Skip to content
/ Spring-Boot-Cyber-Security Public

Spring Boot application implementing Cyber Security countermeasures for typical vulnerabilities of modern web applications. Built using Java and JavaScript

3 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

barclayd/Spring-Boot-Cyber-Security

BranchesTags

Repository files navigation

Spring Boot Cyber Security

Motivation

Demonstration of typical security flaws in a web application and how to fix them:

  • Exception Handling/Information Leakage
  • Logging
  • HTTPS - HTTP vulnerability shown using Wireshark inspecting packet, fixed using HTTPS .jks file and RSA private key with a default signature algorithm of MD5.
  • SSL/TLS - enabled SSL connection on MySQL with OpenSSL
  • Database Sensitive Storage - storage of passwords with hash and salt
  • User Input Validation - prevent SQL injections or XSS
  • Custom Error Handling
  • Brute Force Attacks - repeated login attempts, vulnerability shown using Hydra - fixed using IP blocking function and Google Captcha

Brute Force attack can be shown by running the web app on a host machine and setting up a virtual machine Ubuntu 32bit using Hydra.

Tutorials to Demonstrate Cyber Security Vulnerability and Fixes

5 part walkthrough series hosted on YouTube:

Brute Force Attacks with Hydra - YouTube

Part 1

IMAGE ALT TEXT HERE

Part 2

IMAGE ALT TEXT HERE

Part 3

IMAGE ALT TEXT HERE

Part 4

IMAGE ALT TEXT HERE

Part 5

IMAGE ALT TEXT HERE

Demo

Hydra on VM successfully identifying username and password - based on a given username and a list of 10,000 random passwords

screenshot 2018-12-28 at 13 52 59

Code to implement Google Captcha and demonstration of IP blocking feature

screenshot 2018-12-28 at 13 53 23

Hydra no longer able to identify username and password after implentation of IP blocking and Google Chrome

screenshot 2018-12-28 at 13 53 44

Set-up and Run the Web App:

Open project in IntelliJ

Please ensure that Lombok annotation is installed and annotations are enabled.

If running of project via RunSpringBootApp does not work, please follow these steps:

$ git clone https://github.com/barclayd/Spring-Boot-Cyber-Security.git
Run Gradle Build
Gradle Boot Run

Setting up the Database:

Please run the MayDatabaseSchema.sql script found within the SQL folder. (/SQL/MayDatabaseSchema) This is version is specially designed to populate the database with sample data for testing to demonstrate security fixes. Please ensure that any login details that differ to: username: root password: comsc

are appropriately edited and replaced within application.properties.

How to view the Project:

Please navigate to https://localhost:8443/login

Please note, if you access the page on Chrome or Firefox, due to the HTTPS certificate being self-signed, you will see this warning message "Your connection is not private"

To view the web page, please follow the following steps:

  1. Click "Advanced"
  2. Click "Proceed to locahost:8443 (unsafe)"

You will now be able to view the webpage

Logging into the application:

Please user dummy accounts:

GP Login: Email: steve@gp.net Password: ronaldo

How to set-up VM

Create Ubuntu 32bit VM in image of SecVM-April Download a list of passwords and store in cd/Documents from Install Hydra using relevant commands supplied in report or Youtube tutorial

About

Spring Boot application implementing Cyber Security countermeasures for typical vulnerabilities of modern web applications. Built using Java and JavaScript

Topics

hydra cybersecurity brute-force-attacks

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages