Development of a Secure Website to Resist Cross-Site Scripting, SQL Injection, Authentication Bypass and Session Fixation Web Application Security Vulnerabilities

Teo, Kim Guan (2017) Development of a Secure Website to Resist Cross-Site Scripting, SQL Injection, Authentication Bypass and Session Fixation Web Application Security Vulnerabilities. Final Year Project (Bachelor), Tunku Abdul Rahman University College.

Teo Kim Guan_FULL TEXT.pdf
Restricted to Registered users only


Abstract

Purpose: In partial fulfilment of the requirements of the Bachelor of Information Technology (Hons) in Information Security, I was required to propose and complete this final year project. The project aimed to develop a secure online shopping website that protects users from cross-site scripting (XSS), SQL injection, authentication bypass and session fixation vulnerabilities.

Scope: The secure online shopping website contains many modules and sub-modules, such as member registration, product maintenance, shopping cart, product checkout, order status tracking and others. Its security features and functions include account lockout, account session timeout with automatic logout, password encryption, client- and server-side authentication, strong session identifiers and so on.

Methodology: The project used the Security Software Development Life Cycle (SecSDLC) methodology throughout the development process. SecSDLC incorporates security functional requirements, such as vulnerability assessment, into every stage, which helps ensure that the web application is secure and free from the security vulnerabilities targeted in this project.

Development phases: The project involved many phases, such as identifying functional and non-functional requirements, designing security requirements, architecture and design reviews, best-practice coding, vulnerability assessment and so on.

Assessment criteria used: The project used the BurpSuite software to intercept the data traffic between users and the server in an attempt to fix the session and bypass authentication. BurpSuite was also used to perform session prediction analysis to determine how easily the session identifier could be predicted.

Results: The results show that the website successfully prevented the attacker from bypassing authentication and fixing the session through interception. The session prediction analysis also shows that the session ID is very hard to predict.

Conclusions and Recommendations: The web application was secure and succeeded in preventing cross-site scripting, SQL injection, authentication bypass and session fixation web application vulnerabilities. This project helped me to understand more about web vulnerabilities, including how they work, and how to protect against them using different countermeasures.

Item Type: Final Year Project
Subjects: Technology > Technology (General) > Information technology. Information systems
Science > Computer Science > Websites
Faculties: Faculty of Applied Sciences and Computing > Bachelor of Information Technology (Honours) in Information Security
Depositing User: Library Staff
Date Deposited: 09 Aug 2019 08:01
Last Modified: 18 Aug 2020 09:21
URI: https://eprints.tarc.edu.my/id/eprint/4841