Ecommerce and Governance Security

Solve assigned puzzle using web application exploitation techniques, provide screenshots, and write a report discussing vulnerabilities and solutions.


Added on  2022-11-13

About This Document

This report discusses the vulnerabilities in an online banking web application and how to fix them. It covers topics such as CSRF, SQL injection, session management, and more. The report also provides recommendations for improving the security of the website.

Ecommerce and Governance Security
NAME:
COURSE:
QUESTION:
First, solve your assigned puzzle (Puzzle B112) using web application exploitation techniques and provide screenshots, then write a report discussing specifically what type of mistake or oversight in code, design or implementation led to the successful exploitation. Research those existing vulnerabilities and explain what needs to be changed to fix the problem. The report can be between 1000 and 1500 words. The puzzles are on https://puzzle.academy
Solution to the puzzle
The money was transferred through Cross-Site Request Forgery (CSRF). The browser William was using was fooled by an attacker's third-party website, which sent a request to https://moonyland.com/banking/account.php carrying William's session cookie. He had logged in on one tab, on the home page https://moonyland.com/banking/index.php, and the other tab, which loaded account.php, made the browser misuse his cookie on behalf of the attacker, a confused deputy problem. The site lets account changes be made through HTTP GET requests, which are supposed to be safe (side-effect free); because they are not, a request from any site can alter the resource that is accessed. This can be prevented by implementing secret tokens and storing them in hidden form fields that a third-party site cannot read.
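The fix described above, shown as an added example that is not the report's own code nor the moonyland.com site's code: a vulnerable GET handler placed beside a hardened one that requires POST, checks the Origin header when the browser sends one, and compares a per-session synchronizer token from a hidden form field in constant time. The Session and Request classes, the token name csrf_token and the balances are constructed for the example; only the site origin and the account.php path come from the report.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# The banking site's origin and transfer page as named in the report; everything else is constructed.
SITE_ORIGIN = "https://moonyland.com"
TRANSFER_PATH = "/banking/account.php"


@dataclass
class Session:
    """Server-side state looked up from the browser's session cookie (constructed stand-in)."""
    user: str
    balance: int
    # Synchronizer token: random, per session, never exposed to other origins.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Only the parts of an HTTP request the checks need (constructed, not a framework object)."""
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(session: Session, request: Request) -> str:
    """'Before' behaviour: any request to account.php that arrives with the cookie moves money,
    regardless of method, origin or token. This is the confused-deputy problem the report describes."""
    if request.path == TRANSFER_PATH and "amount" in request.params:
        session.balance -= int(request.params["amount"])
        return "transferred"
    return "ignored"


def transfer_hardened(session: Session, request: Request) -> str:
    """'After' behaviour: POST only, the Origin header (when present) must be our own site,
    and the hidden-field token must match the one stored in the session."""
    if request.path != TRANSFER_PATH:
        return "not found"
    if request.method != "POST":
        # GET stays side-effect free, so a forged cross-site GET can no longer move money.
        return "rejected: state change requires POST"
    origin = request.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-site origin"
    supplied = request.params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte from timing.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "rejected: bad csrf token"
    session.balance -= int(request.params["amount"])
    return "transferred"


def hidden_field(session: Session) -> str:
    """Form fragment the bank embeds in its own transfer page; the same-origin policy keeps a
    third-party page from reading this value, so it cannot build a request that passes the check."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


if __name__ == "__main__":
    william = Session(user="william", balance=1000)
    forged = Request("GET", TRANSFER_PATH, {"to": "attacker", "amount": "500"},
                     {"Origin": "https://evil.example"})
    print(transfer_vulnerable(william, forged), william.balance)
    print(transfer_hardened(william, forged), william.balance)
    genuine = Request("POST", TRANSFER_PATH,
                      {"to": "bob", "amount": "100", "csrf_token": william.csrf_token},
                      {"Origin": SITE_ORIGIN})
    print(transfer_hardened(william, genuine), william.balance)
```

The token check is the defence the report recommends; the POST-only rule and the Origin check are the two cheap additional layers a reviewer would expect, since an Origin header cannot be set by a page on another site and a GET can never carry the hidden field.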
Application Vulnerabilities
Firstly, the design makes the account vulnerable, especially where William's details are kept openly on screen. See the screenshot.
This exposure of William's account details, especially the card number, leaves the account vulnerable to a credential stealing attack (CSA), whereby fraudsters gather users' credentials through shoulder surfing; because the card number and account details are clearly exposed, one could wipe out the account. This can be prevented by fitting a privacy screen filter to your computer so the display is obscured to onlookers, and by locking the screen after a short period of inactivity to safeguard it, especially when you leave your desk or use your laptop/tablet in a public place.
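The report's countermeasures are physical; the server-side complement is to never render the full card number in the first place. The following is an added example, not code from the report or from the moonyland.com site, of masking a card number before it reaches the page. The account dictionary, the field names and the default policy of showing only the last four digits (with a hard cap of first six plus last four, the usual display rule for primary account numbers) are assumptions of the example.

```python
import re


def mask_pan(pan: str, keep_last: int = 4, keep_first: int = 0) -> str:
    """Mask a card number for display, keeping at most the first `keep_first` and the last
    `keep_last` digits. Separators (spaces, dashes) are preserved so the masked value still
    lines up like the original. Assumed display policy: never more than first 6 + last 4."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("display policy allows at most first 6 and last 4 digits")
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    last_start = len(digits) - keep_last
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if seen < keep_first or seen >= last_start else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def render_account_summary(account: dict) -> str:
    """Build the text shown on the account page with the sensitive fields masked.
    The account dict is a constructed stand-in for whatever account.php reads from its database."""
    acct = account["account_number"]
    return (
        f"Name: {account['name']}\n"
        f"Card: {mask_pan(account['card_number'])}\n"
        f"Account: {'*' * (len(acct) - 4)}{acct[-4:]}\n"
        f"Balance: {account['balance']}"
    )


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test number, not a real card.
    sample = {"name": "William", "card_number": "4111 1111 1111 1111",
              "account_number": "0123456789", "balance": 1000}
    print(render_account_summary(sample))
```

Masking at render time means a shoulder surfer, a screenshot or a cached page only ever sees the last four digits, which is not enough to use the card.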
The site is missing security headers that are responsible for protection against several attacks. The first missing header is X-XSS-Protection, which guards against certain cross-site-scripting (XSS) attacks and can be enabled by adding X-XSS-Protection: 1; mode=block to the site's responses; it instructs the browser to stop loading a page when it detects a cross-site scripting attack. The other missing header is X-Content-Type-Options: nosniff. Without it, the user is exposed to a type of drive-by download that results in the unintentional download of malicious code to the device, leaving it open to cyberattack and phishing; Internet Explorer is the browser normally targeted by this type of attack. Enabling both headers improves the security of the site and its users against these attacks.
The anti-clickjacking X-Frame-Options header is not present. This exposes the user to clickjacking, where the attacker uses transparent layers to redirect the user's mouse clicks: clicks meant for this page are 'hijacked' and routed to a malicious page. This can be done on a button and can result in the user, for example, subscribing to a newsletter without their consent. Keystrokes can also be hijacked: a user can be made to believe they are typing into their email or bank account when they are actually entering their details into an invisible frame placed there by the attacker to collect them. X-Frame-Options should be added to every page of the website.
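A small audit for the three headers discussed above (X-XSS-Protection, X-Content-Type-Options and X-Frame-Options), added here as an example and not taken from the report or from the moonyland.com site. It parses the head of a captured HTTP response, lists which of the three headers are missing or carry an unexpected value, and applies the recommended defaults to a response that lacks them. The sample response text is constructed. One caveat the report does not mention: current Chromium-based browsers have removed support for X-XSS-Protection and Firefox never implemented it, so a Content-Security-Policy is the defence to rely on in modern browsers, and its frame-ancestors directive also supersedes X-Frame-Options; the older headers still do no harm and remain worth setting for legacy clients.

```python
# Headers the report identifies as missing, with the values it recommends.
# X-Frame-Options accepts either of the two values browsers honour.
EXPECTED = {
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": ("nosniff",),
    "X-XSS-Protection": ("1; mode=block",),
}


def parse_raw_headers(raw: str) -> dict:
    """Turn the head of a captured HTTP response (as pasted from a proxy or curl -i) into a
    {name: value} dict. The status line and anything after the blank line are ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers: dict) -> list:
    """Report each expected header that is absent or has a value outside the accepted set.
    Header names are matched case-insensitively, as HTTP requires."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, accepted in EXPECTED.items():
        actual = present.get(name.lower())
        if actual is None:
            findings.append(f"missing {name}; add '{name}: {accepted[0]}'")
        elif actual.strip().lower() not in {a.lower() for a in accepted}:
            findings.append(f"{name} is '{actual}', expected one of {accepted}")
    return findings


def add_security_headers(headers: dict) -> dict:
    """Return a copy of the response headers with the report's three defences applied,
    leaving any value the site already set in place."""
    fixed = dict(headers)
    lower = {k.lower() for k in fixed}
    for name, accepted in EXPECTED.items():
        if name.lower() not in lower:
            fixed[name] = accepted[0]
    return fixed


if __name__ == "__main__":
    # Constructed response head resembling what the banking site returns without the headers.
    captured = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: PHPSESSID=constructed-session-id\r\n"
        "\r\n"
        "<html>...</html>"
    )
    before = parse_raw_headers(captured)
    for finding in audit_headers(before):
        print(finding)
    print(audit_headers(add_security_headers(before)))  # no findings once applied
```

The same checks can be run against every page of the site, which is what the report asks for when it says X-Frame-Options should be added to every page: a header set on one response but not another still leaves the unprotected page frameable.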
End of preview