulnerabilities and their exploitation mechanisms.
- Analyze in depth how these vulnerabilities arise in real environments.
- Provide prevention methods for each vulnerability, helping to develop more secure systems.
- Build a website that simulates vulnerabilities to provide a realistic environment for developers and security researchers to learn and practice.
Enhancing public awareness of information security is crucial for safeguarding systems against external threats. By educating developers on vulnerabilities and prevention strategies, we can significantly reduce attacks, better protect user information, and lower security risks for businesses.
1.2 Technologies used in the topic
Oracle VM VirtualBox is an open-source virtualization software that enables users to create and manage virtual machines on personal computers, facilitating the simultaneous operation of multiple operating systems on a single physical machine. This tool is particularly useful for establishing an isolated testing environment for website deployment, allowing for the assessment of OWASP security vulnerabilities and the analysis of application performance without impacting the live production environment.
VirtualBox enables users to establish isolated virtual environments on their computers, facilitating secure website deployment and testing without impacting the primary system. It allows for the setup and evaluation of various configurations, easy reinitialization of the environment, and efficient detection of vulnerabilities, all while safeguarding the integrity of the actual system.
Burp Suite is an essential tool for web application security testing, particularly effective in identifying OWASP vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and authentication flaws. With its comprehensive features, including proxies and automated and manual scanning, Burp Suite enables users to test, exploit, and remediate security vulnerabilities efficiently.
Burp Suite is a crucial tool for identifying and testing website security vulnerabilities, functioning as a proxy to monitor and alter HTTP requests and responses between the browser and server. With its automatic vulnerability detection feature, Burp Suite enables users to discover and exploit security issues like XSS and SQL Injection, ultimately enhancing the security of web applications.
JavaScript is a client-side programming language that enables dynamic interaction and content modification on web pages. It facilitates essential functions such as data validation, content updates, event handling, and user interaction, enhancing the overall user experience.
JavaScript enhances web pages by making them interactive and dynamic, enabling the addition of effects, content changes based on user behavior, input validation, and seamless interaction with APIs for data exchange between the client and server.
Concept: Bootstrap 5 is a popular and powerful CSS framework, used to build responsive and mobile-friendly web interfaces.
This toolkit offers an array of tools and CSS classes designed for the rapid and effortless creation of web interfaces. It includes pre-designed interface components such as buttons, forms, tables, and navigation bars, ensuring compatibility across multiple devices and browsers.
Bootstrap 5 uses a flexible grid system (flexbox) to lay out and arrange elements on the page. It also provides CSS classes and JavaScript components to implement effects, interactions, and custom features.
With Bootstrap 5, we can quickly build professional web interfaces that are compatible with many devices, saving time in the development process.
Concept: Node.js is a server-side JavaScript runtime environment that allows JavaScript code to be executed not only in the browser but also on the server. Node.js uses JavaScript to build web applications and server-side applications.
Uses: The main use of Node.js is to build server-side web applications.
Node.js enables the development of dynamic web applications, real-time applications, and APIs, along with various network applications. Its asynchronous processing model allows for the simultaneous handling of multiple requests, ensuring optimal application performance without delays.
Node.js enables developers to leverage a vast array of libraries and modules from the JavaScript community via npm (Node Package Manager), facilitating the reuse of open-source code and accelerating the application development process.
EJS is a powerful template language for Node.js that enables the creation of dynamic HTML templates by embedding JavaScript code directly into HTML. This approach facilitates the separation of logic and interface in web applications, making it easier to manage and reuse web page components effectively.
EJS is primarily utilized to separate logic from the interface in web applications, enabling the creation of reusable and manageable HTML templates. By allowing JavaScript code to be embedded within HTML, EJS facilitates the generation of dynamic content, including repeating elements, conditional displays, and data charts. It also enables the passing of server data into HTML templates, where JavaScript expressions can manipulate that data during rendering, resulting in interactive and dynamic web pages.
Express is a robust and versatile Node.js web application framework that streamlines the development of server-side web applications. It offers essential tools and features for quickly and efficiently handling HTTP requests, managing routing, and utilizing middleware. Additionally, Express simplifies the creation of APIs, making it an ideal choice for developers seeking to build dynamic web applications with ease.
Uses: Handles HTTP requests, manages routing, handles middleware, and creates APIs. With Express, you can build dynamic web applications, real-time applications, and RESTful APIs.
Express helps create routes that determine how requests from the client side are handled, and middleware that performs intermediate processing functions.
PROJECT SYSTEM STRUCTURE AND ANALYSIS
2.1 Project structure
This folder contains files and code related to the website's administrative interface. Files here often include data management pages, administrator account configuration, or admin-specific features.
This folder stores essential static resources, including CSS, JavaScript, images, and other interface support files, effectively separating them from the source code. This organization not only simplifies management but also enhances page loading speed.
This folder houses controller files within the MVC (Model-View-Controller) framework, serving as the intermediary between the model and the view. The controller plays a crucial role in processing user requests, managing data, and delivering the appropriate responses back to the user.
This directory can store database connection configuration files or files related to database initialization and management. It also contains schema files, models, and SQL commands for data management.
This directory contains routing files, which define URLs and map them to their respective controllers. This is what determines which controller a user will access when using different URLs.
This folder houses user interface files, including HTML documents and template engines like EJS and Pug. These views are rendered and delivered to the user's browser following data retrieval from the controller.
This file holds crucial environment variables, including sensitive data like database connection details, API keys, and configurations that must remain confidential. Typically, this information is excluded from source control systems by listing the file in .gitignore.
The .gitignore file specifies files and directories to be excluded from the Git source control system, preventing the inclusion of sensitive or unnecessary files, such as node_modules and .env, in the repository.
The main file of the application is crucial for initializing and configuring the server. It includes essential settings for middleware, router configurations, database connections, and other key components necessary for the server's functionality.
This file defines information about the project such as its name, version, and list of dependencies. package.json makes it easy to manage and install libraries.
This file locks a specific version of dependent libraries, ensuring that the project always uses the correct version of the libraries to avoid errors caused by version changes.
2.2 Project implementation
Figure 2.2.1 Use-case diagram
a. General description
This use-case diagram describes the system that allows the Client and Admin to perform different operations, along with the Attacker's ability to exploit vulnerabilities in the system.
- Client: A regular user of the system who can register, log in and perform functions related to viewing and placing orders.
- Admin (Administrator): System administrator, with special rights to delete or edit content such as users or comments.
- Attacker: Someone who tries to exploit security holes in the system to infiltrate it and cause harm.
- signup (Sign up): Create a new account.
- login: Log in to the system.
- logout: Log out of the system.
- search for food (Search for food): Search for food.
- view food detail (View food detail): View detailed information about the food.
- view comments (View comments): View comments about the dish.
- post comments (Post comments): Post comments about the dish.
- add to cart (Add to cart): Add the item to the cart.
- view cart (View cart): View the dishes added to the cart.
- edit cart (Edit cart): Edit the cart.
- checkout (Payment): Pay for the items in the cart.
- view order (View order): View order details.
- edit order: Edit the order if needed.
- delete user: Delete a user account.
- view comments (View comments): View comments about the dish.
- delete comments: Delete inappropriate comments.
- view order (View order): View orders.
- edit order (Update order): Update orders.
- find vulnerabilities: Try to find security vulnerabilities in the system.
- exploit vulnerabilities: Exploit vulnerabilities to penetrate the system.
b. Relationship between use-cases
1. Relationship between Client use-cases
- logout: Log out of the system after use.
+ add to cart (Extended from view food detail): Users can add food to the cart when viewing food details.
+ post comments (Extended from view food detail): Users can post comments about the dish.
+ view comments (Extended from view food detail): Users can view other people's comments about the dish.
+ search for food (Extended from login): Users can search for food after logging in.
+ view cart (Extended from login): Users can view the cart after logging in.
+ checkout (Extended from view cart): When viewing the cart, users can make a payment.
+ view order (Extended from login): Users can view their orders after logging in.
+ edit order (Extended from view order): When viewing an order, users can edit the order if needed.
+ view comments (Extended from login): Users can view comments related to the dish after logging in.
+ edit cart (Extended from view cart): When viewing the cart, users can edit their cart.
2. Relationship between Admin use-cases
- login: Users need to log in to use the main functions of the system.
- logout: Log out of the system after use.
- delete user: Administrators can delete user accounts.
- delete comments: Administrators can delete inappropriate comments.
+ search (Extended from login): To search for users, the Admin needs to log in to the system.
+ delete user (Extended from login): After logging in, the Admin can delete a user account if needed.
+ view comments: The Admin can view comments about the dish after logging in.
+ view order (View orders): The Admin can view orders when logged in.
+ edit order (Update order): Extended from view order.
+ delete comments: Extended from view comments.
3. Relationship between Attacker use-cases
- find vulnerabilities: Attacker tries to find security holes in the system.
- exploit vulnerabilities (Included in find vulnerabilities): Attackers need to find vulnerabilities in the system before they can exploit them.
The database has 7 main tables: user_table, food, type_of_food, cart, general_info_order, order_detail, and comment.
user_table: contains user-related information
Contains user information with main fields such as IDUser (primary key), User_name, Mail, Phone, Pass, and role.
IDUser is used as a foreign key in other tables to link to user information.
Figure 2.2.2 User_table
food: contains information about the dish
Stores information about dishes, with fields such as IDFood (primary key), Food (dish name), Price, Amount, TypeID (foreign key), img_src (image link), and info_Detail.
TypeID links to IDType in the type_of_food table to identify the type of food.
Figure 2.2.3 Food
cart: contains customers' shopping cart information
The shopping cart table stores essential information such as STT, UserID (foreign key), IDFood (foreign key), Amount, Price, and Total. The UserID connects to IDUser in user_table, allowing for the identification of the user associated with each shopping cart.
IDFood links to IDFood in the food table to identify the food added to the cart.
Figure 2.2.4 Cart
type_of_food: contains food types
Contains dish type information with fields: IDType (primary key) and Type (type name).
IDType is linked to TypeID in the food table to categorize dishes.
Figure 2.2.5 Type of food
general_info_order: stores general information about the invoice, such as buyer, location and time
Contains general information about the order with the fields IDOrder (primary key), IDUser (foreign key), Address, Date, and Payment.
IDUser links to IDUser in user_table to identify the user who created the order.
Figure 2.2.6 general_info_order
order_detail: invoice details
Stores order details with the fields STT, IDOrder (foreign key), IDFood (foreign key), Amount, Price, and status.
IDOrder links to IDOrder in general_info_order table to identify order. IDFood links to IDFood in the food table to identify the food item in the order.
Figure 2.2.7 order_detail
comment: saves reviews of dishes
Stores user comments with the fields idBL (primary key), IDUser (foreign key), IDFood (foreign key), Date, and Comment.
IDUser links to IDUser in user_table to identify the user who commented. IDFood links to IDFood in the food table to identify the dish being commented on.
Figure 2.2.8 comment
Relationships between tables
The user_table is interconnected with cart, comment, and general_info_order through IDUser. Additionally, food is related to cart, comment, and order_detail via IDFood. The type_of_food table is associated with food using IDType, while general_info_order connects to order_detail through IDOrder.
IMAGES AND PROJECT ACHIEVEMENTS
3.1 Website images
The login and registration interface provides a seamless experience for users, enabling those with existing accounts to log in easily while allowing new users to create an account effortlessly.
Figure 3.1.2 Registration interface
When successfully logged in, the user is greeted with the home page interface with necessary functions such as viewing the menu, viewing the
The introduction interface will display information about the website.
The menu interface presents a comprehensive display of all available food options, organized by category, and includes a search feature for users to easily find specific items on the menu.
Figure 3.1.5 Menu interface
When encountering any problems while using the website, users can contact the phone number provided in the contact section.
The dish description interface showcases essential details including the dish name, type, price, and a comprehensive description. It also enables users to view reviews from other customers and provides the functionality to add dishes to their shopping cart.
Figure 3.1.7 Food description interface
item, and allowing payment of all items in the cart at once.
Figure 3.1.8 Shopping cart and payment interface for multiple dishes
Upon logging in with administrative privileges, users will encounter a fundamental interface that displays both functional and non-functional features, designed to simulate potential vulnerabilities for future analysis.
3.2 Vulnerabilities added to the site
3.2.1 Broken Access Control and Misconfiguration
Broken access control is a critical security vulnerability that arises when a system fails to enforce proper user authorization, allowing unauthorized access to restricted areas. For instance, if access controls are not rigorously applied, a regular user might gain entry to the administrator section, posing significant risks to the system's integrity and security.
Misconfiguration refers to errors arising from incorrect settings in applications or systems, which can lead to serious security vulnerabilities. For instance, an improperly configured server may inadvertently expose sensitive data or permit unauthorized external access.
The /api-docs/ endpoint in this project is vulnerable due to the lack of an authentication mechanism, resulting in Broken Access Control and Misconfiguration errors. This oversight allows unauthorized users to access and comprehend the project's API documentation, highlighting the necessity for stringent protection and authorization measures for such critical endpoints.
Authentication failures happen when a system cannot accurately verify a user's identity, often due to inadequate password management, weak security questions, or the failure to lock accounts after several unsuccessful login attempts.
When logging into the project, a cookie named user is set.
The cookie is encoded in base64 twice; upon decoding it, we find a JSON object that includes various fields, one of which specifies the role.
If you change the role from member to admin and re-encode it, you can access pages that only admins are meant to access.
SQL Injection is a critical vulnerability that arises when users can input SQL code into application fields without proper validation. If left unchecked, this malicious input can be executed within the database, leading to potential data loss or even full control over the database.
The project has a SQL Injection vulnerability at the endpoint /api/cake/{id}, where the 'id' parameter is inadequately filtered, allowing potential exploitation to access the database.
When there is no attack payload, the server returns a single result with the IDFood field set to 1. However, when an attack payload is present, the server retrieves all data within the specified table range.
Figure 3.2.6 No attack payload yet
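The behaviour above, where one id returns one row but a crafted id returns the whole table, follows directly from the id becoming part of the SQL text. The following is an added example, not the project's own code, that puts the vulnerable concatenation beside a hardened version: the id is validated as a canonical positive integer and then bound as a query parameter so the SQL text never changes. The table and column names (food, IDFood) are the page's; db is an assumed injected object with a query(sql, params) method, so nothing here connects to a real database.

```javascript
'use strict';

// Vulnerable: whatever arrives in req.params.id is spliced into the statement.
// "1" yields one row; "1 OR 1=1" yields every row, which is the behaviour shown in the figures.
function vulnerableFoodQuery(rawId) {
  return `SELECT * FROM food WHERE IDFood = ${rawId}`;
}

// Step 1 of the fix: accept only a canonical positive integer (no sign, no leading zero,
// no spaces, at most 10 digits). Anything else is rejected before it gets near the database.
function parseFoodId(rawId) {
  if (typeof rawId !== 'string' || !/^[1-9][0-9]{0,9}$/.test(rawId)) return null;
  return Number(rawId);
}

// Step 2 of the fix: keep the SQL text constant and pass the value separately.
// Returns { sql, params } ready for db.query(sql, params); throws a 400-style error on bad input.
function safeFoodQuery(rawId) {
  const id = parseFoodId(rawId);
  if (id === null) {
    const err = new Error('invalid food id');
    err.status = 400;
    throw err;
  }
  return { sql: 'SELECT * FROM food WHERE IDFood = ?', params: [id] };
}

// Express-style handler for GET /api/cake/:id built on the safe version.
// db is an assumed dependency exposing query(sql, params) that returns a promise of rows.
async function getCakeHandler(db, req, res) {
  let q;
  try {
    q = safeFoodQuery(req.params.id);
  } catch (err) {
    return res.status(err.status || 400).json({ error: err.message });
  }
  const rows = await db.query(q.sql, q.params);
  return res.json(rows);
}

module.exports = { vulnerableFoodQuery, parseFoodId, safeFoodQuery, getCakeHandler };
```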
XSS (Cross-Site Scripting) is a security vulnerability that enables attackers to inject harmful JavaScript code into websites visited by users. When users access these compromised sites, the malicious code executes in their browsers, potentially stealing cookies and sensitive information or executing actions on the user's behalf.
In the comment section, inserting script, img, or svg tags leads to XSS vulnerabilities. Because of the Broken Access Control error, the admin is able to view and delete comment data, indicating that the comments are stored in the database and rendered on the admin interface.
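Because the comments are stored and rendered back to every visitor and to the admin, the control is output encoding at render time. The following is an added example, not the project's own code: an HTML escaper applied to each untrusted field (the same effect EJS's <%= %> has and <%- %> does not), a vulnerable renderer beside the hardened one, and a small detection helper for reviewing rows already in the comment table. The sample rows are constructed; User_name is assumed to come from a join with user_table.

```javascript
'use strict';

// The five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: markup in untrusted text becomes inert literal characters.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable render: the stored comment is spliced into the page verbatim (what <%- %> would do).
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li>${c.User_name}: ${c.Comment}</li>`).join('\n');
}

// Hardened render: every untrusted field goes through escapeHtml before concatenation.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<li>${escapeHtml(c.User_name)}: ${escapeHtml(c.Comment)}</li>`)
    .join('\n');
}

// Detection helper for the admin side: flags stored comments that contain a tag-like sequence,
// so rows written before the fix can be reviewed. Not a substitute for escaping on output.
function containsMarkup(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(String(text));
}

// Constructed sample rows, shaped like the comment table (idBL, Comment) joined with user_table.
const SAMPLE_COMMENTS = [
  { idBL: 1, User_name: 'alice', Comment: 'Great pho!' },
  { idBL: 2, User_name: 'mallory', Comment: '<script>alert(1)</script>' },
  { idBL: 3, User_name: 'trent <b>', Comment: '<img src=x onerror=alert(1)>' },
];

module.exports = { escapeHtml, renderCommentsUnsafe, renderCommentsSafe, containsMarkup, SAMPLE_COMMENTS };
```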
Path Traversal is a security vulnerability that enables attackers to gain access to files beyond the web root directory. By using special sequences like "../", attackers can move up through directories to reach system files that should be restricted from user access.
This error occurs when displaying images in the menu. Viewing the page source, we see that the image source is: http://192.168.30.138:3000/assets/imgs?filename=assets/imgs/gallary-8.jpg
When we replace assets/imgs/gallary-8.jpg with ../../../../etc/passwd, we see the entire content of the server's /etc/passwd file.
Cryptographic Failures: Cryptographic failures occur when sensitive data is not encrypted or is encrypted incorrectly. This can allow the data to be easily decrypted or stolen during transmission or storage.
In this project it occurs because the cookie is only base64-encoded and the user's password is stored in the database without being hashed.
Figure 3.2.12 Encoding cookies with base64
Figure 3.2.13 User passwords stored unencrypted
CONCLUSION AND DEVELOPMENT DIRECTION
Results achieved
Achieved 85 to 90 percent of the requirements.
Unfinished work
The payment function could not be implemented with a real bank API.
Advantages and disadvantages of the topic
The advantage is that it helps to deeply understand how vulnerabilities occur and their impact on the entire system.
The disadvantage is that the set of vulnerabilities covered is quite limited, due to a lack of human resources.
Development direction of the topic
Continue to explore and develop the project by adding more vulnerabilities.