PS Cyber Security

Uploaded by

EiRsVi

PROBLEM STATEMENT

CYBERSECURITY

Any web service open to the internet is a potential target of malicious attacks, with motives
ranging from service disruption to data theft. Every company must ensure that its web assets
are adequately protected against such attacks.
The aim is to undertake a complete security audit of the given websites deployed on the web.
Use tools as necessary to check for vulnerabilities and software exploits that may be
present. Log the full process of the audit, including the tools and approaches used. Document all
findings in the format provided and submit it for project completion. Create a comprehensive
report covering all actions taken, as well as suggested improvements and patches to make the
system secure against future attacks.

TARGETS –
The systems to be audited are linked here:
https://ccgit.in
https://www.cloudcounselage.com
http://hkrb.hackxor.net
http://phonecorp.hackxor.net
http://hmrc.hackxor.net/login?redir=/
http://dreaded.hackxor.net
https://xss-game.appspot.com/level1/frame (no brute forcing)
http://temporal.hax.w3challs.com/administration.php (no brute forcing)
http://webcompany.hax.w3challs.com (no brute forcing)
http://w3news.hax.w3challs.com (no brute forcing)

CONSTRAINTS –

• All testing shall be done on the hosted instance, without downloading it locally.
• You are only authorized to work on the assets provided to you, linked above. Acting on any
other asset, service, or resource of the company is forbidden, while such actions on elements
not owned by the company are at your own risk.
• Do not brute force sites that are marked as such. That includes DoS attacks.
• The system is not to be worked upon after the Findings Document is submitted.

POINTS FOR THE AUDIT –

Check for the following criteria for the relevant sites:

• Were you required to establish appropriate passwords?
• Does the required strength of the password make it adequately secure?
• Is a process for creation of a retrievable backup and archiving critical information easily
detectable? Mention any such backdoors found.
• Are there any vulnerabilities enabling you to bypass or obtain authentication? Note if any.
• Is the website configuration attainable without admin login? Validate the server-browser, and
application-data integrations.
• Is the website susceptible to being manipulated in terms of functionality and/or content?
Describe how so.
• Is the website able to maintain performance under load?
• Does the site code follow proper conventions so that it functions properly in all environments?
Note any improper practices found.
• Does the site perform securely on multiple browsers and platforms? Note any vulnerabilities
found per platform.
• Is the site sufficiently secured from DoS and DDoS Attacks? Note any timeouts found which
may facilitate the attacks.
• Is the cache configuration secure, efficient on performance, and protected from access
without admin login?
• Is the site connection stable and not causing any drops? Note any cases discovered.
• Check if penetration testing, SQL injection testing and DDoS attacks are possible on these
websites. A checklist will be provided for these. Mention yes if possible and no if not possible.
• Write a Steganography program to encode the cryptic message “Cloud Counselage Internship
Program” in an image.

Apart from the above base criteria

POINTS FOR THE REPORT –

• Approach of overall audit.
• Tools used for the audit.
• Approach used per tool.
• Vulnerabilities found.
    o System Vulnerabilities (correctable)
    o Software Vulnerabilities (inherent to the software)
• Exploits used.
• Suggested software patches.
• Recommended system improvements.
