
Web Application Security Assessment

Tags: Nmap, Burp Suite, Nikto, CSRF, Enumeration, Web Security

A security assessment of a custom web application hosted on a Raspberry Pi server. The project evaluated common web vulnerabilities using industry-standard tools and manual testing to identify weaknesses, demonstrate exploitation techniques, and implement secure remediations.

Project Details

  • Course: CYB 240 Ethical Hacking and Penetration Testing
  • Type: Group Final Project
  • Team Members: Christina Alli, Ryan Convery, Kevin Hubbard
  • Environment: Raspberry Pi web server

Tools Used

Nmap for port and service enumeration, Burp Suite for request interception and payload testing, Nikto for web server vulnerability scanning, and custom scripts for automated enumeration and repeatable test cases.

Overview

The project focused on identifying vulnerabilities in a web application running on a Raspberry Pi server. Testing followed a structured penetration testing workflow including reconnaissance, vulnerability discovery, exploitation, and remediation.

Key Vulnerabilities

The assessment identified multiple security weaknesses, including email enumeration through inconsistent error responses and cross-site request forgery (CSRF) in application forms. Because the application returned a different error message for an unknown email address than for a wrong password, a tester could confirm valid user accounts one request at a time. The forms carried no anti-CSRF token, so a page on an attacker-controlled site could submit state-changing requests on behalf of any authenticated user whose browser sent the session cookie.

Remediation

Security fixes were implemented including CSRF tokens, standardized error messages to prevent user enumeration, improved input sanitization, and stronger request validation. Additional improvements such as rate limiting and improved authentication controls were recommended.
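The two findings above and their fixes, shown as an added example in plain Python rather than the project's own application code (the page does not include that code). The user store, session table, server secret and email addresses are constructed for the example; the login handlers model the "before" (distinct error messages) and "after" (one generic message, constant-time comparison) behaviour, the `enumerate_emails` function is the kind of tester-side oracle used to demonstrate the enumeration, and the CSRF token is an HMAC over a per-request nonce bound to the session ID, checked on every state-changing form submission.

```python
import hashlib
import hmac
import secrets

# --- Constructed data for the example (not the project's real users/sessions) ---
PBKDF2_ROUNDS = 50_000


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_ALICE_SALT = secrets.token_bytes(16)
USERS = {"alice@example.com": (_ALICE_SALT, _hash_pw("correct horse", _ALICE_SALT))}
# Dummy credential used when the email is unknown, so the fixed handler does
# the same amount of work (and gives the same answer) for every failure.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_pw("dummy", _DUMMY_SALT)

SESSIONS = {"sess-alice": "alice@example.com"}   # session cookie -> user
SECRET_KEY = secrets.token_bytes(32)              # per-deployment server secret


# --- Finding 1: email enumeration via inconsistent error responses ---
def login_vulnerable(email: str, password: str) -> tuple[int, str]:
    """'Before': the message reveals whether the email exists."""
    if email not in USERS:
        return 401, "Unknown email address"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "OK"


def login_fixed(email: str, password: str) -> tuple[int, str]:
    """'After': one generic message and a hash check on every path."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash_pw(password, salt), stored)
    if email not in USERS or not matches:
        return 401, "Invalid email or password"
    return 200, "OK"


def enumerate_emails(login, candidates: list[str]) -> list[str]:
    """Tester oracle: an address is 'valid' if its failure response differs
    from the baseline response for an address that certainly does not exist."""
    baseline = login("no-such-user-0000@example.invalid", "wrong")
    return [e for e in candidates if login(e, "wrong") != baseline]


# --- Finding 2: CSRF on state-changing forms ---
def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce); bound to the session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def change_email_vulnerable(session_id: str, form: dict) -> int:
    """'Before': a valid session cookie is the only check, so a form auto-submitted
    from an attacker's page (browser attaches the cookie) succeeds."""
    if session_id not in SESSIONS:
        return 403
    return 200


def change_email_fixed(session_id: str, form: dict) -> int:
    """'After': the form must also carry a token issued for this session."""
    if session_id not in SESSIONS:
        return 403
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200
```

The enumeration oracle compares the whole response tuple, not just the status code, because the original application differed in the message body while returning the same status; in a real engagement response length and timing are compared as well. The token is bound to the session ID so that a token harvested from the attacker's own session cannot be replayed against the victim's.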