Week 8 - Web Security

This week, NUS Greyhats came down to show us how to hack systems, namely web applications. They used bWAPP, an insecure web application, to demo the different attacks. We could also download bWAPP and follow along on our own laptops. Since Computer Security is one of my focus areas, I found this session interesting as I got to practically apply all the attacks I had learnt in theory during my security modules.

We looked at quite a few common web vulnerabilities, such as SQL Injection, Command Injection, Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR), Directory Traversal Attacks, Local File Inclusion, Cross-Site Request Forgery (CSRF) and Open Redirects. Although I had studied these vulnerabilities in theory, it was interesting to learn different instances of the same attack. For instance, although I was aware of SQL injections such as Boolean-based SQL attacks, I wasn't aware of how UNION-based SQL attacks work until today's lecture.

More importantly, we learnt how to defend our web applications against these vulnerabilities. Although most web frameworks come with built-in protections against these vulnerabilities, I realised that it is still important to implement an additional layer of security checks on both the client and server side, especially wherever user input is read in.

Prof Colin told us that our TAs will be hacking our systems live as we present our Final Project in class, which is definitely intimidating. But at the same time, I realise that it is important for our web application to be secure as users trust us with their sensitive information. I hope that our Final Project doesn't get hacked during our presentation and that we handle the vulnerabilities covered this week well in our application!