The document discusses penetration testing and fuzzing techniques. It describes penetration testing as simulating attacks to identify vulnerabilities before exploitation, while fuzzing involves sending random input to find crashes or errors indicating vulnerabilities. Both help reduce security risks. The assessment used Burp Suite for its comprehensive scanning tools to automate penetration testing of the target web application, though some features were limited in the community edition.

51.503 - Secure Software Engineering

Fig 4.5 Possible solution for Second Order SQL injection


Example: Cookie Poisoning findings and possible solution

Fig 4.6 Cookie Poisoning finding


Fig 4.7 Cookie Poisoning possible solution


Example: Client Privacy Violation findings and possible solution

Fig 4.8 Client Privacy Violation finding 1

Fig 4.9 Client Privacy Violation finding 2


Fig 4.10 Client Privacy Violation Possible Solution


Example: Hard-coded Cryptographic key findings and possible solution

Fig 4.11 Hard Coded Cryptographic Key Finding


Fig 4.12 Hard Coded Cryptographic Key Finding Possible Solution


The Fortify report provided a comprehensive analysis of the code, identifying
potential security vulnerabilities, bugs, and other issues. The report was particularly
effective at identifying issues related to code quality, such as poor coding practices.
The report also provided detailed remediation advice, making it easy for us to take
steps to address the issues identified. The full report will be attached together with
this report.

Fortify output example and solution

Example 1:

Fig 4.13 Fortify Hard Coded Encryption Key finding and possible recommendation


Example 2:


Fig 4.14 Privacy Violation finding and possible recommendation

Static analysis is a valuable tool for code review because it can identify potential
vulnerabilities, bugs, and quality issues in the code before it is deployed. However,
there are some challenges that can arise when using static analysis for code review.

One challenge is that static analysis tools can produce false positives, which can
lead to wasted time and effort when developers investigate issues that turn out to be
non-issues. To address this challenge, it's important to configure the static analysis
tool to minimise false positives, and to provide developers with guidance on how to
differentiate between true and false positives.

Another challenge is that static analysis tools may not detect all types of issues,
particularly those that involve complex logic or dynamic behaviour. To address this
challenge, it's important to combine static analysis with other forms of code review,
such as manual code review or dynamic testing.


Finally, static analysis tools may be difficult to integrate into existing development
processes or toolchains. To address this challenge, it's important to evaluate static
analysis tools carefully before adopting them, and to ensure that they integrate well
with existing development tools and processes.

Possible solutions for these challenges include:

1. Configuring the static analysis tool to minimise false positives, and
providing developers with guidance on how to differentiate between true
and false positives.
2. Combining static analysis with other forms of code review, such as
manual code review or dynamic testing.
3. Evaluating static analysis tools carefully before adopting them, and
ensuring that they integrate well with existing development tools and
processes.

By addressing these challenges and leveraging the strengths of static analysis,
developers can improve the quality, reliability, and security of their software.


5. Black Box

| Test ID | Description | Expected Result | Actual Result |
|---|---|---|---|
| basicCart | Add product(s) to cart. Total price at checkout should be the sum of all product prices. | Total cost = ∑_i price_i | Success. Total cost = ∑_i price_i |
| basicCart2 | Precondition: product added to cart. Remove some/all products from cart. | Total amount should reflect the latest ∑_i price_i | Success. Cart was updated to reflect latest ∑_i price_i |
| cartUpdate1 | Precondition: product added to cart. Delete product from DB after adding it to cart. | Cart updated to remove product from cart. | Success. Cart was updated after product was deleted from DB. |
| modifyPrice | Precondition: product added to cart, price needs to be positive. Update product price after adding it to cart. | Cart updated to reflect latest price. | Success. Cart was updated to reflect latest price. |
| negativePrice | Adding/updating product with negative price. | Exception error handled: Price cannot be negative. | Fail. Product added/updated with negative price. |
| processPayment | PayPal payment amount reflects the order amount. | Payment amount reflects the order amount. | Success. Payment amount reflects the order amount. |
| cartUpdate2 | Precondition: product added to cart. Delete product from DB after adding it to cart. Update cart icon quantity. | Cart icon quantity should match the quantity in cart. | Fail. Mismatch of quantity. |
| inputValidation | When entering name in form, should validate user input to prevent XSS. | Exception error handled: warning message for special characters in name. | Fail. Still processes user input. |
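The two failing cases above (negativePrice and inputValidation) are both missing server-side checks. The following is an added example, not code from the report's project: plain-Python validators for the price and name fields with a constructed allow-list for names, written without Django so it runs stand-alone; the function and field names are assumptions.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed allow-list: a name may hold letters, apostrophes, hyphens and spaces.
# A real project would widen this for non-ASCII names; the point is that markup
# characters never pass, so nothing reaches the template that needs escaping.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


class ValidationError(ValueError):
    """Raised when a submitted field fails validation; the view reports the message."""


def validate_price(raw: str) -> Decimal:
    """Parse a submitted price and reject anything that is not a finite, non-negative amount."""
    try:
        price = Decimal(raw)
    except InvalidOperation:
        raise ValidationError("Price must be a number") from None
    if not price.is_finite():          # rejects NaN and Infinity, which Decimal accepts
        raise ValidationError("Price must be a finite number")
    if price < 0:
        raise ValidationError("Price cannot be negative")   # the negativePrice expectation
    return price.quantize(Decimal("0.01"))


def validate_name(raw: str) -> str:
    """Allow-list the characters a name may contain instead of trying to strip bad ones."""
    name = raw.strip()
    if not NAME_RE.fullmatch(name):
        raise ValidationError("Name contains unsupported characters")  # the inputValidation expectation
    return name


def check_submission(price: str, name: str) -> dict:
    """Validate every field and return cleaned values or handled errors, never a partial mix."""
    errors, cleaned = {}, {}
    for field, check, value in (("price", validate_price, price), ("name", validate_name, name)):
        try:
            cleaned[field] = check(value)
        except ValidationError as exc:
            errors[field] = str(exc)
    return {"ok": not errors, "cleaned": cleaned if not errors else {}, "errors": errors}
```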


6. Penetration Testing
Penetration testing, also known as pen testing, is a process of assessing the security
of a system by simulating an attack on it. The purpose of penetration testing is to
identify vulnerabilities and weaknesses in a system before they can be exploited by
attackers. It is an essential part of any security program, and it helps organisations
identify and remediate vulnerabilities in their systems before they can be exploited by
attackers. Penetration testing can be done manually or with the help of automated
tools, such as Burp Suite.

Fuzzing, on the other hand, is a testing technique used to identify security
vulnerabilities and coding errors in software applications. It involves sending large
amounts of random input data to the target application and observing its behaviour.
The purpose of fuzzing is to find unexpected behaviour in the application, such as
crashes or memory leaks, which may indicate the presence of a vulnerability.
Fuzzing is typically done using automated tools, and it can be used in conjunction
with penetration testing to identify potential vulnerabilities.

The primary purpose of both penetration testing and fuzzing is to identify potential
security vulnerabilities in a system. They help to identify and remediate
vulnerabilities before they can be exploited by attackers, thereby reducing the risk of
data breaches and other security incidents.

We selected Burp Suite Community Edition to automate the penetration testing
process. Burp Suite is a popular tool used by security professionals for web
application penetration testing. It offers a wide range of features and functionalities
that make it an excellent choice for conducting penetration tests on web applications.
One of the primary reasons why Burp Suite was selected as the tool for conducting
the penetration test is its ability to perform a comprehensive and thorough scan of
the target application. It has a suite of scanning tools that allow for automated
discovery of vulnerabilities such as SQL injection, cross-site scripting (XSS), and
command injection. [Note: Target scanning was subsequently found to be not
available in Community Edition]

Another key feature of Burp Suite is its ability to intercept and modify requests and
responses between the client and server. This enables testers to manipulate
application behaviour and test the application's resilience to attacks such as
parameter tampering, session hijacking, and input validation bypass.
Moreover, Burp Suite has a wide community of users who constantly update and
develop new plugins and extensions for the tool. This means that testers have
access to a vast library of plugins that extend the tool's functionality and allow for
more targeted and effective testing. The tool's user-friendly interface and
customizable workflows also make it easy for testers to use and adapt to their
specific needs.

The following tests were conducted to attempt to uncover potential security issues
relating to the website.

6.1 Password brute force attack

A brute force attack on a website password using Burp Suite Intruder involves
repeatedly attempting to guess the correct password for a given user account by
trying various combinations of characters. The idea behind a brute force attack is to
try all possible combinations of characters until the correct password is found.

To perform a brute force attack with Burp Suite Intruder on the user ID and
password fields of a website, we first captured the login request using
Burp Suite's proxy functionality as shown in Figure 6.1.

Figure 6.1: Login page for Django Admin

Next, we configured the attack parameters in Burp Suite Intruder, such as the target
URL, the payload (i.e., the list of possible passwords), and the attack type. For the
attack type, we set "cluster bomb" to try a predefined list of words, i.e. rockyou.txt, as
shown in Figures 6.2 and 6.3.


Figure 6.2: Attack type set to “cluster bomb”

Figure 6.3: Predefined password list

Once the attack starts, the tool systematically sends a login request to the
website for each of the predefined passwords. From the responses received, shown in
Figure 6.4, we observed that one of the predefined passwords, i.e. admin, was able to
log in to the website successfully.


Figure 6.4: Successful login using “admin”

To prevent similar attacks on the login, it is recommended to implement the following
control measures to mitigate the risk:
1. Implementing account lockout policies: After a certain number of failed login
attempts, the user account should be locked out for a specified period of time.
This prevents brute force attacks by limiting the number of attempts an
attacker can make.
2. Strong password policy: Enforce a strong password policy that requires users
to create complex and unique passwords. This makes it difficult for an
attacker to guess passwords through brute force attacks.
3. Two-factor authentication: Implement two-factor authentication to add an extra
layer of security besides the password.
4. Captcha verification: Implement a Captcha verification system to ensure that
the login request is coming from a human user and not an automated script.
5. Limit access to authorised users: Limit access to the admin website to only
authorised users. This can be achieved by creating user accounts with limited
access or by restricting access based on IP addresses or only via local login.

Implementing these measures can significantly reduce the risk of a successful brute
force attack on a login page using a predefined password list in Burp Suite.
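Control measure 1 above (account lockout) in working form, as an added example rather than code from the report's Django project: a per-account failure counter with a sliding window and a timed lockout. The thresholds, the in-memory storage and the `now` clock hook are assumptions; a real deployment would keep the counters in a store shared by all application workers and would also record each lockout for monitoring.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 5        # failed attempts tolerated inside the window before locking
WINDOW_SECONDS = 600    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long the account stays locked once the limit is hit


@dataclass
class LoginGuard:
    """Tracks failed logins per account and refuses the account while it is locked."""
    now: Callable[[], float] = time.time             # injectable clock, for tests
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        return self.now() < self.locked_until.get(user, 0.0)

    def attempt(self, user: str, password_ok: bool) -> str:
        """Return 'locked', 'denied' or 'ok'. The caller verifies the password itself."""
        t = self.now()
        if self.is_locked(user):
            return "locked"          # a correct guess during the lockout is still refused
        if password_ok:
            self.failures.pop(user, None)   # success clears the failure history
            return "ok"
        recent = [s for s in self.failures.get(user, []) if t - s < WINDOW_SECONDS]
        recent.append(t)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = t + LOCKOUT_SECONDS
            self.failures.pop(user, None)   # counter restarts after the lockout expires
            return "locked"
        return "denied"
```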

6.2 SQL injection attack

A SQL injection attack is a type of web application vulnerability that allows an
attacker to execute arbitrary SQL commands on a website's backend database by
exploiting flaws in user input validation. By leveraging these vulnerabilities, an
attacker can gain access to sensitive information, such as user login credentials or
other personally identifiable information.


To perform a SQL injection attack on the user ID and password fields of a website
using Burp Suite, the same approach was adopted to capture the login request using
Burp Suite's proxy functionality.

Similarly, we used Burp Suite's Intruder tool to modify the login request by inserting
malicious SQL commands into the user ID and password fields. This is done by
using Burp Suite to add a payload to the user ID and password fields, containing
SQL commands such as SELECT or UNION. The tool will systematically try each
combination of SQL commands in the payload list, sending a login request to the
website after each attempt as shown in Figure 6.5.

Figure 6.5: SQL commands

The SQL injection attack was unsuccessful, as the backend database did not execute
the SQL commands or return the requested information. This is likely because the
Django ORM parameterises queries, which provides protection against SQL injection.

6.3 Payment Tampering Attack

Payment Tampering is a type of web-based attack in which an attacker intercepts
and modifies a payment request before it is sent to the server in order to change the
amount being paid or to redirect the payment to a different account.


We used Burp Suite Proxy to intercept and modify the data being sent between the
client and the server. Upon clicking “PayPal”, as shown in Figures 6.6 and 6.7, we
observed that the total payment amount was intercepted and was the same as what
was presented on the earlier webpage, i.e. $259.

Figure 6.6: Checkout page showing total payment amount $259

Figure 6.7: Payment request intercepted by Burp Suite Proxy


As shown in Figure 6.8, we modified the total payment amount to $8.88 before
proceeding with the payment by forwarding the request to the server.

Figure 6.8: Modification of total payment amount to $8.88

Thereafter, we logged into our Developer PayPal account to complete the
transaction. As demonstrated and shown in Figure 6.9, we successfully modified the
total payment from $259 to $8.88.

Figure 6.9: Successful modification of total payment amount to $8.88
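The root cause of the result in Figure 6.9 is that the server trusted the amount carried in the client's request. As an added example (not the project's code), the handler below recomputes the order total from server-side cart state and treats any difference from the submitted amount as tampering; the cart contents, order id and the shape of the request are constructed to mirror the $259 checkout, and the PayPal call itself is left hypothetical.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side cart standing in for the $259 checkout in Figure 6.6
# (1 x 199.00 + 2 x 30.00). The live application would load this from the database.
CARTS = {"order-1001": [("Item A", Decimal("199.00"), 1), ("Item B", Decimal("30.00"), 2)]}


def order_total(order_id: str) -> Decimal:
    """Recompute the amount from the server's own cart, never from the request."""
    total = Decimal("0.00")
    for _name, unit_price, qty in CARTS[order_id]:
        if unit_price < 0 or qty <= 0:        # same rule the negativePrice test expects
            raise ValueError(f"invalid line item in {order_id}")
        total += unit_price * qty
    return total


def handle_payment(request: dict) -> dict:
    """Gate the PayPal call on a fresh recomputation; the client's amount is only evidence."""
    order_id = request.get("order_id", "")
    if order_id not in CARTS:
        return {"status": "rejected", "reason": "unknown order"}
    try:
        claimed = Decimal(request.get("amount", ""))
    except InvalidOperation:
        return {"status": "rejected", "reason": "amount is not a number"}
    expected = order_total(order_id)
    if claimed != expected:
        # Worth an alert, not just a 400: a legitimate client never sends a different figure.
        return {"status": "rejected", "reason": f"tampered amount {claimed}, expected {expected}"}
    # Hypothetical PayPal call would go here; the amount passed on is the server's figure.
    return {"status": "accepted", "order_id": order_id, "amount": expected}
```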
