TEO JIA XIN

Executive summary/Abstract

Over the past few weeks, I have learnt more about web application vulnerabilities, how they can be exploited, and how they can be mitigated.

Record of activities done

Over the November-December holiday, we had to self-learn and read up on SQL, HTML and JS. In addition, we had to read Chapters 0-3 of OWASP Testing Guide 4.0 to learn more about web security.

During our attachment, we began by researching about each entry in the OWASP Top 10 list, and took note of the details. Then, to have a better understanding of how each vulnerability can be exploited, we attempted the exercises on WebGoat. When we could not solve the exercises, we tried to search online for the answers (Github), and understand why they worked. Some of the exercises were more challenging, so we sought help from our mentors. After getting a sensing of the difficulty of each vulnerability and meeting with our mentors, we decided to research on vulnerabilities that were less technical, and compiled our findings in the form of a presentation and a report. I decided to research on Broken Access Control (BAC), 5th on the list of 2017 OWASP Top 10.

Deliverables

The final deliverables were as follows:

1. Presentation on selected OWASP Top 10 vulnerability; sharing on our experience as interns to DSTA EIT staff and other interns. The 5 minute presentation consisted of the following:
   • Self introduction: Introduced myself, and explained why I decided to have an attachment in DSTA
   • Introduction to selected OWASP Top 10 vulnerability (Broken Access Control)
   • Real world examples of BAC
   • How BAC works
   • Measures that can be implemented to mitigate BAC
   • After the individual presentations, we shared about our attachment experience alongside the other interns.
2. WOW! daily logs, final reflection log, Wiki entry, report

Due to time constraints, we could not present all the findings we had in the aforementioned presentation. Hence, we consolidated them into a report. In addition, we also noted down our daily tasks in our daily logs, and reflected on the whole attachment experience in the final reflection log.

Presentation

Report

3 content knowledge / skills learnt

1. I learnt more about web application vulnerabilities, more specifically about Broken Access Control, how attackers can exploit it, what it entails for normal users like us, and how it can be mitigated to prevent brute force attacks. Having Broken Access Control means that when there is insufficient enforcement of restrictions, users who want to carry out attacks might be able to escalate privileges, access administrator accounts and have admin-exclusive privileges. As a result, they can change information, commit other malicious acts, or even deny the original admins from accessing the server. This loophole allows attackers to access important places such as API endpoints which aid in the communication of important information. Multiple measures could be implemented to make it harder for attackers to escalate privileges. For instance, an access control matrix could be used to list out what privileges each type of user can have. In addition, web developers should let their applications undergo rigorous penetration testing, whereby one uses brute force to try escalating privileges and access different paths/directories. This made me realise the importance of having good cybersecurity practices. As users, we may not have a complete understanding of web applications, but what we can do to prevent data breaches from happening easily is to have good online habits. For instance, one can set secure passwords, and log out of his/her account after each session.
2. I learnt how to carry out independent learning on a topic that is totally foreign to me. Although we have been constantly exposed to bits of independent learning in school, this was the first time that I had to carry out independent research into a topic that I have little prior knowledge about. Before I signed up for the attachment, I did not have much programming knowledge, and had to learn how to code over the holidays using platforms such as w3schools and Codecademy. After knowing the basics, I could better understand how the code is implemented in web applications to perform certain functions, such as collecting user input for his/her username and password for login. However, there were still many instances where I did not understand the logic of the code or did not know certain keywords, and had to do more research online to figure it out. I realised that in the process of learning something new, it is important to constantly track and consolidate what I have learnt, be it in the form of handwritten notes or a report saved online. This is so that I can always review what I have learnt, and fix any misconceptions that I have.
3. Through the attachment, I realised the importance of honing my interpersonal skills. In the process of learning more about web applications and their vulnerabilities, there were many instances where I had questions, but did not know how to reason out my thoughts and ask them in a logical manner. Thankfully, my partner helped me in doing so, and over the course of the attachment, I tried to ask more coherent questions. Not only that, I realised that it is important to have a strong work ethic, so that one can work well with others and contribute to the work being done. Instances of having good work ethic include being consistent in doing quality work, observing deadlines, and actively listening to other people’s opinions.

2 interesting aspects of your learning

1. Using WebGoat to learn more about web app vulnerabilities was something that I found really interesting. WebGoat is a web application that is made insecure on purpose, for beginners like us to understand the importance of keeping web applications secure. When doing the exercises on WebGoat, we had to put ourselves in the shoes of an attacker keen on doing malicious acts to the application. Although some exercises were challenging, with the help of hints and intense discussions, we managed to solve them, which gave us a sense of achievement!
2. In the process of learning the concepts behind how web applications work and how its security can be compromised, we each had a lot of questions and asked each other about them. It was through intense exchanges of questions did we realise we needed additional research about the terminologies/concepts. We would then turn to our own laptops, do more research, discuss our findings and summarise what we understood. The process was interesting, as both of us learnt immensely by realising the gaps in our understanding of the subject matter at hand.

1 takeaway for life

Through this attachment, we realised that it is very important to appreciate the value of learning, and enjoy the process of it. As people who love learning new things, it was really fulfilling learning about web application vulnerabilities, something which we knew little about beforehand. Although there were some difficulties during the process of understanding concepts that are harder to grasp, when we eventually managed to understand it, the sense of achievement is something which we really treasure. There were also times at which we felt like giving up from having to search up all the technical terms and do further research on them, but it was really our desire to learn that kept us going. In summary, we really enjoyed our attachment at DSTA, and would strongly recommend it to juniors who love learning new things!