Reference no: EM131446984

Project title: Designing a secure online data store

Objective: The project consists in designing a secure online data store.

Requirements:

To achieve the above-mentioned goal, you will need to do the following tasks:
1. Risk analysis: which consists of asset evaluations, threat modeling, and vulnerability analysis.
2. Security requirement specification.
3. Design the security policies.
4. Select the security solutions that satisfy the security requirements of the system.The project consists of 3 separate subprojects; all subprojects must be carried out by each student. It is recommended to start working on the subprojects as soon as possible.

Part I: Basic Hacking

The goal of this subproject is to get you acquainted with basic hacking techniques. The project consists of a simple hacking game available at https://www.try2hack.lt/en/

Visit the site and progressively advance to at least level 10 (2% will be given for each level completed successfully, which means to obtain the full mark you need to find out the correct credentials to move from level 9 to level 10).

Prepare a short report documenting your actions/steps and corresponding solutions. Indicate explicitly the credentials or links used to move between steps; make an adequate use of screenshots.

Part II: Web Application Vulnerability Assessment

The Insecure Web App is an open source database driven J2EE web application released through the Open Web Application Security Project (OWASP) (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project). It contains a variety of vulnerabilities including SQL injection, XSS, Parameter tampering, and broken authorization and authentication, to name a few.
The purpose of this subproject is to conduct vulnerability assessment of the Insecure Web App.
Before starting, you need to install the insecure Web App. The instructions to install the app on Kali are given in the appendix below.

After launching the application (using a web browser), click on the link ‘Instructions' to access the guidelines and application overview.
The ‘Application Overview' section provides a brief description of the different use cases underlying the application and lists different challenge questions in terms of vulnerability assessment.

For this subproject, you are required to answer only one challenge, which is the following:

1. Challenge # 3: Forceful Browsing and Parameter Tampering

Part III: Mitigation (12%)
In Labs 3 and 4, you conducted initial penetration testing steps against the lab network. You uncovered vulnerable services in this network, and gain access to one of the machines by exploiting some of the vulnerabilities. The goal of this subproject is to address the vulnerabilities by proposing mitigation solutions.

Choose one of the vulnerabilities found in Lab 4, and propose and implement a mitigation strategy to remediate the corresponding vulnerability.

For example, a vulnerability that might be a threat is the use of telnet protocol to connect to a remote server over the Internet.
The solution for this threat is to prevent/block incoming/outgoing telnet traffic, by writing some IPTables rules, as follows:

iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables -A OUTPUT -p tcp --dport telnet -j REJECT

Note: it is important when you choose your mitigation techniques to make sure that they are feasible.

NOTE:

• The choice of the data store to be designed is flexible, meaning that you can choose by your own. For example, (1) a simplistic online bookstore that allows customers to search and purchase a book based on title, author, subject and ISBN, (2) a simplistic online sale and purchase E-Commerce tool, etc. You should be explicit on the type of chosen data store and its content, by indicating what it allows the customers to do.

• In all the mentioned requirement steps, be precise in your analysis and description of your proposed solutions. Vague, ambiguous, or unjustified claims, will contribute to affect negatively the quality of your project outcome.

Attachment:- Final Project.rar