VIET NAM – KOREA UNIVERSITY OF INFORMATION AND COMMUNICATION TECHNOLOGY
FACULTY OF COMPUTER AND ELECTRONIC ENGINEERING
REPORT OF 4th IT BASE PROJECT
Da Nang, November 2024
Topic: BUILDING A WEBSITE WITH TOP 10 OWASP VULNERABILITIES
Student: NGUYEN VIET KHANG – 22NS028
Instructor: PhD NGUYEN HUU NHAT MINH
Class: 4th IT Base Project
In the process of studying and learning for the 4th IT Base Project, I realized that network security and web security are indispensable factors when developing and operating online systems. Open source software has been and is contributing significantly to the development of modern technology, with the advantages of transparency, flexibility and a large support community. However, security vulnerabilities can also appear if they are not detected and fixed promptly, especially in the context of website development.

This report is designed to understand how to build a website that contains security vulnerabilities listed in the OWASP Top 10, and to further research how these vulnerabilities can be exploited and how they affect the system. Through this research, I hope to gain a more comprehensive view of security in an open source environment, as well as grasp effective system protection methods.
During the process of implementing and completing this project, I have received very enthusiastic and useful help and guidance from the teachers of the Faculty of Computer and Electronics Engineering, Vietnam - Korea University of Information Technology and Communications. I would like to express my sincere thanks to the teachers who have provided me with valuable knowledge, information, documents and guidance during the project. In particular, I would like to thank Mr Nguyen Huu Nhat Minh, who directly guided me during the implementation of this project.

However, due to limitations in time, knowledge and practical experience, the topic is inevitably flawed. I look forward to receiving sympathy from teachers and welcome comments, assessments and feedback from teachers and students so that I can continue to improve and develop in future research and implementation projects.

Once again, I would like to express my sincere thanks to Mr Nguyen Huu Nhat Minh, who has supported and helped me throughout the process of implementing this project.
INSTRUCTOR COMMENTS
TABLE OF CONTENTS
CHAPTER I  OVERVIEW OF THE TOPIC .......... 2
1.1 Information about the topic .......... 2
1.1.1 Introduce the topic and reasons for choosing the topic .......... 2
1.1.2 Objectives, meaning and subjects of the topic .......... 2
1.1.3 Meaning of the topic .......... 3
1.2 Technologies used in the topic .......... 3
1.2.1 Oracle VM VirtualBox .......... 3
2.2 Project implementation .......... 14
2.2.1 Use case diagram .......... 14
2.2.2 Database .......... 17
CHAPTER III  IMAGES AND PROJECT ACHIEVEMENTS .......... 22
3.1 Website images .......... 22
3.1.1 Normal user side .......... 22
3.1.2 Administrator side .......... 26
3.2 Vulnerabilities that have been added to the site .......... 27
3.2.1 Broken Access Control and Misconfiguration .......... 27
3.2.2 Authentication Failures .......... 28
3.2.3 SQL Injection .......... 29
3.2.4 XSS .......... 30
3.2.5 Path Traversal .......... 31
3.2.6 Cryptographic Failures .......... 32
CHAPTER IV  CONCLUSION AND DEVELOPMENT DIRECTION .......... 33
4.1 Results achieved .......... 33
4.2 Unfinished business .......... 33
4.3 Advantages and disadvantages of the topic .......... 33
4.4 Development direction of the topic .......... 33
REFERENCES .......... 34
LIST OF FIGURES
Figure 1.2.1 VM Virtual Box 3
Figure 1.2.2 BurpSuite 4
Figure 1.2.3 JS 4
Figure 1.2.4 Bootstrap 5 5
Figure 1.2.5 Node.js 6
Figure 1.2.6 EJS 6
Figure 1.2.7 Express 7
Figure 1.2.8 MySQL 8
Figure 1.2.9 Github 9
Figure 1.2.10 Swagger 10
Figure 1.2.11 Vmware player 11
Figure 2.1.1 Project structure 12
Figure 2.2.1 Use-case diagram 14
Figure 2.2.2 User_table 18
Figure 2.2.3 Food 18
Figure 2.2.4 Cart 19
Figure 2.2.5 Type of food 19
Figure 2.2.6 general_info_order 20
Figure 2.2.7 order detail 20
Figure 2.2.8 comments 21
Figure 2.2.9 database 21
Figure 3.1.1 Login interface 22
Figure 3.1.2 Registration interface 22
Figure 3.1.3 Home page interface 23
Figure 3.1.4 Introduction interface 23
Figure 3.1.5 Menu Interface 24
Figure 3.1.6 Contact interface 25
Figure 3.1.7 Food description interface 25
Figure 3.1.8 Shopping cart and payment interface for multiple dishes 26
Figure 3.2.2 Cookies 28
Figure 3.2.3 Decoding 28
Figure 3.2.4 Encoding 28
Figure 3.2.5 Access with admin rights 28
Figure 3.2.6 No attack payload yet 29
Figure 3.2.7 With attack payload 29
Figure 3.2.8 Malicious string insertion 30
Figure 3.2.9 Successful attack 30
Figure 3.2.10 Source path 31
Figure 3.2.11 Changing parameters 31
Figure 3.2.12 Encoding cookies with base64 32
Figure 3.2.13 Do not encrypt user passwords 32
LIST OF ABBREVIATIONS
No.  Abbreviation  Full text
1    HTML          Hypertext Markup Language
2    CSS           Cascading Style Sheets
3    JS            JavaScript
4    EJS           Embedded JavaScript
5    SCSS          Sassy Cascading Style Sheets
6    API           Application Programming Interface
CHAPTER I OVERVIEW OF THE TOPIC
1.1 Information about the topic
1.1.1 Introduce the topic and reasons for choosing the topic
Topic introduction:
This topic focuses on detecting and describing common security vulnerabilities in the OWASP list, including SQL Injection, XSS (Cross-Site Scripting), Path Traversal, Broken Access Control, Misconfiguration, Cryptographic Failures, and Authentication Failures. These are all vulnerabilities that are frequently exploited by hackers to gain control of, or steal sensitive information from, web systems, causing serious consequences for user security and privacy.
Reason for choosing the topic: I chose to study these vulnerabilities because they are very common and have a profound impact on all web systems. Whether large or small, businesses and organizations are still at risk of being attacked if they do not implement appropriate security measures. Moreover, understanding the operating mechanism of these vulnerabilities and how to prevent them gives us a solid foundation of knowledge about web application security and helps us create safer products in the future.
1.1.2 Objectives, meaning and subjects of the topic
Objective of the topic:
- Raise awareness of three common security vulnerabilities and their exploitation mechanisms
- Deeply analyze how these vulnerabilities are implemented in real environments
- Provide prevention methods for each vulnerability, helping to develop more secure systems
- Build a website that simulates vulnerabilities to provide a realistic environment for developers and security researchers to learn and practice
1.1.3 Meaning of the topic
This topic not only helps protect the system from external threats but also contributes to raising public awareness of information security. When developers are clearly aware of vulnerabilities and how to prevent them, they will help minimize attacks, better protect user information and reduce security risks for businesses.
1.2 Technologies used in the topic
1.2.1 Oracle VM VirtualBox
Figure 1.2.1 VM Virtual Box
Concept: Oracle VM VirtualBox is open source virtualization software that allows the creation and management of virtual machines on personal computers. It provides an environment to run multiple operating systems on the same physical machine without the need for direct installation. In this project, VirtualBox helps create an isolated test environment for website deployment, making it easy to test OWASP security vulnerabilities and analyze application performance without affecting the actual production environment.
Uses: VirtualBox helps create a separate virtual environment on the computer, allowing websites to be deployed and tested safely without affecting the main system. You can set up and test many different configurations, easily re-initialize the environment when necessary, and quickly detect vulnerabilities without risking the actual system.
a variety of features, including proxies, automated and manual scanning, and tools to test, exploit, and remediate security vulnerabilities on your website.
Uses: Burp Suite is an important tool for detecting and testing website security vulnerabilities. It acts as a proxy, helping you monitor and modify HTTP requests and responses between the browser and the server. Burp Suite also has an automatic vulnerability detection feature, allowing you to find and exploit security vulnerabilities such as XSS and SQL Injection, helping you improve the security level of your web application.
1.2.3 JS
Figure 1.2.3 JS
Concept: A client-side programming language used to interact with and change content on a web page. JS allows dynamic actions such as validating data, dynamically changing content, handling events, and interacting with users.
Uses: JavaScript is used to make web pages interactive and dynamic. It allows adding effects, changing content based on user behavior, validating input, and interacting with APIs to get and send data from the server.
1.2.4 Bootstrap 5
Figure 1.2.4 Bootstrap 5
Concept: A popular and powerful CSS framework, used to build responsive and mobile-friendly web interfaces.
Uses: Provides a set of tools and CSS classes for building web interfaces quickly and easily. It provides interface components such as buttons, forms, tables, navigation bars, etc. that are pre-designed and compatible across various devices and browsers.
Bootstrap 5 uses a flexible grid system (flexbox) to lay out and arrange elements on the page. It also provides CSS classes and JavaScript components to implement effects, interactions, and custom features.
With Bootstrap 5, we can quickly build professional web interfaces that are compatible with many devices, saving time in the development process.
1.2.5 Node.js
Figure 1.2.5 Node.js
Concept: A server-side JavaScript runtime environment that allows JavaScript code to be executed not only in the browser but also on the server. Node.js uses JavaScript to build web applications and server-side applications.
Uses: The main use of Node.js is to build server-side web applications. With Node.js, you can build dynamic web applications, real-time applications, APIs, and other network applications. Node.js provides asynchronous multithreading capabilities, allowing you to handle multiple requests at the same time without slowing down the application's performance.
Node.js also allows the use of libraries and modules created by the JavaScript community through npm (Node Package Manager). This helps reuse open source code and speeds up the application development process.
1.2.6 EJS
Figure 1.2.6 EJS
Concept: A template language for Node.js. It allows dynamic HTML templates to be created by embedding JavaScript code into HTML. EJS helps separate logic and interface in web applications, allowing for easy reuse and management of web page interface components.
Uses: The main use of EJS is to separate logic and interface in web applications. Using EJS, it is possible to create reusable and easily manageable HTML templates. EJS allows JavaScript code to be inserted into HTML templates to create dynamic, repeating, conditional content and data charts. With EJS, you can pass data from the server into your HTML template and use JavaScript expressions to manipulate that data during rendering. This allows you to create dynamic web pages that interact with data from the server.
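As an added illustration (not code from this report's project or from the ejs package), the following minimal stand-in for two EJS output tags shows how data passed from a route reaches the HTML during rendering, and why user-supplied values such as a food comment should go through the escaped `<%= %>` tag rather than the raw `<%- %>` tag; the comment record is a constructed sample.

```javascript
// Added example, not code from the report's project: a minimal stand-in for two
// EJS output tags, written with Node built-ins only (the real ejs package is
// far more complete). "<%= expr %>" mirrors EJS's HTML-escaped output and
// "<%- expr %>" its raw output; expr is a dot-path into the data object.

function escapeHtml(value) {
  // Neutralize the characters that can open a tag or close an attribute.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, mode, path) => {
    // Resolve "comment.body" to data.comment.body; missing keys render as "".
    const value = path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? "" : String(value);
    return mode === "=" ? escapeHtml(text) : text;
  });
}

// Returns true when no tag from the data survived into the rendered HTML.
function renderedSafely(html) {
  return !/<script|onerror=/i.test(html);
}

// Constructed sample: a food comment as the site's comments table might store it
// (a hypothetical record, not data from the report).
const comment = { user: "khang", body: "<script>alert('xss')</script>" };

// What an Express route does with res.render("comments", { comment }): the view
// decides whether the value is escaped (<%=) or dropped in verbatim (<%-).
const escapedView = render("<li><b><%= comment.user %></b>: <%= comment.body %></li>", { comment });
const rawView = render("<li><b><%- comment.user %></b>: <%- comment.body %></li>", { comment });

console.log(escapedView); // <li><b>khang</b>: &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;</li>
console.log(rawView);     // <li><b>khang</b>: <script>alert('xss')</script></li>
```

The escaped view delivers the comment as visible text, while the raw view hands the browser live markup, which is exactly the difference that decides whether a stored comment becomes an XSS finding.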
1.2.7 Express.js
Figure 1.2.7 Express
Concept: A powerful and flexible Node.js web application framework. It provides tools and features for building server-side web applications quickly and easily. Express allows for handling HTTP requests, managing routing, handling middleware, creating APIs, and much more.
Uses: Handles HTTP requests, manages routing, handles middleware, and creates APIs. With Express, you can build dynamic web applications, real-time applications, and RESTful APIs.
Express helps create routes that determine how requests from the client side are handled, and middleware that performs intermediate processing functions.
1.2.8 MySQL
Figure 1.2.8 MySQL
MySQL is an open source relational database management system that uses the SQL language to manage and query data. It was developed by Oracle and is commonly used in web applications, especially on open source platforms such as Linux.
Uses of MySQL:
- Data management: store, query, and manage information efficiently
- Web application support: commonly used in developing dynamic websites and content management systems
- Big data processing: manage and process large amounts of data with high performance
- Security: provides strong security mechanisms for the database
- High compatibility: works on multiple operating systems and with many programming languages
1.2.9 GitHub
Figure 1.2.9 Github
GitHub is a source code hosting and project management platform for software development. It provides tools and features for developing, managing, and sharing project source code.
GitHub's key features include:
- Source code hosting: GitHub allows you to create repositories to store your project's source code. You can upload, branch, and manage versions of the source code.
- Project management: GitHub provides tools to manage and track project progress. You can create and assign issues, track and label issues, and track changes through a version control system.
- Collaboration: GitHub allows multiple people to work on the same project. You can invite members to your project, manage access, and view and review proposed changes via pull requests.
- Share and discover: GitHub is a large community of software developers. You can share public source code, search and discover other projects, and
1.2.10 Swagger
Figure 1.2.10 Swagger
Swagger is essentially an ecosystem of tools and standards, with the most popular standard data format being the OpenAPI Specification (OAS). OpenAPI is a RESTful API description standard that allows defining API endpoints, HTTP methods, parameters, and responses.
Swagger provides a powerful set of tools for various stages of API development, including:
- Automatic API documentation: Swagger can automatically generate API documentation by reading annotations in the source code or from OpenAPI configuration files. Users can view this documentation in web form, and it is more intuitive than documentation written manually.
- Visual API testing interface: Swagger UI is a tool that provides a web interface that makes it easy for users to interact with and test APIs. Users can enter parameters, call endpoints, and view the results directly on this interface.
- Automatic source code and client SDK generation: Swagger Codegen allows automatic generation of source code for API clients (SDKs) in many different programming languages, saving time and reducing the risk of errors when developing API clients.
- Easy to share and understand APIs: Swagger gives stakeholders (such as backend, frontend and QA) detailed and easy-to-read API documentation, which improves communication and collaboration between teams.
1.2.11 VMware Player
Figure 1.2.11 Vmware player
VMware Player is free virtualization software developed by VMware that allows users to run virtual machines on Windows or Linux operating systems. It helps create, configure, and manage virtual machines, simulating hardware environments without requiring additional physical equipment. VMware Player supports many different operating systems, allowing users to install and run other operating systems on the same physical computer.
VMware Player allows users to run multiple operating systems on the same computer without the need for complicated partitioning or boot systems. It provides a safe testing environment for installing and testing software, patches, or system configurations without affecting the main operating system. For education and research, VMware Player is a useful tool for students and researchers who want to experiment with new operating systems and technologies without additional hardware.
CHAPTER II PROJECT SYSTEM STRUCTURE AND
2.1.2 Assets
This folder contains static resources such as CSS, JavaScript, images, and other interface support files. It separates static resources from the source code, making them easier to manage and increasing page loading speed.
2.1.3 Controller
This folder contains the controller files of the MVC (Model-View-Controller) model. The controller is the intermediate layer between the model and the view, responsible for handling requests from users, manipulating data and returning appropriate results to the user.