- Our goal is to create a custom website that contains a login page with vulnerabilities to be exploited and secured. We'll use pentesting tools and methods to break into the web page. Examples of common vulnerabilities we intend to exploit include SQL Injection and Cross-Site Scripting (XSS). Our motivation for this project is our desire to learn and implement proper web security methods in order to create a functional, safe, and low-cost website.
- There are similar projects to ours already available such as OWASP Juice Shop and TryHackMe. This website will be different in that it is made by beginners, for beginners. Certain platforms, although very useful to motivated learners, can be quite intimidating to newbies. Our solution intends to be much more simple and geared towards those with zero previous knowledge or experience.
- Alex and Blake are new to web development, whereas Blake and Jacob are somewhat acquainted with cybersecurity. Web app pentesting is something we do not know much about, and we hope to learn a lot during the course of this project. Alex and Blake intend to work mostly with the cyber side of this project. Jacob may serve as a bridge between website development and pentesting, while also working primarily on front-end development.
- Cybersecurity is in high demand across the world, as lots of sensitive data is stored on online servers. The idea is not novel in the market. Properly secured websites use a variety of tools to achieve security, such as antivirus software to handle suspicious file uploads, hashing of sensitive information such as passwords, and monitoring of IP addresses for repeated malicious activity.
- The primary customer is someone seeking either the creation of a secure static website or improved security on an existing website. The customer wants to minimize vulnerabilities to prevent malicious attacks on their domain. Cyber threats are on the rise, and websites are targeted for valuable user data or other sensitive information. Website owners often seek out contractors to perform tests on their website to identify vulnerabilities. These specialists also need to become familiar with common attacks, how they are executed, and how to defend against them.
- Our solution will deliver a series of gradual tests and additional tooling/development which should be portable enough for redeployment for other potential customers. While our solution does not provide new capabilities, the methods we employ aim to be simple and quick to implement while still being robust. We have not tested the idea on anyone.
- We will gauge the customer’s measure of our success based on feedback following extensive pentesting to ensure their website is as secure as possible. Metrics such as timeliness, effectiveness, and professionalism are all critical.
- This website will utilize current libraries and security protocols in an attempt to create the most secure website possible. Other possible avenues include: marketing this website as an example of our services and creating a playground for individuals interested in web app pentesting. A minimal system that a customer might desire would need: homepage, secure login, user accounts, and other basic website requirements. Possible enhancements include: on-call IT support, custom dashboard to quickly modify website, and expansions to the page (like a shop or about me section).
- Our system will be tested using the tools mentioned below and relevant penetration testing methods. Any flaws we find in our efforts will be documented and remedied. Thorough in-house testing is required before we can claim this website is secure.
- Website development will be conducted with typical tools such as HTML, JavaScript and CSS. Web frameworks such as Bootstrap may be utilized. For penetration testing we plan on using the tools available on Kali Linux, such as Burp Suite, Wireshark and sqlmap.
- The Scandinavian Defense Team name is influenced by one of the famous chess strategies where black's pawn meets the white pawn in the middle and opens a lot of opportunities for the defending side. To be honest, we also initially thought it was just a cool name. Our team has a great interest in getting into web development and cybersecurity, but this project will most certainly be a learning experience for us all.
- Alex Brock has a technical background including game scripting, Bash tooling and Linux environments, and failed attempts at SQL Injection. He hopes to improve his experience in web development and cybersecurity with this project. Also plays a mean guitar.
- Blake Childress has some experience with scripting languages like Bash and Python and is familiar with the Kali environment. He hopes to sharpen his skills in web security and better acquaint himself with pentesting tools.
- Jacob Leonard has some experience in HTML/CSS/JavaScript, but hopes to strengthen these skills even more by contributing to this project. He hopes to learn how web development and cybersecurity intertwine and how these two categories can be optimized for a more secure website.
- The team has two divisions: Web Development Team & Cybersecurity Team. Jacob will focus on designing the website while Alex and Blake will focus on finding exploits and solutions. All team members will work with both divisions, but our focuses are split in order to progress efficiently.
- Pentesting may only be conducted on applications that you have permission to test. Therefore, we should be in the green for working with our own website. However, it is smart to use a virtual machine and work locally if possible, due to possible ISP flags. There are no direct ethical or social concerns, although insecure websites should be seen as a threat to ethics.
- All of the resources we need can be found publicly using any search engine. Although YouTube likes to suppress "hacking" channels, we can still access them with clear search terms. Guides and blogs will also be a great help.
- The website should attain basic functionality very quickly. Any lost features would come in the form of not being able to address security issues in a timely manner. Although important, other things such as making the website more presentable and adding non-vital features may have to be sacrificed if time does not allow. Even so, the reduced form of our project will still serve to aid our learning about web applications and pentesting while also delivering a basic secure website.
- Complete Project Proposal Draft (Feb 11th)
- Create GitHub Pages website
- Revise Project Proposal (Feb. 18th)
- Conduct research
- Begin working on website
- Construct website w/ basic functionality
- Continue research
- Conduct basic pentesting if possible
- Implement minimal viable system
- Submit 1st status report (March 4th)
- Add functionality to website
- Improve security
- Submit 2nd status report (March 18th)
- Add functionality to website
- Improve security
- Submit 3rd status report (April 1st)
- Add functionality to website
- Improve security
- Complete project implementation
- Submit project report & present final result (April 15th)
