Vulnerability Testing for E-commerce Website using Metasploit
Added on 2022-12-16
10 Pages2032 Words115 Views
Introduction:
Website assaults are exceptionally normal these days, and are brought about by interruption in the
system framework in which the assailant initially break down system condition and after that gather
data from in order to abuse the vulnerabilities as well as open ports. Metasploit, Hydra, Nmap,
Wireshark, Burpsuite are the some of the legitimate hacking tools or we can say that stages that are
utilized for testing these vulnerabilities as well as open ports in the system, to fix them and to
anticipate those assaults in future. The use of one of these tools would be examined in this report.
Background of company:
Mr. Gromer has a chain of clothing hops for women in Australia. There are more than 50 clothing
shops in Melbourne and Sydney that has clothes for females that are in their early twenties. To
expand their business further Mr. Gromer decided to move to online selling platform to increase his
profit and to be competitive in the market as most of the clothing chains are now available on the e-
commerce websites. Mr. Gromer has developed their own website with the help of developers
across overseas and his website is about to launch in a week. However, Mr Gromer is aware of the
security breaches are that are ongoing on the e-commerce websites and is afraid of one to be carried
out on his own website as well. Now, he wants to assess his websites for potential vulnerabilities
that can result an attack on his website. As a result he has hired IT engineer to perform assessment
on his website.
Purpose:
The purpose of the report is to perform vulnerability testing for Mr. Gromer's e-commerce website
to identify if there are chances of security breach at their website. The website is using
WooCommerce plugin and runs on Linux webserver. As a part of the testing, the tool used here is
metasploit, the details of the tool, and its features would be discussed in this report. The report
would also show evidence of testing on the website using metasploit tool to assess its security
vulnerabilities.
Penetration testing tools and technologies to be used
The main focus of the report is to analyse the use of metasploit framework for vulnerability testing
trailed by exhibition of tasks performed utilizing this tool on the e-commerce website. We would
additionally analyse the highlights of an additional tool namely hydra and compare both the tools
based on contextual analysis. The following are the details of the tools:
Metasploit: For the improvement as well as execution of website this is maybe the best tool. Its
productivity lies in its design where exploitation should be possible with encoders, payloads and no-
operation generators. In this penetration kids many modules and several endeavours are week after
week refreshed.
Hydra: THC hydra is the most appropriate tools to apply savage power on a given remote
validation service. This tools is dependable, adjustable and quick enough and can hack thirty or
more protocols [2].
Potential risks and threats to the e-Commerce website and
their web server.
The online payment system and shopping websites are always a target of malicious users. The
impact of the attacks can be of great impact on the website as well as shoppers, because of the
financial nature of this websites. The reason this type of threats arise is due to the vulnerabilities in
the website that are most of the time overseen by the developers in an attempt to either meet the
deadlines or lack of secure programming techniques adopted by the programmers. Below are some
of the most common security threats to the e-commerce website, as discussed in [3]:
Website assaults are exceptionally normal these days, and are brought about by interruption in the
system framework in which the assailant initially break down system condition and after that gather
data from in order to abuse the vulnerabilities as well as open ports. Metasploit, Hydra, Nmap,
Wireshark, Burpsuite are the some of the legitimate hacking tools or we can say that stages that are
utilized for testing these vulnerabilities as well as open ports in the system, to fix them and to
anticipate those assaults in future. The use of one of these tools would be examined in this report.
Background of company:
Mr. Gromer has a chain of clothing hops for women in Australia. There are more than 50 clothing
shops in Melbourne and Sydney that has clothes for females that are in their early twenties. To
expand their business further Mr. Gromer decided to move to online selling platform to increase his
profit and to be competitive in the market as most of the clothing chains are now available on the e-
commerce websites. Mr. Gromer has developed their own website with the help of developers
across overseas and his website is about to launch in a week. However, Mr Gromer is aware of the
security breaches are that are ongoing on the e-commerce websites and is afraid of one to be carried
out on his own website as well. Now, he wants to assess his websites for potential vulnerabilities
that can result an attack on his website. As a result he has hired IT engineer to perform assessment
on his website.
Purpose:
The purpose of the report is to perform vulnerability testing for Mr. Gromer's e-commerce website
to identify if there are chances of security breach at their website. The website is using
WooCommerce plugin and runs on Linux webserver. As a part of the testing, the tool used here is
metasploit, the details of the tool, and its features would be discussed in this report. The report
would also show evidence of testing on the website using metasploit tool to assess its security
vulnerabilities.
Penetration testing tools and technologies to be used
The main focus of the report is to analyse the use of metasploit framework for vulnerability testing
trailed by exhibition of tasks performed utilizing this tool on the e-commerce website. We would
additionally analyse the highlights of an additional tool namely hydra and compare both the tools
based on contextual analysis. The following are the details of the tools:
Metasploit: For the improvement as well as execution of website this is maybe the best tool. Its
productivity lies in its design where exploitation should be possible with encoders, payloads and no-
operation generators. In this penetration kids many modules and several endeavours are week after
week refreshed.
Hydra: THC hydra is the most appropriate tools to apply savage power on a given remote
validation service. This tools is dependable, adjustable and quick enough and can hack thirty or
more protocols [2].
Potential risks and threats to the e-Commerce website and
their web server.
The online payment system and shopping websites are always a target of malicious users. The
impact of the attacks can be of great impact on the website as well as shoppers, because of the
financial nature of this websites. The reason this type of threats arise is due to the vulnerabilities in
the website that are most of the time overseen by the developers in an attempt to either meet the
deadlines or lack of secure programming techniques adopted by the programmers. Below are some
of the most common security threats to the e-commerce website, as discussed in [3]:
1. Phishing Attack:
This are the attacks carried out by malicious hackers that sends legitimate looking messages and
email to the employees of the website. This messages contains links that has malicious content
which are installed as soon as they click on the link. This malicious content or malware can allow
access to the hacker into the administrative areas of the system and perform malicious activities.
2. Distributed Denial of Service or DDoS Attacks:
Dos or DDoS attacks targets the server of the website by sending them bogus messages or IP
request and overwhelm the server. These request are corrupted in itself and request the website
again and again overloading the server and taking the website completely down or temporarily
unavailable to the legitimate users. This attack makes huge loss to the e-commerce website due to
its unavailability to the customers.
3. Man in the Middle Attacks
This attack involves listening to the communication between the user and website in attempt to
capture or intercept important information. This type of attack is carried out if the network does not
have sufficient security in place for example using any public wi-fi for accessing the website, which
tricks the user to connect to the vulnerable network that is accessed by the hacker. If there is no
connection between the user and the website this type of attack takes place and the hacker can
intercept into the information such as credit card number, username and password of the user.
4. Malware:
This are the malicious software that are entered into the website by the attackers as soon as they get
access to the site. This malware can be inserted directly into the system through a SQL injection.
This malicious content or malware can allow access to the hacker into the administrative areas of
the system and perform malicious activities.
Description of tools and technologies
Metasploit:
This framework is utilized for penetration testing, exploiting improvement, dynamic abuse,
Fuzzing, performing customer side assault by making vindictive payloads and numerous other
testing that could be envisioned by the analyser. In addition, working framework patches can
likewise be confirmed by this tools are connected by the server and system overseers.
Hydra:
As contrasted and Metasploit, the focal point of Hydra is fundamentally on splitting login subtleties
and utilized by the penetration analysers and the aggressors vigorously for doing likewise. It varies
from Metasploit in the way that it bolsters various protocols and gives dependable outcomes. The
tool as of now underpins for splitting login subtleties of in excess of thirty protocols and
applications alike. A portion of the protocols that are bolstered by Hydra are Simple Mail Transfer
Protocol, Post Office Protocol 3, SMB, Cisco telnet, Microsoft Structured Query Language
(MSSQL), HTTP, and MySQL [5].
Other case episode of penetration testing usages
The task using Metasploit framework would be progressed in the following manner
First we have started the PostgreSQL and Metasploit as seen in the figure
This are the attacks carried out by malicious hackers that sends legitimate looking messages and
email to the employees of the website. This messages contains links that has malicious content
which are installed as soon as they click on the link. This malicious content or malware can allow
access to the hacker into the administrative areas of the system and perform malicious activities.
2. Distributed Denial of Service or DDoS Attacks:
Dos or DDoS attacks targets the server of the website by sending them bogus messages or IP
request and overwhelm the server. These request are corrupted in itself and request the website
again and again overloading the server and taking the website completely down or temporarily
unavailable to the legitimate users. This attack makes huge loss to the e-commerce website due to
its unavailability to the customers.
3. Man in the Middle Attacks
This attack involves listening to the communication between the user and website in attempt to
capture or intercept important information. This type of attack is carried out if the network does not
have sufficient security in place for example using any public wi-fi for accessing the website, which
tricks the user to connect to the vulnerable network that is accessed by the hacker. If there is no
connection between the user and the website this type of attack takes place and the hacker can
intercept into the information such as credit card number, username and password of the user.
4. Malware:
This are the malicious software that are entered into the website by the attackers as soon as they get
access to the site. This malware can be inserted directly into the system through a SQL injection.
This malicious content or malware can allow access to the hacker into the administrative areas of
the system and perform malicious activities.
Description of tools and technologies
Metasploit:
This framework is utilized for penetration testing, exploiting improvement, dynamic abuse,
Fuzzing, performing customer side assault by making vindictive payloads and numerous other
testing that could be envisioned by the analyser. In addition, working framework patches can
likewise be confirmed by this tools are connected by the server and system overseers.
Hydra:
As contrasted and Metasploit, the focal point of Hydra is fundamentally on splitting login subtleties
and utilized by the penetration analysers and the aggressors vigorously for doing likewise. It varies
from Metasploit in the way that it bolsters various protocols and gives dependable outcomes. The
tool as of now underpins for splitting login subtleties of in excess of thirty protocols and
applications alike. A portion of the protocols that are bolstered by Hydra are Simple Mail Transfer
Protocol, Post Office Protocol 3, SMB, Cisco telnet, Microsoft Structured Query Language
(MSSQL), HTTP, and MySQL [5].
Other case episode of penetration testing usages
The task using Metasploit framework would be progressed in the following manner
First we have started the PostgreSQL and Metasploit as seen in the figure
Setup metasploit database
Connect to msfconsole:
Connect to msfconsole:
End of preview
Want to access all the pages? Upload your documents or become a member.
Related Documents
Comparison of Metasploit and Hydra: Ethical Hacking Toolslg...
|9
|779
|70
University Semester.lg...
|9
|2072
|54
Network Security Tools: Nmap and Metasploitlg...
|9
|1824
|206
Conducting Vulnerability on Windows XP-SP2 System using Nessus and Metasploitlg...
|42
|2354
|77
Penetration Testing and the Boot to Root Challengelg...
|21
|1324
|243
Zed Attack Proxy: A Comprehensive Overview of a Powerful Vulnerability Toollg...
|35
|978
|419