Web Application Security Enhancement Final Assessment Group Project
Hamsa
- Mohd Faiz Hafizuddin bin Ahmad Yazi (2011837)
- Muhammad Zaidi bin Abdul Razak (1820833)
- Hani Arinah binti Hairul Azam (2019774)
- Hani Nursyamira binti Muhamat Halis (2016478)
Chillax Cafe
Improved version of Chillax Cafe web app with security features added onto the original web technologies class project.
Original owners are:
- ‘Abdul ‘Alim Zuhdi Bin Abdul Nasir
- Muhammad Zaidi Bin Abdul Razak
- Mohamad Faris Aiman Bin Mohd Faizal
- Muhammad Afif Danial Bin Mohd Zuhairi
- Muhammad Nur ‘Aizat Bin Zuzi
It is an e-commerce web app for a small coffee shop that was located in the heart of IIUM Gombak Campus and no longer exists.
- To authenticate and authorize valid users so that only they can place orders through the website.
- To prevent unauthorized access by implementing session management.
- To implement regex-based input validation to prevent SQL injection and XSS in the text boxes, especially on the login and register pages.
- To disable directory listing so that the file directory cannot be accessed by unauthorized users.
- To prevent CSRF by implementing an anti-CSRF token and secure session management.
- To create a safer environment for users to access and use the website.
| Enhancement | Assigned |
|---|---|
| login | syamira |
| register | hani |
| session cart | zaidi |
| review form | faiz |
Note: The initial task distribution was assigned by page or feature to be added, and includes adding the related security features.
Refer to the next section for clarification on which short-form name refers to whom, and for further detail on the authors of each enhancement.
The authors of the file additions/enhancements are enclosed in square brackets as follows:
- [faiz] refers to Mohd Faiz Hafizuddin
- [zaidi] refers to Muhammad Zaidi
- [hani] refers to Hani Arinah
- [syamira] refers to Hani Nursyamira
- Added user authorisation pages: register.php, login.php and auth.php
register.php [hani]
| Original | Enhanced |
|---|---|
| Register.php has not been developed yet | Add input validation using regex and create error messages in lines 1 - 82 of the code |
| | XSS prevention in lines 1 - 82 of the code |
| | Connect with the database in line 106 of the code |
| | SQL injection prevention in lines 105 - 130 of the code |
| | Create the registration form and include validation early in lines 152 - 179 of the code |
| | Display error messages in lines 157, 161, 165, 169 and 173 of the code |
| | Improving on the CSP in lines 181 & 182 of the code |
| | In lines 190 - 193 of the code, if there is no error, the user is registered |
| | Data redundancy prevention in lines 194 - 199 of the code |
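The following is an added example (not the project's register.php) of the three controls the table lists: whitelist regex validation with per-field error messages, a parameterised duplicate check and INSERT so user data never becomes part of the SQL string, and output encoding of the error text to prevent XSS. It assumes a PDO connection `$pdo` and a `users` table with `name`, `email` and `password_hash` columns; both the schema and the password policy are assumptions.

```php
<?php
// Added example, not the project's register.php.
// Assumptions: $pdo is an open PDO connection; table users(name, email, password_hash).

function validateRegistration(array $input): array
{
    $errors = [];
    $name  = trim($input['name'] ?? '');
    $email = trim($input['email'] ?? '');
    $pass  = $input['password'] ?? '';

    // Whitelist regex: letters, spaces, apostrophes and hyphens, 2-50 characters.
    if (!preg_match('/^[A-Za-z\' -]{2,50}$/', $name)) {
        $errors['name'] = 'Name may only contain letters, spaces, apostrophes and hyphens.';
    }
    // filter_var is more reliable than a hand-written e-mail regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    }
    // Assumed policy: 8-72 chars with lower case, upper case and a digit.
    if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,72}$/', $pass)) {
        $errors['password'] = 'Password needs 8+ characters with upper case, lower case and a digit.';
    }
    return $errors;
}

function registerUser(PDO $pdo, string $name, string $email, string $password): bool
{
    // Data redundancy prevention: refuse an e-mail that is already registered.
    $check = $pdo->prepare('SELECT 1 FROM users WHERE email = ? LIMIT 1');
    $check->execute([$email]);
    if ($check->fetchColumn() !== false) {
        return false;
    }
    // Parameterised INSERT: the values are bound, never concatenated into SQL.
    $stmt = $pdo->prepare('INSERT INTO users (name, email, password_hash) VALUES (?, ?, ?)');
    return $stmt->execute([$name, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Output encoding for anything echoed back into the page (XSS prevention).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateRegistration($_POST);
    if (!$errors) {
        $ok = registerUser($pdo, trim($_POST['name']), trim($_POST['email']), $_POST['password']);
        if (!$ok) {
            $errors['email'] = 'This e-mail is already registered.';
        }
    }
    foreach ($errors as $field => $msg) {
        echo '<p class="error">' . e($field) . ': ' . e($msg) . '</p>';
    }
}
```

Validation happens first and the database is only touched once every field has passed, so malformed input never reaches the query; even if it did, the prepared statement treats it as data.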
login.php [syamira]
| Original | Enhanced |
|---|---|
| Login.php has not been developed yet | Add input validation using regex and create error messages in lines 1 - 82 of the code |
| | session.php is implemented and included in all pages |
| | Connect with the database in line 3 of auth.php, where db.php is included |
| | SQL injection prevention in lines 8 - 11 of auth.php |
| | Create the login form and include validation early in lines 92 - 122 of login.php |
| | Function validation in lines 125 - 146 alerts the user if no email and password are entered |
| | In line 23 of auth.php, if there is an error, "Login failed! Please try again" is displayed |
auth.php [syamira]
| Original | Enhanced |
|---|---|
| auth.php has not been developed yet | Authn logic file for login.php, lines 1 - 19 |
| | Email passed in the session to mark the user as logged in, line 20 [zaidi] |
| | Cryptographically generated session id, lines 22 - 27 [zaidi] |
| | Anti-CSRF token generated, lines 29 - 38 [zaidi] |
The Anti-CSRF token is generated using HMAC (Hash-based Message Authentication Code), recommended by OWASP, with the secret key located in the .env file.
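As an added example (not the project's auth.php), the block below shows the login flow the auth.php table and the note above describe: a parameterised credential lookup, rotation of the session id on successful login, the e-mail stored in the session as the logged-in marker, and an anti-CSRF token built with HMAC-SHA256 from a secret read out of `.env`. The token follows the OWASP signed double-submit pattern, which binds a random value to the current session id so a token from one session is useless in another. The `CSRF_SECRET` variable name, the `.env` reader, the `users` schema and `$pdo` are assumptions.

```php
<?php
// Added example, not the project's auth.php.
// Assumptions: .env contains a line CSRF_SECRET=<long random value>; $pdo is an open
// PDO connection; table users(email, password_hash); session.php already called session_start().

function loadCsrfSecret(string $envPath = __DIR__ . '/.env'): string
{
    // Minimal KEY=VALUE reader; a real project would use a dotenv library.
    $lines = @file($envPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        if (strpos($line, 'CSRF_SECRET=') === 0) {
            return trim(substr($line, strlen('CSRF_SECRET=')), " \t\"'");
        }
    }
    throw new RuntimeException('CSRF_SECRET missing from .env');
}

// Token = HMAC(secret, sessionId ! random) . random
// The HMAC cannot be forged without the secret, and it only verifies for the
// session id it was issued under.
function generateCsrfToken(string $secret): string
{
    $random = bin2hex(random_bytes(32));                 // CSPRNG, 256 bits
    $mac    = hash_hmac('sha256', session_id() . '!' . $random, $secret);
    return $mac . '.' . $random;
}

function verifyCsrfToken(string $secret, string $token): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$mac, $random] = $parts;
    $expected = hash_hmac('sha256', session_id() . '!' . $random, $secret);
    return hash_equals($expected, $mac);                 // constant-time comparison
}

function login(PDO $pdo, string $email, string $password): bool
{
    // Parameterised query: the e-mail is bound, not concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;                                    // same failure path for unknown user and bad password
    }
    session_regenerate_id(true);                         // fresh, CSPRNG-backed session id; old one is deleted
    $_SESSION['email']      = $email;                    // marks this session as logged in
    $_SESSION['csrf_token'] = generateCsrfToken(loadCsrfSecret());
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($pdo, trim($_POST['email'] ?? ''), $_POST['password'] ?? '')) {
        header('Location: menu.php');
        exit;
    }
    echo 'Login failed! Please try again';
}
```

Regenerating the session id before storing the logged-in marker defeats session fixation, and generating the token after the regeneration means the HMAC is bound to the new id. Every state-changing form then carries `$_SESSION['csrf_token']` in a hidden field and the handler calls `verifyCsrfToken()` before doing anything.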
Added functionality to menu, order and review pages
menu.php [zaidi]
| Original | Enhanced |
|---|---|
| Only displays menu items | Add-to-cart buttons added below each menu item, e.g. at lines 64 - 66 |
| | Authorization: only logged-in users can add to the cart, logic in lines 7 - 10 |
| | Passing cart items using the session, lines 12 - 35 |
order.php [zaidi]
| Original | Enhanced |
|---|---|
| Only displays Google Forms to order | Print the cart from the session in a loop at lines 34 - 41 |
| | Total price calculation in lines 4 - 10 |
| | CSRF token check to ensure only valid logged-in users can finalize the transaction, lines 49 - 63 |
| | Clear the cart by unsetting the session in clear_cart.php, lines 67 - 69 |
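The block below is an added example (not the project's menu.php, order.php or clear_cart.php) covering both the menu and order tables: the logged-in check before the cart can be used, cart items kept in the session, the total computed from server-side prices, the CSRF token check before an order is finalised, and clearing the cart with `unset`. It assumes session.php has started the session, that a login stored `$_SESSION['email']` and `$_SESSION['csrf_token']`, and the `$menu` array is constructed sample data standing in for the real menu table.

```php
<?php
// Added example, not the project's menu.php / order.php / clear_cart.php.
// Assumptions: session already started; $_SESSION['email'] and $_SESSION['csrf_token']
// were set at login. $menu is constructed sample data, not the real menu.

$menu = [
    1 => ['name' => 'Americano', 'price' => 6.50],
    2 => ['name' => 'Latte',     'price' => 8.00],
];

function requireLogin(): void
{
    // Authorization: guests are sent to the login page before touching the cart.
    if (empty($_SESSION['email'])) {
        header('Location: login.php');
        exit;
    }
}

function addToCart(array $menu, int $itemId, int $qty): void
{
    // Reject unknown item ids and unreasonable quantities (limit is an assumption).
    if (!isset($menu[$itemId]) || $qty < 1 || $qty > 20) {
        return;
    }
    $_SESSION['cart'][$itemId] = ($_SESSION['cart'][$itemId] ?? 0) + $qty;
}

function cartTotal(array $menu, array $cart): float
{
    $total = 0.0;
    foreach ($cart as $itemId => $qty) {
        if (!isset($menu[$itemId])) {
            continue;
        }
        // Price always comes from the server-side menu, never from the client.
        $total += $menu[$itemId]['price'] * $qty;
    }
    return round($total, 2);
}

function clearCart(): void
{
    unset($_SESSION['cart']);          // what clear_cart.php does
}

function csrfTokenIsValid(string $sent): bool
{
    $issued = $_SESSION['csrf_token'] ?? '';
    // Both must be non-empty: hash_equals('', '') would be true.
    return $issued !== '' && $sent !== '' && hash_equals($issued, $sent);
}

requireLogin();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    if (isset($_POST['add'])) {
        addToCart($menu, (int) $_POST['add'], (int) ($_POST['qty'] ?? 1));
    } elseif (isset($_POST['checkout'])) {
        $total = cartTotal($menu, $_SESSION['cart'] ?? []);
        // ... persist the order here ...
        clearCart();
        echo 'Order placed, total RM ' . number_format($total, 2);
    }
}

// Every state-changing form carries the session's token as a hidden field.
$token = htmlspecialchars($_SESSION['csrf_token'] ?? '', ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button name="checkout" value="1">Place order</button></form>';
```

Two details matter for the CSRF check: the token is compared with `hash_equals` so the comparison does not leak timing information, and an empty issued token is rejected outright, since `hash_equals` would otherwise accept an empty submitted token against a session that never received one.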
review.php [faiz]
| Original | Enhanced |
|---|---|
| Only displays a static HTML page | Add a form so the user can submit a review by entering their name, rating and review details |
| The reviews from users are hardcoded | Reviews submitted by users are automatically published |
| Displays the reviews by the users | Implement regex to sanitize the input |
reviewsubmit.php [faiz]
| Original | Enhanced |
|---|---|
| reviewsubmit.php did not exist | Add reviewsubmit.php to sanitize the input from users |
| | Implement input sanitization on the server side |
| | Submit the review to the database with regex |
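Because submitted reviews are published automatically and then displayed to every visitor, the review form is where stored XSS would land. The added example below (not the project's reviewsubmit.php or review.php) shows the two halves that keep it safe: server-side validation of name, rating and text before the parameterised INSERT, and HTML encoding when a stored review is rendered, so any markup typed into the text box is shown literally instead of interpreted. It assumes `$pdo` and a `reviews` table with `name`, `rating` and `review` columns (assumed schema).

```php
<?php
// Added example, not the project's reviewsubmit.php / review.php.
// Assumptions: $pdo is an open PDO connection; table reviews(name, rating, review).

function validateReview(array $in): array
{
    $errors = [];
    $name   = trim($in['name'] ?? '');
    $rating = $in['rating'] ?? '';
    $review = trim($in['review'] ?? '');

    // Unicode-aware whitelist: letters, spaces, dots, apostrophes, hyphens; 2-50 chars.
    if (!preg_match('/^[\p{L} .\'-]{2,50}$/u', $name)) {
        $errors['name'] = 'Name: 2-50 letters, spaces, dots, apostrophes or hyphens.';
    }
    // Rating must be a whole number 1..5; "5abc" and "5.5" are rejected.
    $opts = ['options' => ['min_range' => 1, 'max_range' => 5]];
    if (filter_var($rating, FILTER_VALIDATE_INT, $opts) === false) {
        $errors['rating'] = 'Rating must be a whole number from 1 to 5.';
    }
    // Free text gets a length limit rather than a character whitelist.
    if ($review === '' || mb_strlen($review) > 500) {
        $errors['review'] = 'Review must be 1-500 characters.';
    }
    return $errors;
}

function saveReview(PDO $pdo, string $name, int $rating, string $review): bool
{
    // The prepared statement keeps the text as data whatever quotes it contains.
    $stmt = $pdo->prepare('INSERT INTO reviews (name, rating, review) VALUES (?, ?, ?)');
    return $stmt->execute([$name, $rating, $review]);
}

// Encoding at output time is what stops a stored review from running as HTML.
function renderReview(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="review"><strong>' . $e($row['name']) . '</strong> '
         . str_repeat('&#9733;', (int) $row['rating'])
         . '<p>' . $e($row['review']) . '</p></div>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateReview($_POST);
    if (!$errors) {
        saveReview($pdo, trim($_POST['name']), (int) $_POST['rating'], trim($_POST['review']));
        header('Location: review.php');          // redirect after POST: no resubmission on refresh
        exit;
    }
    foreach ($errors as $msg) {
        echo '<p class="error">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}

// Listing page: every stored row goes through renderReview().
$rows = $pdo->query('SELECT name, rating, review FROM reviews ORDER BY id DESC')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo renderReview($row);
}
```

Input validation limits what gets stored, but it is the `htmlspecialchars` call at render time that actually neutralises markup in the review body; relying on a regex alone for free text would either block legitimate punctuation or miss an encoding the regex did not anticipate.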
Added session management. The session.php file also acts as the header file.
session.php [zaidi]
| Original | Enhanced |
|---|---|
| session.php has not been developed yet | Included in every page to pass session variables and act as the header |
| | Absolute session timeout in line 2 of the code |
| | Calls the session in line 3 |
| | Included a general CSP for all pages in line 5 |
| | Strict-Transport-Security, which forces the browser to use HTTPS, in line 6 |
| | Prevent MIME sniffing, which can translate into XSS attacks, in line 7 |
| | Same-origin referrer policy to protect user privacy when making requests to other websites, in line 8 |
| | XSS filtering that prevents rendering the page if an attack is detected, in line 9 |
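An added example (not the project's session.php or logout.php) of a header file that does what the table lists: an absolute session lifetime, starting the session with hardened cookie flags, the five response headers, and a `destroySession()` helper that logout.php can call. The 30-minute lifetime, the cookie settings and the `default-src 'self'` CSP are assumed values standing in for the project's own; the real policy is not reproduced here.

```php
<?php
// Added example, not the project's session.php / logout.php.
// Assumed values: 30-minute absolute lifetime, same-origin-only CSP.

const SESSION_MAX_LIFETIME = 30 * 60;   // absolute timeout in seconds

// Wipe the session data, expire the cookie, destroy the server-side store.
// logout.php does exactly this; the timeout below reuses it.
function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function startHardenedSession(): void
{
    // Cookie flags: not readable by JavaScript, HTTPS-only, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse session ids the server never issued
    session_start();

    // Absolute timeout: counted from when the session was created, not from the
    // last request, so a stolen session expires even if it is kept busy.
    if (isset($_SESSION['created_at']) && time() - $_SESSION['created_at'] > SESSION_MAX_LIFETIME) {
        destroySession();
        header('Location: login.php?expired=1');
        exit;
    }
    $_SESSION['created_at'] ??= time();
}

function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");  // general CSP
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');       // force HTTPS
    header('X-Content-Type-Options: nosniff');                                       // no MIME sniffing
    header('Referrer-Policy: same-origin');                                          // referrer only to own origin
    header('X-XSS-Protection: 1; mode=block');                                       // legacy XSS filter, as in the table
}

sendSecurityHeaders();   // headers must go out before any page output
startHardenedSession();
```

`session_set_cookie_params()` and `ini_set('session.use_strict_mode', ...)` only take effect when called before `session_start()`, which is why the order inside `startHardenedSession()` matters. One caveat on the last header: current browsers ignore `X-XSS-Protection`, and the OWASP headers cheat sheet now recommends setting it to `0` or omitting it in favour of a strong CSP; it is kept here only because the table lists it.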
Added logout.php, which destroys the session [zaidi]
Included the database connection in db.php with a custom username & password [hani]
Disabled directory listing by removing `Indexes` from the `Options Indexes FollowSymLinks Includes ExecCGI` line in httpd.conf [hani][syamira]
Prevent robots/indexers from crawling certain files (the secret key .env file) and folders with robots.txt [zaidi]. Note that robots.txt is advisory and is itself publicly readable: it keeps well-behaved crawlers from indexing the file but does not block access to it, so the .env file must also be denied at the web server level or kept outside the web root.
URL shortening is implemented by creating a .htaccess file in htdocs to prevent any URL rewriting that could let attackers make changes to the folders. [hani][syamira]
.htaccess file is shown below:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://infosec.mozilla.org/guidelines/web_security
- https://cheatsheetseries.owasp.org/cheatsheets
- Webappsec class handouts from our course instructor: Dr. Muhamad Sadry Abu Seman, DIS, KICT, IIUM