This project aims to improve the security of a web application that uses Vue for the frontend and Spring Boot for the backend.
- Secure version of the web app after removing the OWASP Top 10 vulnerabilities
- 2 security test spreadsheets (one from testing the insecure version of the web app, one from testing the secure version)
- Walkthrough document
- Slides to share with coworkers
- Insecure ID vulnerability (insecure direct object reference: record IDs are taken from the request without checking that the caller is allowed to access that record)
- Path traversal vulnerability
- File permission vulnerability
- Run gobuster against the server to see which files and directories are visible to the outside world. The wordlist is https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt
- Walk through the discovered URLs from the browser's address bar under three roles (not logged in, logged-in user, admin) and record which role can reach which resource.
- The goal is to determine whether file permissions allow access to credential files on the server (for example backend configuration files that contain database passwords).
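
The path traversal item above is the one where a user-supplied file name walks out of the directory the app means to serve. The following is an added example, not code from this project: a vulnerable resolver beside a hardened one, run against a constructed temporary directory layout (`uploads/` as the served directory, `config/credentials.properties` as the target). File names, directory names and the content of the credential file are all made up for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class PathTraversalDemo {

    // Vulnerable: the request string is appended to the base directory as-is,
    // so "../" segments walk out of it.
    static Path vulnerableResolve(Path base, String requested) {
        return base.resolve(requested);
    }

    // Hardened: normalize away "." and ".." and refuse any result that no
    // longer sits under the base directory. An absolute request such as
    // "/etc/passwd" also fails the startsWith check, because resolve() returns
    // an absolute argument unchanged.
    static Path safeResolve(Path base, String requested) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("rejected path outside the upload directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/uploads is what the app may serve,
        // <tmp>/config/credentials.properties is what the attacker is after.
        Path tmp = Files.createTempDirectory("traversal-demo");
        Path uploads = Files.createDirectory(tmp.resolve("uploads"));
        Path config = Files.createDirectory(tmp.resolve("config"));
        Files.writeString(uploads.resolve("report.pdf"), "harmless report");
        Files.writeString(config.resolve("credentials.properties"), "spring.datasource.password=hunter2");

        String legit = "report.pdf";
        String attack = "../config/credentials.properties";

        // Vulnerable version hands back the credential file.
        System.out.println("vulnerable -> " + Files.readString(vulnerableResolve(uploads, attack)));

        // Hardened version serves the legitimate name and rejects the traversal.
        System.out.println("safe, legit -> " + Files.readString(safeResolve(uploads, legit)));
        try {
            safeResolve(uploads, attack);
        } catch (IOException e) {
            System.out.println("safe, attack -> " + e.getMessage());
        }
    }
}
```

Spring decodes `%2e%2e%2f` before a controller sees the value, so the check has to run on the decoded string, as here. If the upload directory can contain symlinks, resolve `candidate.toRealPath()` and repeat the `startsWith` check on the real path, since `normalize()` works on the string form only.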
- Lack of HTTPS
- Man-in-the-middle attack
- Perform a man-in-the-middle attack to show how serious the lack of transport encryption is (credentials and session cookies can be read and modified in transit)
- Use HTTPS (TLS) for all traffic between the browser and the backend
- Store passwords in the DB as salted hashes produced by a slow password-hashing function (bcrypt, Argon2, or PBKDF2), not as plaintext or reversibly encrypted values
- SQL injection
- Perform SQL injection against the target and record which records can be extracted from the DB
- Modify the Java code to prevent SQL injection (bind user input as query parameters instead of concatenating it into SQL strings)
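
The two SQL injection steps above, as an added example rather than code from this project: a login query that concatenates the request parameters beside the parameterized fix, run against a constructed `users` table. It uses an H2 in-memory database (the H2 jar on the classpath is the only dependency; `jdbc:h2:mem:sqlidemo` is an assumed URL) so it runs offline; the project's Postgres would behave the same way, since the flaw is in how the SQL string is built, not in the database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class SqlInjectionDemo {

    // Vulnerable: the request parameters are pasted into the SQL text, so a
    // quote in the input changes the structure of the query.
    static List<String> vulnerableLogin(Connection c, String user, String pass) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = '" + user
                   + "' AND password = '" + pass + "'";
        List<String> matched = new ArrayList<>();
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                matched.add(rs.getString(1));
            }
        }
        return matched;
    }

    // Hardened: the SQL text is fixed and the values are bound as parameters,
    // so the driver never interprets them as SQL.
    static List<String> safeLogin(Connection c, String user, String pass) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = ? AND password = ?";
        List<String> matched = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    matched.add(rs.getString(1));
                }
            }
        }
        return matched;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed schema and rows. Plaintext passwords appear here only to
        // keep the injection easy to see; the real app stores salted hashes.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:sqlidemo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(64), password VARCHAR(64))");
                st.execute("INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'wonderland')");
            }
            String payload = "' OR '1'='1";
            // Resulting SQL: ... WHERE username = 'admin' AND password = '' OR '1'='1'
            // The OR makes the WHERE clause true for every row, so every user is returned.
            System.out.println("vulnerable, injected: " + vulnerableLogin(c, "admin", payload));
            System.out.println("safe, injected:       " + safeLogin(c, "admin", payload));
            System.out.println("safe, real password:  " + safeLogin(c, "admin", "s3cret"));
        }
    }
}
```

In the Spring Boot code the same fix is the `?` placeholders with `JdbcTemplate.query(sql, rowMapper, args...)`, or named parameters in a Spring Data `@Query`; table and column names cannot be bound as parameters, so if those ever come from the request they must be checked against a fixed allow-list instead.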
- Review the configuration files of the backend environment (Postgres and Spring Boot)
- Check whether any error messages (stack traces, SQL errors, framework error pages) are exposed to users
- Review the frontend and backend components (dependencies) for outdated or known-vulnerable versions
- Write a batch processing file (script) for updating the components
- Implement multi-factor authentication
- Review the password policy against the NIST guideline (SP 800-63B)
- Session management by time (idle timeout and expiry of sessions)
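
NIST SP 800-63B asks for a minimum length of 8, a maximum of at least 64, NFKC normalization of Unicode, a blocklist of common, breached and context-specific values (including the username), rejection of repetitive or sequential strings, and no composition rules or forced periodic changes. The following is an added example, not code from this project, that encodes those checks in plain Java. The tiny `BLOCKLIST` is a constructed stand-in for a real breached-password list, and the run length of 4 used for "repetitive or sequential" is this example's own threshold, since the guideline gives no number.

```java
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class NistPasswordPolicy {
    static final int MIN_LENGTH = 8;
    static final int MAX_LENGTH = 64;
    // Constructed stand-in for a breached/common password list (lowercase, exact match).
    static final Set<String> BLOCKLIST = Set.of("password", "123456", "qwerty", "letmein", "password1");

    // Returns the list of reasons the password is rejected; empty means accepted.
    // Deliberately absent: "must contain an uppercase letter/digit/symbol" rules,
    // which SP 800-63B says not to impose.
    static List<String> check(String password, String username) {
        List<String> problems = new ArrayList<>();
        String normalized = Normalizer.normalize(password, Normalizer.Form.NFKC);
        int length = normalized.codePointCount(0, normalized.length());
        if (length < MIN_LENGTH) {
            problems.add("shorter than " + MIN_LENGTH + " characters");
        }
        if (length > MAX_LENGTH) {
            problems.add("longer than " + MAX_LENGTH + " characters");
        }
        String lower = normalized.toLowerCase(Locale.ROOT);
        if (BLOCKLIST.contains(lower)) {
            problems.add("found in the common/breached password list");
        }
        if (username != null && !username.isEmpty() && lower.contains(username.toLowerCase(Locale.ROOT))) {
            problems.add("contains the username");
        }
        if (hasRepetitiveOrSequentialRun(lower)) {
            problems.add("contains a repetitive or sequential run of characters");
        }
        return problems;
    }

    // Flags a run of 4 or more identical characters ("aaaa") or of characters
    // that each follow the previous one by one code point ("1234", "abcd").
    static boolean hasRepetitiveOrSequentialRun(String s) {
        int sameRun = 1;
        int seqRun = 1;
        for (int i = 1; i < s.length(); i++) {
            char prev = s.charAt(i - 1);
            char cur = s.charAt(i);
            sameRun = (cur == prev) ? sameRun + 1 : 1;
            seqRun = (cur == prev + 1) ? seqRun + 1 : 1;
            if (sameRun >= 4 || seqRun >= 4) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for user "alice".
        String[] samples = {
            "password1",                    // blocklisted
            "alice2024!",                   // contains the username
            "1234abcd",                     // sequential runs
            "short",                        // too short
            "correct horse battery staple", // accepted: long, no composition rule needed
        };
        for (String pw : samples) {
            List<String> problems = check(pw, "alice");
            System.out.println("\"" + pw + "\" -> " + (problems.isEmpty() ? "accepted" : problems));
        }
    }
}
```

In production the blocklist should be a real breached-password source (a local copy or a k-anonymity API lookup) rather than an in-memory set, and the check belongs on the registration and password-change endpoints of the Spring Boot backend, not only in the Vue form, since the frontend check can be bypassed.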
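
The "Use HTTPS" and "Session management by time" items above both land in the Spring Security configuration. The following is an added example, not code from this project, of a `SecurityFilterChain` that redirects plain HTTP to HTTPS, sets HSTS so browsers keep using it, rotates the session id at login and limits each user to one live session. It assumes Spring Boot 3 with `spring-boot-starter-security` (Spring Security 6); the paths `/login`, `/assets/**` and `/admin/**` and the role name `ADMIN` are placeholders for the project's own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request must arrive over TLS; plain HTTP is redirected.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // HSTS: browsers refuse plain HTTP to this host for a year.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31_536_000)))
            // Sessions: new id after login (against session fixation),
            // one concurrent session per user (a second login ends the first).
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .sessionFixation(fixation -> fixation.newSession())
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false))
            // Placeholder routes: public assets, admin area, everything else needs a login.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/assets/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));
        return http.build();
    }
}
```

The time limit itself and the TLS key material are Spring Boot properties rather than Java: `server.servlet.session.timeout=15m` sets the idle timeout, `server.servlet.session.cookie.secure=true` and `server.servlet.session.cookie.http-only=true` keep the session cookie off plain HTTP and away from JavaScript, and `server.port=8443` with `server.ssl.key-store`, `server.ssl.key-store-password` and `server.ssl.key-store-type=PKCS12` turn on TLS (the keystore path and password are the project's own). When the Vue app is served from a separate origin, the same cookie flags apply to whatever token the frontend stores, and the CORS allow-list must name only the HTTPS origin.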