Jack Smith
Registration number 100178077
2019
Ethical Hacking Trainer
Supervised by Dr Oliver Buckley
University of East Anglia
Faculty of Science
School of Computing Sciences
Abstract
This report details the process of planning and creating an ethical hacking trainer website. The aim of the project is to educate people about the role of the ethical hacker and teach the basic skills required to test a website for vulnerabilities. The website will contain tutorials that teach ethical hacking techniques, a demonstration website upon which users can practice hacking, and a library of law summaries so users can learn how the law contends with cybercrime and ethical hacking. This report covers the design and implementation of the website along with an evaluation of the outcome.
Acknowledgements
I would like to thank my project supervisor Dr Oliver Buckley for his support over
the duration of the project. I also thank Dr Paul Bernal for helping me understand the
laws I reference in the project and the advice he gave regarding the legal standing of this work. Finally, I would like to thank my fiancée Philippa Higgins for her constant support throughout the project and my entire 3 years at UEA.
CMP-6013Y
Contents
1. Introduction 6
2. Project Description 6
2.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Project Outline 7
3.1. Aim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Literature Review & Background Research 8
4.1. What is Ethical Hacking . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. Teaching To Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3. Ethics and Morality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.4. Cyber Kill Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.5. Similar Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5. Project Design & Planning 16
5.1. Architecture and Environment . . . . . . . . . . . . . . . . . . . . . . 16
5.2. Time Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3. Requirement Specification . . . . . . . . . . . . . . . . . . . . . . . . 18
5.4. Navigation and Site Map . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.4.1. Site Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.4.2. Wire Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.5. Branding and Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.5.1. Branding Scheme . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.6. Database Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.6.1. Entity Relationship Diagram . . . . . . . . . . . . . . . . . . . 21
6. Implementation 22
6.1. Implementation Decisions . . . . . . . . . . . . . . . . . . . . . . . . 22
Reg: 100178077 iii
6.2. Website Features and User Interaction . . . . . . . . . . . . . . . . . . 24
6.2.1. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.2.2. Homepage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.2.3. Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.2.4. Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.2.5. SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.2.6. Cross Site Scripting (XSS) . . . . . . . . . . . . . . . . . . . . 26
6.2.7. Database Implementation . . . . . . . . . . . . . . . . . . . . . 26
6.2.8. Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.2.9. SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.2.10. Cross Site Scripting Tutorial . . . . . . . . . . . . . . . . . . . 33
6.2.11. Internet Law . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.2.12. About Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.2.13. FAQ Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.3. Technical Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
7. Testing and Usability 41
7.1. Unit & Integration Testing . . . . . . . . . . . . . . . . . . . . . . . . 41
7.2. Black Box Validation Testing . . . . . . . . . . . . . . . . . . . . . . . 42
8. Evaluation 43
8.1. Outcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
8.2. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
9. Conclusion 45
References 46
A. Gantt Chart 49
B. Similar Systems Matrix 51
C. Wire Frame Designs 52
1. Introduction
This report outlines what the project is and how I have completed this task. It looks
at similar and related work to establish the field the project resides within. The report
then covers the design phase of the project, providing the initial designs of the website
and the requirement specification for the project. The implementation stage is then
discussed, detailing how each page and function of the project was implemented, with
examples of the code used to generate specific functionality requirements. Finally, the
report provides insight into how the website was tested and an evaluation of the overall
result of the project.
2. Project Description
2.1. Introduction
With more and more aspects of everyday life becoming automated and thrust into the
online world, it becomes increasingly important to develop and ensure cybersecurity.
One of the most effective ways of keeping on top of cybersecurity is the use of ethical
(white hat) hackers. These hackers operate by hacking into a client’s system and reporting any vulnerabilities they find. In some cases, they are then recruited by the client to help fix these vulnerabilities to prevent black hat hackers from gaining access to sensitive and critical data. Although similar products exist, it is rare to find a site that both teaches and allows for the practice of these techniques. The purpose of this project is to create a site that will teach users the fundamental skills required to carry out basic ethical hacking techniques, whilst providing users with a summary of the laws that surround hacking to help them learn and improve in a safe and legal way.
3. Project Outline
3.1. Aim
Develop a web-based application that users can visit to learn and practice ethical hacking techniques. The aim of developing such a site is to raise awareness of ethical hacking and the role it plays in cybersecurity. By teaching people the basic techniques used by ethical hackers on an easy-to-use site, people may be able to take action to defend their own websites and data.
3.2. Objectives
• Complete a literature search and review of any similar sites that already exist and
the resources I intend to use in this project.
Investigating the current processes and controls in place, as well as taking on board the opinions and findings of academics within this field, will help ensure the project covers the appropriate areas of ethical hacking. The literature review will cover many topics that are at the core of the project, from the ethics of teaching people how to hack to assessing the key frameworks that describe the hacking process. An assessment of similar sites will outline the requirements for the project whilst identifying gaps and opportunities for improvement in the field.
• Develop the front-end of the website. This includes the homepage, about page and
the foundations for the tutorial pages to be introduced in a series of deliverables.
Delivering the website in modules will allow the website to be installed and tested
in compartments, making it easier to make changes and improvements at any stage
of the project. Adopting an agile approach to the project has the benefit of making
the project more flexible and manageable.
• Integrate a tutorial for each hacking technique the website will teach. These include: Reconnaissance, SQL Injection attacks and Cross-Site Scripting.
These tutorials need to be as simple as possible to accommodate users of all levels of experience. They will focus on the basics of each technique but offer some more advanced methods for high-level users. They will closely relate to the Demonstration site to allow users to practice their knowledge.
• Develop the database for the back-end of the website. This database will hold fake data that the users will be able to gain access to by practising the hacking techniques they learn on the site.
Creating a simple and easy-to-use Demonstration site that is linked to an exploitable database will allow users of the site to practise the techniques they have been taught.
• Evaluate the effectiveness of the site’s ability to teach users key hacking principles.
Carry out user tests and gather feedback about how helpful the site is at teaching
users from different levels. The feedback from the users will help compare the
project to existing sites and suggest improvements that could be made.
4. Literature Review & Background Research
4.1. What is Ethical Hacking
To investigate what is actually meant by ’Ethical Hacking’, I must first understand what is meant by the term ’Hacker’. Throughout recent decades, the definition of ’hacker’ has changed drastically. When the term hacker first came into use, it referred to an individual who had high technical knowledge of computers or somebody who was seen as a computer enthusiast (Porter, 2016). As time went on, people started associating the term ’hacker’ with people who used their vast computing knowledge to commit crimes and disrupt society. The film War Games, released in 1983, is an example of how hacking culture among teens increased in the 80s; this can be linked with an increase in computer-related crime (Schulte, 2013). Today, a hacker is seen as a criminal who uses computers to commit crimes such as theft and fraud. Ironically, one of the best ways to combat hackers is with hackers themselves. We currently call the people helping defend systems ethical hackers in an attempt to differentiate between those using their expertise maliciously and those using it with good intent, despite the fact they generally use the same techniques and skills (Patil et al., 2017).
So what is an ethical hacker? Patil et al. say ethical hackers are more formally referred to as penetration testers. Their role is to use the same "tools, tricks and techniques that hackers use, but with one major difference that Ethical Hacking is legal." [(Patil et al., 2017), Page 1]. This is the common difference that divides hackers and ethical hackers. This is supported in a paper titled ’Ethical hacking and penetration testing using raspberry PI’ (Yevdokymenko et al., 2017). The paper details the four levels of penetration testing when attacking a network; those stages are: Reconnaissance, Vulnerability Scanning, Exploitation and Maintain Access. The paper goes on to explain how this is the same approach used by hackers (Yevdokymenko et al., 2017). Simpson uses the old adage "You’re only as secure as your weakest link" to explain why ethical hacking is important in securing your network [(Simpson, 2012), Page 1]. This is supported by Wang and Yang, who state "Hands-on ethical hacking and network defense has become an essential component in teaching cybersecurity effectively." [(Wang and Yang, 2017), Page 1].
Going forward I will relate the term ethical hacker to somebody who has the skills
and knowledge similar to that of a hacker but who is operating with authorisation and
within the law.
4.2. Teaching To Hack
The primary focus of my project is to teach users the skills needed to practice basic
ethical hacking. In ’Ethical Hacking Pedagogy: An Analysis and Overview of Teaching
Students to Hack’ by Regina D. Hartley, Hartley explores not only what is meant by
ethical hacking but why it is taught and argues the positives and negatives of teaching to
hack [(Hartley, 2015)]. Hartley explains "an increasing number of researchers feel that
it is important that computer administrators have comparable knowledge and skills as
the attackers." [(Hartley, 2015), Page 96].
Furthermore, Hartley discusses how it is critical that security professionals learn ethical hacking practices so they are able to keep up with methods deployed by black hat hackers. Hartley says "Future information security professionals would be better equipped to combat intrusions if equipped with the knowledge and skill sets currently used by attackers" [(Hartley, 2015), Page 95].
This paper provides good reasoning and context behind teaching ethical hacking, which justifies the need for projects like this. Developing this ethical hacking trainer will help combat black hat hackers by equipping its users, the general public, with the knowledge of how such attacks are carried out. This project will therefore contribute to the fight against cyber-crime on two fronts. The first is the provision of knowledge and awareness of the black hat hacker’s capabilities, helping people build walls and defences to prevent attacks and data breaches. Secondly, the project will help teach the basics to a new generation of white hat hackers, with the overall objective of getting more people into cybersecurity.
Hartley’s views are similar to the majority of information security professionals;
Pashel advises that the ability to carry out attacks helps professionals identify vulner-
abilities within computer systems and can assist them in preventing attacks. He later
states ethical hacking may be deemed a crucial element in a security program (Pashel,
2006).
This is supported by Ronald E. Pike’s ’The “Ethics” of Teaching Ethical Hacking’, which agrees that it is important to teach students the ability to hack under ethical license but argues that unless this is done correctly, it can lead students down a dark path into black hat hacking (Pike, 2013). Pike investigates how multiple field experts feel students could be encouraged to stay on the right side of the law, going on to identify four areas that can be critical in ensuring students are enthusiastic to practice hacking ethically.
The first of these four areas is ’Social Interaction’. Pike discusses how hackers on
either side of the law like to operate within communities and small teams. For example,
there are white hat groups such as ECSG (European Cyber Security Group) while black
hat groups such as Anonymous also exist. Pike then notes that it’s common for white
hat groups to form frameworks or guidelines for their members to operate in. These
guidelines can be vital to help new students and members work ethically. Working in
groups adds a sense of belonging and social pressure, thus meaning members are less
likely to commit crimes as they fear being kicked out or shamed by their peers.
Pike identifies ’Competition’ as another important area. Across the industry, both professionally and academically, hacking competitions or ’Hackathons’ are held frequently. At these events hundreds of hackers compete to complete tasks as quickly or efficiently as possible (Pike, 2013). Competition in this context can be healthy as it encourages competitors to learn and improve their skills in an informal but challenging environment. When combined with social interaction, hackers may strive to be the best in their group. All tasks are within the law and practice ethical hacking procedures. Competitions like this help hackers improve their technical skills and also their social and demonstrative skills; it is common for head-hunters of ethical hacking and technology companies to use these events as recruitment opportunities (Pike, 2013). The idea of using competition to help educate ethical hackers is also explored in ’Building an Ethical Hacking Site for Learning and Student Engagement’, where M. Lehrfeld agrees it can be key in helping aspiring ethical hackers gain the skills they need (Lehrfeld and Guest, 2016).
4.3. Ethics and Morality
Although it may be legal to teach and practice ethical hacking, there are still concerns as to whether it is morally correct. The question commonly asked is, what makes it ethical? Olson asks why it needs the word ’ethical’ in front of it (Olson, 2012). This is quite a controversial topic that has arguments on both sides. Trabelsi and Ibrahim argue that teaching ethical hacking techniques has become necessary within the computer security curriculum as it yields better results than curriculums that only teach defence techniques (Trabelsi and Ibrahim, 2013). The demand for skilled individuals with the ability to perform such techniques is also discussed by Lehrfeld and Guest in a paper where they built a website similar to the one in this project (Lehrfeld and Guest, 2016). On their site, students are encouraged to take part in a capture-the-flag style game where they earn points for completing different hacking challenges on the site. They discuss the ethical dangers of teaching and encouraging hacking techniques but argue it is what is needed to improve the cyber-security industry (Lehrfeld and Guest, 2016). The same thing is argued by Simpson in ’Hands-On Ethical Hacking and Network Defense’ (Simpson, 2012).
There is the worry, expressed by Pike, that ethical hackers may decide they could earn more by becoming criminals (Pike, 2013). Pike also argues that the ethical element of ethical hacking should be taught as seriously as the hacking itself to try and promote legal and moral behaviour in students. Contrary to these concerns, one of the main sources of ethical hackers is former criminal hackers who have since reformed. An example of this is Nicholas Allegra, a computer hacker who accessed code behind Google’s web application and leaked information about Google+. When Google discovered this, instead of prosecuting him, they hired him (Ohlhorst, 2019).
4.4. Cyber Kill Chain
The Cyber Kill Chain Model developed by Lockheed Martin is widely regarded as the best model of the cyber-attack process across the cybersecurity industry. The Cyber Kill Chain Model breaks down the events of an attack into 7 stages. These stages closely follow the shape of a military kill chain model. Examining this framework is useful to the project as it details the steps ethical hackers need to be wary of and explores methods to avoid data breaches. Below is a breakdown of each of these steps, how they are matched by other frameworks, what controls are in place to execute them and what lessons the project can learn from them.
1. Reconnaissance
This stage is about intelligence gathering on a target. Before an adversary launches an attack on their target, they must first study the target’s behaviour. In relation to a computer system, this would include techniques such as testing the system’s error handling, learning its architecture and searching for vulnerabilities that can be exploited. During this stage the attacker would want to remain undetected; this is the first opportunity the target has to defend itself. As Hospelhorn explains in a blog titled ’What is The Cyber Kill Chain and How to Use it Effectively’, reconnaissance is the first step in any form of heist (Hospelhorn, 2018). Hospelhorn goes on to explore a few ways in which a company may detect reconnaissance on their website.
Monitoring network traffic and flagging any suspicious activity on the network is a basic but effective method a company could deploy. This could be done by keeping a log of all IP addresses that visit the site and checking them against a list of known criminal addresses. Placing alarms on vulnerable areas of a website that are triggered when they meet some threshold of activity would help detect common attacks such as SQL injection and XSS. The use of VPNs for inter-company communication can also reduce the attack surface of the system. Finally, Hospelhorn mentions the monitoring of proxies, as this is another common technique used by hackers (Hospelhorn, 2018). Proxy servers could also be used by a company to abstract a system’s functionality, again reducing the overall attack surface. This builds on what Lockheed Martin recommend in a guide called ’Gaining the Advantage’, where Lockheed Martin suggests defenders should build detections for browsing behaviour that is unique to reconnaissance (Lockheed-Martin, 2015).
2. Weaponization
This stage describes the process of creating code and/or malware to exploit a vulnerability in the system. In terms of the techniques taught in this project, this would include developing an SQL statement to be injected or writing a JavaScript function to perform some action on the site. This stage requires knowledge of the system; therefore preventing the reconnaissance would prevent the attacker from weaponizing a vulnerability.
As discussed in Lockheed Martin’s guide to applying the Cyber Kill Chain (Lockheed-Martin, 2015), there are multiple tactics that could be used by a defender in this stage. Firstly, collecting all files and meta-data related to an incident or piece of malware would be beneficial as it could be used for future analysis. The principle here is to look at previous incidents to help find trends and patterns that could be used to detect weaponizer toolkits in the future.
3. Delivery
The delivery stage focuses on how an attacker may deploy the malware or attack onto the target system. This could be done physically through USB (Universal Serial Bus) sticks, remotely through a web server, or through other attacks such as a phishing email. An example of this would be the execution of SQL or JavaScript code on an unprotected form on a website; this is something that will be taught in the project. In terms of preventing it, a defender may deploy software that catches such attempts before they are able to access the system. In terms of SQL injection, as discussed in ’Detecting and Preventing SQL Injection Attack: A Formal Approach’, a defender could use software such as SQLMAP to detect any vulnerabilities and exploit them (Qbea’h et al., 2016). This software is frequently used by ethical hackers to perform penetration tests on a website (Qbea’h et al., 2016).
4. Exploitation
During this stage, the attacker could use the delivered payload to exploit some vulnerability in a system. This could be the activation of malware through the clicking of a link or email attachment. Other exploitations may focus on the software, hardware or human vulnerabilities of a system. An attacker may do this by using something called a zero day exploit. A zero day vulnerability is a security flaw in software that was probably introduced during the development of a system and has since gone unnoticed. These occur when non-core functionality is built into a system, meaning there is potentially erroneous code that is never discovered and therefore never patched. This can create a back-door or weakness an attacker could exploit.
When it comes to preventing this, there are a few controls and practices that are used in companies today. One highly exercised practice is user awareness training and email testing for employees. It is argued that training can be helpful in making employees aware of the security consequences associated with their daily actions, but unless there is a healthy security culture within an organisation, this training ultimately fails. Chia et al. explore the security culture within two organisations, drafting improvements based on their comparison (Chia et al., 2002). This paper helps prove the requirement for ethical hacking as it explains that having technically skilled staff can help promote a positive security culture within the workplace.
5. Installation
The installation stage describes how an attacker may install malware into a system to do further damage or provide a gateway for other attacks (Lockheed-Martin, 2015). The installation of malware is often buried within another attack such as a Distributed Denial of Service (DDOS) or SQL injection attack. When installing malware into the system, the attacker will usually seek to install some kind of back-door to allow them to extract data even after the attack is over. The project will teach users how to insert scripts into a database by using a stored Cross-Site Scripting technique. This is a technique that is commonly used to run scripts on unaware users. Harkins and Freed discuss how ransomware such as ’WannaCry’ installs itself across a network and can be used to plague healthcare systems (Harkins and Freed, 2018).
As discussed by Cameron, these types of attacks are actually quite simple to prevent. Carrying out frequent malware scans and testing can help spot any malware that is installed on the system (Cameron, 2017). Additionally, these types of attacks tend to exploit known bugs in the software, so making sure software is up to date can help reduce the number of vulnerabilities in a system.
6. Command & Control
Once the attacker has installed malware, they may use it to manipulate the target’s system. As long as the attacker can create a channel of communication between themselves and the victim, they can control the target (Lockheed-Martin, 2015). An example of this is where an attacker stores a script in a web page that redirects users to another page. The attacker can then use software called BeEF to capture the user’s browser and enslave it (Unknown, 2019). From here, the attacker could use the victim’s machine as the source of further attacks or even to execute a DDOS attack if they had enough captured users. This is another tool that is also used by ethical hackers to test a client’s physical, technical and human security measures. Training can help employees spot Cross-Site Scripting vulnerabilities.
7. Actions On Objectives
This stage describes how an attacker may use techniques such as SQL Injection to damage or destroy the system from within, corrupting or deleting data, collecting personal information or just destroying systems (Lockheed-Martin, 2015). SQL Injection could be used to drop tables and harm a database; therefore it is important that the aim of the project is to teach users about the dangers of the techniques.
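As an added example (not code from the report or its website), here is how the two detections Hospelhorn describes for the Reconnaissance stage, checking visiting addresses against a list of known bad ones and alarming on a threshold of activity against the hackable forms, could be run over ordinary web server access logs in Python. The log lines, the addresses, the block list and the form paths under /demo/ are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log sample in the common Apache/nginx format. The
# addresses come from documentation ranges and the paths are assumed names
# for the demonstration site's forms; none of it is taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:14:02:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.5 - - [10/Mar/2019:14:02:07 +0000] "GET /tutorials HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2019:14:02:30 +0000] "POST /demo/login.php HTTP/1.1" 200 512
192.0.2.77 - - [10/Mar/2019:14:02:45 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.9 - - [10/Mar/2019:14:03:00 +0000] "POST /demo/login.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2019:14:03:04 +0000] "POST /demo/login.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2019:14:03:09 +0000] "GET /demo/search.php?q=test HTTP/1.1" 200 700
198.51.100.9 - - [10/Mar/2019:14:03:12 +0000] "GET /demo/search.php?q=test2 HTTP/1.1" 500 300
198.51.100.9 - - [10/Mar/2019:14:03:18 +0000] "POST /demo/review.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2019:14:03:25 +0000] "POST /demo/login.php HTTP/1.1" 200 512
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# The "vulnerable areas" to alarm: the demonstration site's forms (assumed paths).
ALARMED_PATHS = {"/demo/login.php", "/demo/search.php", "/demo/review.php"}
# Stand-in for a feed of known criminal addresses (constructed).
KNOWN_BAD_IPS = {"192.0.2.77"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def detect_recon(lines, threshold=5, window_seconds=60):
    """Return a list of (ip, reason) alerts.

    An address on the block list is reported the first time it appears. An
    address that hits the alarmed paths at least `threshold` times within a
    sliding window of `window_seconds` is reported once, when the threshold
    is first crossed. Lines are expected in chronological order.
    """
    alerts = []
    reported_bad = set()
    reported_burst = set()
    hits = defaultdict(deque)  # ip -> timestamps of recent alarmed-path hits
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read
        ip = rec["ip"]
        if ip in KNOWN_BAD_IPS and ip not in reported_bad:
            reported_bad.add(ip)
            alerts.append((ip, "known bad address"))
        if rec["path"] not in ALARMED_PATHS:
            continue
        window = hits[ip]
        window.append(rec["ts"])
        # Slide the window: discard hits older than window_seconds before the newest.
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in reported_burst:
            reported_burst.add(ip)
            alerts.append((ip, "%d hits on alarmed paths within %ds" % (len(window), window_seconds)))
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_recon(SAMPLE_LOG.splitlines()):
        print(ip, "->", reason)
```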
4.5. Similar Systems
After conducting some research I found the following sites:
1. HackThisSite.org
This site is well-established as a platform similar to the one I wish to create.
The site is set up to be hacked by users who intend to practice their skills. It also
offers information to beginners and provides tutorials for users to follow. This site
is a good reference point as it is proof of concept and will provide some healthy
competition to my project.
2. Hack-Yourself-First.com
This site is an example of a safe target site that users can visit and attempt to
hack. The site can be hacked and visibly changed. As stated on the site, it will
reset every so often to allow users to have another go.
My project will include a similar feature that allows the website to be restored to
its former state.
After looking at these sites, I built a similar systems matrix to compare the different
features. This matrix was then updated when the project was completed. Please see
Appendix B.
5. Project Design & Planning
5.1. Architecture and Environment
The project will be delivered as a web-based solution. The following technologies have been used to develop the project, which has been split into two sections.
Main Site
The first section is the main site; this site will hold the tutorials and law library for
users to explore. This will act as the main user interface. This site will be built using a
combination of HTML, CSS, Python and JavaScript.
HTML - Hyper Text Mark-up Language (HTML) is the standard mark-up language used to create web pages (w3Schools, 2019). An HTML page consists of multiple HTML elements that are represented by tags such as <body>. I used this to create the majority of the files for the main website.
CSS - Cascading Stylesheets (CSS) is used to style and layout HTML documents.
CSS can be used to change the font, colour and size of many HTML elements by assign-
ing them an id or class (tutorialspoint, 2019). Styling can be done inside the HTML
tag; this is called in-line styling. Most of the styling for the project is done by creating
external style sheets that are referenced by the relevant pages.
Python - Python is a high-level, object-oriented programming language that has built-in data structures (Python-Software-Foundation, 2019). I used Python to render each HTML page as a template and create other functions to manipulate the website.
Flask - Flask is a web framework extension for Python, used to render the main website pages and introduce inheritance into the HTML files using code blocks (Flask, 2019).
JavaScript - JavaScript (JS) is a lightweight interpreted programming language that is used to manipulate web pages and web applications. JavaScript can directly change HTML elements and can be used to build more complex programming functions (web docs, 2019). JavaScript is used on both sites to increase functionality and responsiveness.
Demonstration Site
The second section of the project is the demonstration site. This site is extremely basic but holds the functionality for users to test SQL Injection and Cross-Site Scripting techniques. This site also uses HTML, CSS and JavaScript. However, to implement the functionality required for these techniques, the site also uses PHP.
PHP - PHP (Hypertext Preprocessor) is a widely used open source scripting language that can be embedded in HTML and used to generate it (php, 2019b). I use PHP for the demonstration website to load HTML as well as run code to connect to and manipulate the database.
Database
Attached to the demonstration site is a database that holds mock data for the users to manipulate. This database is built using MySQL and can be managed by phpMyAdmin. I use a PHP extension called MySQLi to connect to and manipulate the database from the website.
MySQL - MySQL is an open-source relational database management system that is used to build databases using a version of SQL (Structured Query Language) (MySQL, 2019). I build and run a local instance of a MySQL database to add hacking vulnerabilities to the demonstration website.
MySQLi - To connect the website to the database I have used a PHP extension called MySQLi. This extension contains functions used to establish connections to a database and run SQL queries (php, 2019a).
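As an added illustration rather than the project's own PHP/MySQLi code, the following Python stand-in shows the query-building pattern that leaves a form on the demonstration site open to SQL injection, beside the parameterised form that closes it. The `customers` rows are constructed mock data and sqlite3 replaces MySQL so the example runs offline.

```python
import sqlite3

# Constructed mock rows for the demonstration site's customers table. The
# report's site uses MySQL through PHP's MySQLi; sqlite3 stands in here so
# the example runs offline, but the query-building issue is the same.
MOCK_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_demo_db():
    """Create an in-memory database holding the mock customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)", MOCK_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern that makes a form injectable: the raw form value is spliced
    into the SQL text, so a value containing a quote can change the WHERE
    clause instead of being compared as data."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """The fix: a parameterised (prepared) query. The SQL text is fixed and the
    value is bound separately, so quotes in the input never reach the parser
    as SQL. MySQLi offers the same through prepare() and bind_param()."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A value containing a quote. On the vulnerable query it turns the WHERE clause
# into a tautology; on the hardened query it is just a username that does not exist.
TAUTOLOGY_INPUT = "' OR '1'='1"


def compare(username):
    """Run both lookups on the same input; return (vulnerable rows, hardened rows)."""
    conn = build_demo_db()
    try:
        return len(lookup_vulnerable(conn, username)), len(lookup_hardened(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input   ->", compare("alice"))
    print("quote in input ->", compare(TAUTOLOGY_INPUT))
```

A plain apostrophe in a name such as O'Brien breaks the vulnerable query with a syntax error for the same reason, which is why the report's site should show users the error-handling stage of reconnaissance as well.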
5.2. Time Management
During the initial planning stage I created a Gantt chart to outline the schedule and pace
of the project. This Gantt chart has since changed as the project developed and I had to
make changes to the design and structure of the project. Please see the Appendix 22 for
the revised Gantt Chart. The previous versions of the Gantt chart can be found in the
supporting material.
5.3. Requirement Specification
Using the MoSCoW analysis technique, the following requirements for the Ethical Hacking Trainer have been derived. The ’musts’ are features the website requires on a fundamental level. The ’shoulds’ provide some stronger foundations for the website whilst the ’coulds’ are additional features that could be added if there is enough time in the project. The ’won’ts’ are features that the website simply will not have, either due to time constraints or scope.
Must
• Teach users at least 3 ethical hacking techniques
• Teach users the legal and ethical issues surrounding hacking
• Have ’Hackable’ elements on the site such as forms and databases
• Have a method of resetting the website to its original state
Should
• Be easy to use for all levels of user
• Provide users with basic understanding of the use of ethical hacking
• Provide feedback to users that are practising their hacking skills
Could
• Have a user log-in system
• Score users on their activities
• Allow users to compete in leader boards
• Have hidden tasks for experienced users
Won’t
• Allow the entire site to be hacked
• Provide the level of training required to become a fully qualified ethical hacker
5.4. Navigation and Site Map
5.4.1. Site Map
Following the Lo-Fi and Hi-Fi designs, I have created a visual site map to give an idea of the website’s structure, as seen in Figure 1.
Figure 1: Site Map
5.4.2. Wire Frames
To plan how the website might look, I created some wireframe diagrams that outline the initial design of the site. These diagrams can be found in Appendix C.
5.5. Branding and Identity
5.5.1. Branding Scheme
The designs and website will follow the branding scheme seen in Figure 2. This scheme highlights the key fonts and colours my website will use.
Figure 2: Branding Scheme
5.6. Database Design
5.6.1. Entity Relationship Diagram
Below is the entity relationship diagram for the initial demonstration database (Figure 3). However, due to time and functional constraints, it was better to implement only the customers and reviews tables.
Figure 3: Bank Entity Relationship Diagram
6. Implementation
6.1. Implementation Decisions
Design
Whilst the majority of the website matches the initial design, I have made a few changes in response to issues that arose as the project developed. I changed the demonstration buttons on the tutorial page from 3 separate buttons to one button that links to the demonstration site, as all techniques can be practised in one place. The entire site matches the colour scheme proposed by the initial branding scheme with one small change: the dark blue text colour was changed from #0984E3 to #239af6. This change was made due to visibility issues when paired with black font.
Cross Site Request Forgery
While learning how to use Cross-Site Request Forgery techniques, it became clear that it would not be appropriate to include a tutorial or demonstration exercise on this technique as it would present users with serious security risks. The problem with implementing a web page where users can practise CSRF is that there would be no way to ensure users were not in any real danger. For example, if somebody were to create a script that transfers money between bank accounts and store it on the demonstration site, an unsuspecting user who has their online banking page open in another tab could visit the demonstration site and be targeted by the script. Although the database could be frequently reset, I would not be able to implement a system that guarantees the user’s safety within the current time-frame or with my current experience and knowledge of hacking techniques.
Reconnaissance Tutorial
To answer the problem of being one tutorial down, I decided to implement a different tutorial that teaches users the first step of ethical hacking. As found in the research in the literature review, the first step any hacker will take when attacking a website is to scout it out. I felt it was important to teach users the skills needed to do this as it is a fundamental skill of ethical hacking. It also relates to the other tutorials, as it is during the reconnaissance stage that hackers might discover a potential SQL Injection or XSS vulnerability.
Database Implementation
As discussed previously in the database design section, I decided to only implement
two tables into the database to begin with as this was all that was necessary to deliver
the required functionality of the demonstration site. This is something that could be
reviewed in the future if the project was to expand.
6.2. Website Features and User Interaction
The following section provides a discussion of the different features that have been implemented in the website.
6.2.1. Disclaimer
This project is largely based on the teaching and practising of ethical hacking tech-
niques. There are both ethical and legal implications that factor into the website if it
were to be made live. For the purpose of the project, the website will be hosted locally.
Following discussions and meetings with Dr Paul Bernal, an Internet Law lecturer at
UEA, I decided there was still the need for a disclaimer to warn users of the legal impli-
cations of computer crime and more specifically hacking. So I drafted a short disclaimer
message which reads:
"The techniques taught on this site are strictly for the purpose of ethical hacking.
Using any form of hacking techniques on a website without the permission and authori-
sation of the website owner and all other parties is a crime and is in no way condoned
by this site. You may practice these techniques within a safe and controlled environment
such as the demonstration website that can be found on the tutorial page. By clicking
’OK’ you understand that the use of such techniques without authorisation is illegal and
is not condoned by this site."
This message will appear as a pop-up window every time the homepage of the site is
loaded. The user is required to click the ’OK’ button to proceed to the site.
6.2.2. Homepage
The homepage features a very simple design, created to maximise the usability of the site. At the top of the page is the Navigation Bar that can be seen across all the other pages. The homepage has 3 main sections of text which provide insight into what the site is about.
6.2.3. Tutorials
The Tutorials page consists of a grid menu that has an option for each type of attack and
a button that opens the demonstration website. The grid menu is clear and matches the
colour scheme set out in the design phase. The menu was designed to be simple and
easy for the user to navigate to the correct tutorial.
As covered in the literature review, the best way of learning is through practice. All
tutorials will closely relate to the demonstration page to allow users to practice what
they are learning as they learn in a familiar and secure environment.
A lot of research went into looking at similar systems and comparing tutorials to assess which parts are successful or not. I looked at multiple tutorials for Reconnaissance, SQL Injection and XSS to ensure I compiled the best parts of each to develop an accurate, effective and usable tutorial for the user. This research proved to be time consuming and caused delays to the project. As discussed later, I had to make some implementation sacrifices to account for this lost time.
6.2.4. Reconnaissance
The first step any hacker takes when wanting to attack a target website is to carry out reconnaissance on the target. I made this tutorial as a way of introducing the user to ethical hacking. The tutorial starts off by teaching the user how to use the WHOIS protocol to discover the IP address and other information about the target. Once the user knows how to find the target’s IP address they can then learn how to investigate this further to find out more information, such as the DNS servers used by the target and the web-based technologies the target is running. Finally, the tutorial teaches users how to inspect elements and use the browser debugger menu to find vulnerabilities and understand the architecture of the target website.
6.2.5. SQL Injection
The SQL Injection tutorial is broken into sections that go from the basics of SQL all the way up to advanced SQL Injection techniques. The tutorial introduces what SQL is, then it covers the basic syntax of SQL. This is designed to target new users with little to no previous knowledge of SQL. Once the basics have been covered, the tutorial introduces the key principles needed to bypass an authentication system, with constant references to the demonstration page to enable users to practise what they are learning. After the user has learned how to bypass the login form, they are taught how to exploit ’GET’ methods by injecting SQL into the Uniform Resource Locator (URL).
6.2.6. Cross Site Scripting (XSS)
The Cross-Site Scripting tutorial starts off by teaching users the basics of JavaScript as it is core to XSS. Once users have established the basics, they can learn how to exploit reflected XSS vulnerabilities in the site. They can practise reflected XSS on the review page of the demonstration website. The other form of XSS they can learn is stored XSS; this exploits text that is stored and loaded on the web page. By teaching both reflected and stored XSS, users can learn the difference between client-side and server-side attacks.
6.2.7. Database Implementation
The database behind the ’Smart Bank’ website was built using MySQL and managed in phpMyAdmin. Due to the time constraints of the project, I made the decision to limit the implementation of the database to its core functionality to allow me to focus more time and resources on research and writing the tutorials. Therefore the current implementation is much simpler than the one proposed in the initial design. I have condensed the database into 2 tables: customers and reviews.
The demonstration website is built using PHP so I am using an extension called
MySQLi to connect to the database and run SQL queries. Below is a snippet of the
code used to establish a connection to the server (See Figure 4).
Figure 4: MYSQLi Connection
I then used a series of SQL queries to create the Smart Bank database. An example of the code used to create the database, tables and insert data can be found in the resetDB.php file. One of the requirements of the project is that the database must be frequently reset to ensure that no harmful scripts are left running on the server and to keep the contents of the tables appropriate and in line with the tutorials. To reset the database, the user can click on the ’reset database’ button on the homepage. This invokes the resetDB.php file, which resets the database in steps.
Firstly it establishes a connection to the server. If successful it then drops the database called ’smartbank’ and creates a new one with the same name. Then it connects to the database and creates the necessary tables; once complete it populates them and closes the connection.
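As an illustration of those steps, the following PHP script is an added example and not the project’s own resetDB.php. The host, credentials and the customers columns are assumptions, as the report only gives the columns of the reviews table; the seed rows are constructed mock data.

```php
<?php
// Added example (not the project's resetDB.php): rebuild the 'smartbank'
// demonstration database from scratch so that rows a learner altered, and
// any scripts saved through the review form, are removed.
// Assumptions: host/credentials, and the columns of the customers table.
declare(strict_types=1);

// Make MySQLi throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function resetSmartBank(string $host, string $user, string $pass): int
{
    // Step 1: connect to the server (no database selected yet).
    $conn = new mysqli($host, $user, $pass);
    $conn->set_charset('utf8mb4');

    // Step 2: drop the old database and create a fresh one with the same name.
    $conn->query('DROP DATABASE IF EXISTS smartbank');
    $conn->query('CREATE DATABASE smartbank CHARACTER SET utf8mb4');

    // Step 3: select the new database and create the two tables.
    $conn->select_db('smartbank');
    $conn->query(
        'CREATE TABLE customers (
            id INT AUTO_INCREMENT PRIMARY KEY,
            username VARCHAR(50) NOT NULL,
            password VARCHAR(50) NOT NULL,   -- plaintext only because this is
                                             -- deliberately vulnerable mock data;
                                             -- a real site stores password_hash()
            balance DECIMAL(10,2) NOT NULL,
            email VARCHAR(100) NOT NULL
        )'
    );
    $conn->query(
        'CREATE TABLE reviews (
            id INT AUTO_INCREMENT PRIMARY KEY,
            name VARCHAR(50) NOT NULL,
            comment TEXT NOT NULL
        )'
    );

    // Step 4: populate the tables with constructed mock data.
    $seed = [
        ['alice', 'letmein', 1250.00, 'alice@example.com'],
        ['bob',   'hunter2',   87.50, 'bob@example.com'],
    ];
    $stmt = $conn->prepare(
        'INSERT INTO customers (username, password, balance, email) VALUES (?, ?, ?, ?)'
    );
    foreach ($seed as [$u, $p, $b, $e]) {
        $stmt->bind_param('ssds', $u, $p, $b, $e);
        $stmt->execute();
    }
    $stmt->close();
    $conn->query("INSERT INTO reviews (name, comment) VALUES ('Carol', 'Great bank!')");

    // Report how many customers were seeded, then Step 5: close the connection.
    $row = $conn->query('SELECT COUNT(*) AS n FROM customers')->fetch_assoc();
    $conn->close();
    return (int) $row['n'];
}

echo 'Reset complete, customers seeded: ' . resetSmartBank('localhost', 'root', '') . "\n";
```

Because the reset is the only thing that removes a stored script from the reviews table, running it on a timer as well as on the button press limits how long an injected script stays live.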
6.2.8. Reconnaissance
To implement the Reconnaissance tutorial I did some research and found a few tools that are used by ethical hackers to carry out reconnaissance in real-world scenarios. I then picked the tools that best suited the purpose of this tutorial and decided to write a section about how to use each one and why it is effective.
To begin with I show users how to use the site http://whois.domaintools.com/. This site is a search engine that uses the WHOIS protocol to return public information on the target site. It is a great source of initial information as it tells you the IP address of the target, the registrar information and the names of any DNS servers associated with the website (see Figure 5).
Figure 5: Domain Tools Website
Users can then build on this information using the Netcraft tool found at https://netcraft.com. This tool can be used to discover the web-based technologies the target website is using, such as JavaScript, PHP and MySQL (see Figure 6). This tool is really helpful to ethical hackers as it can help them determine what type of vulnerabilities the website might have.
Figure 6: Netcraft tool
Then the tutorial teaches users how to use Bing to do a reverse DNS lookup. This is used by ethical hackers to find a way of accessing the target through a website that shares the same server (see Figure 7).
Figure 7: Reverse DNS Lookup using Bing
For the purpose of the tutorial I used Amazon.com as it yielded good results, and the tools would not work on the demonstration site as it is hosted locally. Finally, the tutorial covers how to use the browser debugger menu to inspect the target website’s code and manually look for vulnerabilities, such as forms using ’POST’ and ’GET’ methods.
6.2.9. SQL Injection
The SQL Injection element of the demonstration site can be found on index.php
which prompts the user to provide login credentials to sign into a bank account (see
Figure 8). This is the first opportunity a user has to inject SQL statements to bypass the
login. This can be done by following the SQL Injection tutorial which provides constant
references to the demonstration site.
Figure 8: Smart Bank Login Page
When the user clicks the login button, the user input is taken from the form (see Figure 9) and sent to the process.php file. This file contains the code to connect to and query the database. The SQL query seen in Figure 10 builds an SQL statement using the user’s input as parameters. If the query returns a match, the user is logged in; if not, they are redirected to index.php to try again.
Figure 9: Login Form
Figure 10: SQL Login Query
Regardless of whether the attempt was a success or not, the SQL query that was generated is displayed to the user. I did this to help users learn what the SQL they are entering is doing; this allows them to experiment and try to understand what is happening. This is done by echoing the query along with the data they entered (see Figures 11 and 12).
Figure 11: Code to echo SQL query
Figure 12: Echoing the SQL Query
Once the user has learnt how to bypass the login page by exploiting vulnerabilities in the ’POST’ method, they are presented with a form that allows them to check their account details by re-entering their login information. Whilst they can still use the techniques taught previously, there is the potential to further exploit this form as it uses a ’GET’ method. The second half of the tutorial covers the method to do this. Using the same SQL query as before, the information is then displayed in a table (see Figures ?? and 14).
Figure 13: Code to generate account information table
Figure 14: Account information table
The query was designed to select all columns but the table is set up to only display
four of them. This is designed to force the user into learning more about the database
and overwrite existing columns to extract additional data.
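The following PHP is an added example, not the project’s process.php: it places the string-built login check the report describes next to a parameterised version, and applies equally whether the two values arrive through the ’POST’ login form or the ’GET’ account form. The table and column names (customers.username, customers.password) and the connection details are assumptions.

```php
<?php
// Added example (not the project's process.php). Assumptions: the customers
// table has username and password columns; local MySQL credentials.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable form: the user's values are spliced into the SQL text, so any
// value that closes the quoted string changes the structure of the query,
// not just its data. This is the behaviour the trainer relies on.
function buildVulnerableLoginQuery(string $user, string $pass): string
{
    return "SELECT * FROM customers WHERE username = '$user' AND password = '$pass'";
}

function vulnerableLogin(mysqli $conn, string $user, string $pass): bool
{
    $sql = buildVulnerableLoginQuery($user, $pass);
    // Echoing the generated query back is part of the tutorial. Encode it
    // first: otherwise the echo is itself a reflected XSS sink for the same input.
    echo '<p>Query run: ' . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . "</p>\n";
    return $conn->query($sql)->num_rows > 0;
}

// Hardened form: the SQL text is fixed when prepare() runs and the values are
// sent separately, so no input can alter the statement's structure.
// A real system would also store password_hash() output and compare with
// password_verify() in PHP rather than matching a plaintext column in SQL.
function safeLogin(mysqli $conn, string $user, string $pass): bool
{
    $stmt = $conn->prepare('SELECT id FROM customers WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Same two values whether they come from the login form (POST) or the
// account-details form (GET); the query building is what decides safety.
$user = $_POST['username'] ?? $_GET['username'] ?? '';
$pass = $_POST['password'] ?? $_GET['password'] ?? '';

$conn = new mysqli('localhost', 'root', '', 'smartbank');
$conn->set_charset('utf8mb4');

echo vulnerableLogin($conn, $user, $pass) ? "vulnerable check: match\n" : "vulnerable check: no match\n";
echo safeLogin($conn, $user, $pass) ? "prepared check: match\n" : "prepared check: no match\n";
$conn->close();
```

A quick check for a learner: any input that produces a match in the first function but not in the second is a demonstration that the match came from the query text being altered rather than from valid credentials.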
6.2.10. Cross Site Scripting Tutorial
I focused the Cross-Site Scripting practice around the review page on the demonstration website, as there are two types of XSS taught in the tutorial. Firstly, the user can practise running scripts in the age verification form. This form uses a ’GET’ request that asks the user for their age. Once they enter the age and click submit, their input is echoed below. This runs any scripts they may have entered in the process, making it vulnerable to reflected Cross-Site Scripting. The code snippet in Figure 15 shows how the input is retrieved and echoed.
Figure 15: Creating the age form vulnerability
As this form is using a ’GET’ request, the user can copy the URL containing their
script and send it to potential victims. This demonstrates the use of reflected Cross-
Site Scripting and helps teach users the dangers of clicking links without checking their
authenticity. The figure below shows an example of a URL generated by a simple alert
script (See Figure 16).
Figure 16: URL containing alert script
Users could then write their own scripts that do more harmful things, such as taking them to a different website or installing malware. For the purpose of the project, I thought it best not to teach users more advanced techniques as it could have legal ramifications.
To practise stored Cross-Site Scripting techniques, users can insert scripts into the review form. This form uses a ’POST’ method to save the user’s input to the database. Users can put a script into these fields and have it saved to the database. Every time a user clicks the ’Show Reviews’ button the website loads all the reviews from the database; if these reviews contain a script, the browser runs it. This section of the website demonstrates the effect Cross-Site Scripting can have on unsuspecting users.
To implement stored Cross-Site Scripting I had to update the database to contain a
reviews table. This table stores the name and the comment of each review. The SQL
Statement seen in Figure 17 is used to build the reviews table.
Figure 17: SQL Statement to create reviews table
The review data from the form is added by running the addReview.php file, which connects to the database and inserts the user’s input into the database (see Figure 18).
Figure 18: Adding the users input to the Review table
If the user clicks the ’Show Reviews’ button, the button will run the displayReviews.php
file which retrieves the reviews and prints them in a basic table on the page. The table
is not styled as it is not the main purpose of the scenario, its function is to hold and run
any scripts the user may have entered (See Figure 19).
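The following PHP is an added example and not the project’s age form, addReview.php or displayReviews.php. It shows the two output points described above (the echoed age value and the rendered reviews) in the form the trainer uses and with output encoding applied; the reviews(name, comment) schema is the one the report gives, and the connection details and Content-Security-Policy header are assumptions.

```php
<?php
// Added example (not the project's own files). Assumptions: local MySQL
// credentials; the CSP header is an extra mitigation for a production site,
// not something the trainer uses, since the trainer wants the scripts to run.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// One encoding helper applied at every point where data is written into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected sink: the raw GET parameter is placed straight into the page, so
// markup carried in the URL runs in the visitor's browser. This is what the
// trainer's age form does on purpose.
function ageFormVulnerable(string $age): string
{
    return "<p>You entered: $age</p>";
}

// Hardened: the same value, encoded so the browser treats it as text.
function ageFormSafe(string $age): string
{
    return '<p>You entered: ' . h($age) . '</p>';
}

// Storing a review. The prepared statement stops SQL injection but does
// nothing about XSS: a script saved here is still a script when rendered.
function addReview(mysqli $conn, string $name, string $comment): void
{
    $stmt = $conn->prepare('INSERT INTO reviews (name, comment) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $comment);
    $stmt->execute();
    $stmt->close();
}

// Rendering reviews. $encode = false reproduces the stored-XSS behaviour the
// report describes; $encode = true is the fix: encode at output time, not on input.
function renderReviews(mysqli $conn, bool $encode): string
{
    $html = "<table>\n";
    $result = $conn->query('SELECT name, comment FROM reviews');
    while ($row = $result->fetch_assoc()) {
        $name    = $encode ? h($row['name'])    : $row['name'];
        $comment = $encode ? h($row['comment']) : $row['comment'];
        $html .= "<tr><td>$name</td><td>$comment</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Defence in depth for a real site (assumption, not part of the trainer): a CSP
// without 'unsafe-inline' stops an injected inline <script> even where encoding
// was missed. Must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$conn = new mysqli('localhost', 'root', '', 'smartbank');
$conn->set_charset('utf8mb4');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    addReview($conn, (string) ($_POST['name'] ?? ''), (string) ($_POST['comment'] ?? ''));
}
echo ageFormSafe((string) ($_GET['age'] ?? ''));
echo renderReviews($conn, true);
$conn->close();
```

Switching renderReviews() to $encode = false, or swapping ageFormSafe() for ageFormVulnerable(), reproduces the trainer’s behaviour; the difference between the two outputs is the whole lesson of output encoding.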
Figure 19: Retrieving and displaying reviews
6.2.11. Internet Law
To implement the internet law page, I used the same theme as seen throughout the site: a series of information blocks that splits the legislation into sections. The technical side of implementing this was not challenging as it was simple HTML and CSS code. However, the amount of research behind each page is substantial. I felt it was important to do lots of research and ensure I fully understood each piece of legislation before I attempted to summarise it. I feel this was necessary as I am explaining law; misleading users about certain laws or sections could cause confusion and issues later on. Globally, there is lots of legislation in place to combat cyber-crime; I decided to focus my efforts towards UK and European legislation for now as it is the most relevant to this project.
Data Protection Act 2018
To summarise the Data Protection Act in the context of hacking and ethical hacking I looked at the official government site as the primary source (GOV.UK, 2019b). To build a better understanding of this act in practice I found some independent breakdowns of the Data Protection Act as background research on different perspectives (ICO.org, 2019) (Get-Safe-Online, 2019). This proved to be really helpful as it gave me an idea of the type of perspective and language I should write my summary in.
As my website focuses on teaching users techniques to help defend their own websites from hacking, I decided to write the summary in a way that teaches an organisation or business how to comply with the Data Protection Act instead of just reciting it from the government website.
To do this, I looked at what sections of the Data Protection Act may apply to a small organisation and summarised what they mean and how to enact them. For example, when talking about principle 5 (personal data must not be kept longer than required), I instruct the user that they should not keep data for longer than is necessary and should take steps to safely delete it. I suggest implementing a data retention policy to do this.
Computer Misuse Act 1990
The Computer Misuse Act 1990 is the most direct legislation dealing with cyber-crime in the UK. To summarise it, I examined the different parts of the act and summarised each section in a more readable and user-friendly way (GOV.UK, 2019a). I tried to avoid details such as sentencing as this changes from case to case. Instead I focused on what parts of the legislation apply to the techniques taught on the site and how they are covered by this law. The summary highlights how the techniques taught on this site are illegal unless you have authorisation from the target.
Freedom of Information Act 2000
The Freedom of Information Act is not directly related to hacking but I felt it was
relevant to include because it has an impact on the format of databases. The Freedom
of Information Act forces public organisations to collect data in a sensible and easily
accessible way to ensure they can fulfil information requests in time (GOV.UK, 2019c).
This inadvertently caused databases across the industry to look very similar in format,
making it easy for hackers to guess column names and re-use information gained from
previous attacks.
General Data Protection Regulation 2018
The General Data Protection Regulation (GDPR) is European legislation that is focused
around personal data collection and privacy (European-Union, 2018). After doing some
research into how the GDPR will be implemented across the European Union it became
clear that this was the reason the Data Protection Act was amended in 2018. However,
with the UK due to leave the EU I decided to include both the GDPR and the Data
Protection Act regardless of how similar they may be to ensure I give the user the full
picture.
The GDPR has a vast scope and a broad selection of principles and rules. I took the same approach here as I did with the Data Protection Act, aiming the summary towards users wishing to protect their data and comply with the law. I decided to list the key definitions as I felt these were important for understanding what is meant by personal data and the difference between processor and controller.
Then I looked at different articles that discuss the impact and significance of the
GDPR and selected the principles that got the most attention (Burgess, 2018) (Hern,
2018). I broke up each key principle into what they are and how they should be imple-
mented.
I also felt it was important to list all of the individual rights of the user that are granted by GDPR. The rights give a lot of power to the user but they also impact the way organisations store and use data. Rights such as the Right of Access and the Right to Erasure directly control how an organisation may store and format its data, creating potential vulnerabilities in the process.
Additionally the Right to Rectification makes the organisation liable if the data they
are storing is not accurate and complete. SQL Injection attacks have the potential to
alter data, which may have legal consequences for the organisation.
To write this article I tried to find multiple perspectives on GDPR due to its controversial nature, and drew on the knowledge I learnt from the Internet Law module.
Convention on Cybercrime 2001
The Convention on Cybercrime was drafted by the European Council but has since been ratified globally. The convention does not actually declare any law; instead it advises countries that ratify it on what behaviour classifies as illegal. This means actions such as SQL injection and XSS are seen as crimes on a global scope, making it easier to prosecute international cybercrime such as unauthorised hacking.
To try and understand the impact of the Convention on Cybercrime I looked at some academic literature that discussed the impact law has had on the fight against cybercrime, as well as looking at some cases such as those of Gary McKinnon, Yevgeniy Nikulin and Lauri Love (BBC, 2019) (BBC, 2012) (Times, 2018).
Investigatory Powers Act 2016
The Investigatory Powers Act is another piece of UK legislation that is designed to fight cybercrime. The main focus of the law is to give the UK authorities the power to intercept network communications data to aid ongoing enquiries and investigations. However, the law also describes what classifies as unlawful interception. As Cross-Site Scripting and Cross-Site Request Forgery techniques could be used to intercept data that is being transmitted to and from users, I have included this law on the site.
The law was extremely controversial and is nicknamed ’The Snoopers’ Charter’ due to how invasive it can be. I thought it best to try and understand why it faced such a large backlash as well as the security vulnerabilities it could introduce.
6.2.12. About Page
To try and give context to the project, I developed an About Page that provides insight into the website. I made a grid that explains who I am, what I am developing, where I am studying and finally why I am making the site in the first place. Although this is not a core part of the website, I felt it was important to offer some context to users.
6.2.13. FAQ Page
I implemented a frequently asked questions page so users can get help using the site. As
the site is not live, I drafted some example questions users may have to give an example
of what the page might look like.
6.3. Technical Issues
1. Development Environment
When I began to develop the website I had a minor issue regarding the Integrated Development Environment (IDE) I was using. Originally I had planned to use Visual Studio 2017 as it supports Python and web development. I chose Visual Studio as I have previous experience using it and I had heard good reviews from peers. However, I ran into issues using the IDE on my laptop as it is quite CPU intensive and my laptop is five years old. This slowed my progress in the front-end development and prevented me from working away from home. I recovered from this issue by doing some research and asking around about other IDEs and text editors. In the end I decided that the text editor Sublime would be the best solution.
2. Legal Issues
As I learnt through the Internet Law module, teaching people the skills and techniques needed to carry out even basic hacking techniques is a potential issue and could be in breach of the Computer Misuse Act 1990, Section 3(A). This section covers "making, supplying or obtaining articles for use in offence under Section 1 or 3", meaning providing people with the knowledge and tools to carry out unauthorised access to programs and computer material is illegal. If done without due diligence, my ethical hacking trainer could fall under section 3(A). This is a serious issue which threatens my project. Therefore I took steps to avoid any legal issues I could run into. Firstly, my project will constantly remind users of the laws and potential consequences surrounding hacking and will strive to promote ethical and safe practices. Secondly, I contacted my Internet Law lecturer Paul Bernal to discuss the legalities regarding my project and to help me draft a disclaimer statement that is displayed on the landing page of the website. Users must accept the consequences and rules of using the site. Thirdly, the site doesn’t need to be live for the purpose of the project, so for the presentations and the demonstration I will just run the website locally using the XAMPP control panel.
3. User Accounts
I had planned to implement a user account system to allow a score system as well as allowing users to save their progress. However, this would introduce a number of problems that would complicate the project beyond its scope. The main issue with having user accounts is the requirement for an additional database containing user credentials and potentially sensitive information. In an environment where people are learning how to exploit and test websites to gain access to databases, having one full of real-world information would be a massive security issue and would create legal implications under the Data Protection Act and the GDPR. The work required to fully secure this database from hacking techniques would be greater than what is achievable in the project’s timeline.
Another issue with having user accounts save a user’s progress is that, due to the nature of the project, it would be extremely difficult to save a user’s progress in relation to the exercises on the demonstration pages. The demonstration website, SmartBank, was designed to simulate a bank database. Whilst users can interact with and manipulate it as much as they wish, it will be frequently reset to ensure it is always in a usable and presentable state. Therefore saving an individual user’s progress is impossible as the database will be reset multiple times a day. The only way to do this would be to capture the state of the database and store it for every individual user at the time of saving. Again this would be a lot of work, which I feel would not be achievable in the project timeline.
To conclude, although user accounts would be a great feature on the site in the long term, for the purpose of the project they would introduce a lot of security and implementation issues that ultimately outweigh the benefits.
4. Website and Database Hosting
For the project to be deployed publicly both the website and database would need to be hosted on a server somewhere. I have discussed the legal issue with hosting the website publicly, but there are some issues that may come with hosting the database as well. The techniques taught on the website, such as SQL injection and XSS, can be extended to attack anything stored on the same server as the site or database. Therefore hosting the website and database on a public server may inadvertently allow users to do harm to other material stored on the server. To solve this issue, I will run the website locally on my machine for the presentation of the project. The database will be hosted as a local MySQL server and the demonstration website will also be hosted locally using the XAMPP control panel. This means none of the data or information will be publicly available for the time being, avoiding any legal and ethical issues.
7. Testing and Usability
7.1. Unit & Integration Testing
As the majority of the website is built using HTML and CSS, there were not many methods that needed to be tested. However, the demonstration site uses PHP scripts to manipulate the database, so I performed unit and integration tests on these files to ensure they work as intended; see Table D in the Appendix for the results of the tests.
7.2. Black Box Validation Testing
To ensure the HTML and CSS used to build the website is secure and error free, I carried out some validation testing. Usually I would validate my website by running it through the W3C validator found at https://validator.w3.org/. Unfortunately this tool does not work for the project as the validator can only check live sites; as the project website is run locally, I searched for a different solution. After some research, I found a Google Chrome extension that validates the current web page, available at https://bit.ly/2vQNwkD. Every page of the main site passed the validation test with only a few minor warnings. These warnings are caused by the navigation menu, as seen in Figure 20.
To build the responsive menu icon, I used <span> tags to create empty bars. These tags represent empty space, so there was nothing between the opening and closing tags. To fix this issue I found that using the simulates white space but does not throw any warning messages. After making this change, I ran the validator again and it returned without any warnings, as seen in Figure 20.
Figure 20: HTML validator warnings before and after bug fixes
Some of the pages on the website had a different warning concerning the additional <head> tag I had added to allow page-specific styling. Figure 21 shows the warning being thrown by the validator. I understood why this error was being thrown, as it was causing the page to be loaded with two <head> sections in the document, the main section being inherited from layout.html. To fix this issue, I created another block in the layout.html file within the <head> tag that can be used to load page-specific stylesheets. After making this fix, I reloaded the website and the page was clear of errors (see Figure 21).
Figure 21: HTML validator warnings before and after fixes to inheritance
I repeated this process for the demonstration site. It produced no errors but a few
warnings on some of the pages. I fixed the warnings that had reasonable solutions; the
rest were left as they were, because fixing them interfered with the functionality of the site.
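The two validator warnings described in this section, an empty <span> and a second <head> introduced by template inheritance, can be caught before a page is opened in a browser at all. The following is an added example and not code from the original project: a small checker built on Python's standard html.parser that flags both problems in a rendered page. The before/after HTML strings are constructed for the example and only stand in for the menu and stylesheet markup the report describes.

```python
from html.parser import HTMLParser


class TemplateLint(HTMLParser):
    """Flags the two problems the validator raised on this site: a second
    <head> element (from a duplicated head in a child template) and <span>
    elements with nothing inside them (the bars of the hamburger menu icon)."""

    def __init__(self):
        # convert_charrefs=False keeps &nbsp; as an entity token. With the default,
        # it would arrive in handle_data as U+00A0, which str.strip() discards as
        # whitespace, and the fixed spans would still look empty to us.
        super().__init__(convert_charrefs=False)
        self.head_count = 0
        self.open_spans = []   # stack of [line_number, has_content]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.head_count += 1
            if self.head_count > 1:
                self.findings.append(f"line {self.getpos()[0]}: duplicate <head>")
        elif tag == "span":
            self.open_spans.append([self.getpos()[0], False])
        elif self.open_spans:
            self.open_spans[-1][1] = True   # a child element counts as content

    def handle_data(self, data):
        if self.open_spans and data.strip():
            self.open_spans[-1][1] = True

    def handle_entityref(self, name):       # e.g. &nbsp;
        if self.open_spans:
            self.open_spans[-1][1] = True

    handle_charref = handle_entityref       # e.g. &#160;

    def handle_endtag(self, tag):
        if tag == "span" and self.open_spans:
            line, has_content = self.open_spans.pop()
            if not has_content:
                self.findings.append(f"line {line}: empty <span>")


def lint(html):
    """Return a list of human-readable findings for one HTML document."""
    parser = TemplateLint()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed markup: what the rendered tutorial page looked like before the fixes.
BEFORE_FIX = """<!DOCTYPE html>
<html>
<head>
  <title>Ethical Hacking Trainer</title>
</head>
<body>
<head><link rel="stylesheet" href="tutorials.css"></head>
<div class="menu-icon"><span></span><span></span><span></span></div>
</body>
</html>"""

# Constructed markup: the stylesheet moved into a block inside the single <head>,
# and each bar given a whitespace entity so the element is no longer empty.
AFTER_FIX = """<!DOCTYPE html>
<html>
<head>
  <title>Ethical Hacking Trainer</title>
  <link rel="stylesheet" href="tutorials.css">
</head>
<body>
<div class="menu-icon"><span>&nbsp;</span><span>&nbsp;</span><span>&nbsp;</span></div>
</body>
</html>"""


if __name__ == "__main__":
    for name, doc in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, lint(doc) or "clean")
```

Run over every rendered page of a Flask site (for example by iterating the app's test client over its routes) this gives an offline substitute for the browser extension, and it fails a build rather than relying on someone remembering to click the validator.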
8. Evaluation
8.1. Outcome
The best way of evaluating the success of a project is to refer back to the MoSCoW
analysis and compare it to the requirements specification, assessing which elements are
met and which are not. I feel that for the project to be a success, all of the "Must"
requirements must have been fulfilled. For the project to have a good level of usability,
the majority of the "Should" requirements should also have been completed. Some "Could"
requirements could additionally be completed, but they are not required for overall
success. To assess the success of the project I created a table that shows the overall
outcome. As the table shows, all of the "Musts" and "Shoulds" have been completed,
therefore I consider the project a success.
With that said, the overall look and feel of the website is not what I had hoped, and there
are elements of the website I had wanted to implement but did not. As I came to better
understand the scope of the project I realised it was more about proving the concept that
a site can both teach and allow practice than it was about teaching lots of advanced
techniques. The amount of research I put into creating the tutorials and law library was
greater than I had accounted for, meaning the project went off schedule and sacrifices
had to be made.
Priority  Requirement                                                               Complete (Y/N)
Musts     Teach users at least 3 ethical hacking techniques                         Y
          Teach users the legal and ethical issues surrounding hacking              Y
          Have 'hackable' elements on the site, such as forms and databases         Y
          Have a method to reset the website to its original state                  Y
Shoulds   Be easy to use for all levels of users                                    Y
          Provide users with a basic understanding of the use of ethical hacking    Y
          Provide feedback to users that are practising their hacking techniques    Y
Coulds    Have a user log-in system                                                 N
          Score users on their activities                                           N
          Allow users to compete in leader boards                                   N
          Have hidden tasks for experienced users                                   N
Completion of the project notebook is another area open for improvement. As I am
unfamiliar with note keeping, and it is not common practice for me to keep a notebook,
I have had to adapt to this working style. I do see value in keeping regular notes on
projects and will utilise this skill in future endeavours.
Despite this, the project completed what it set out to do and I have delivered a website
that is both user friendly and educational, on time and as planned. Going forward there
are areas of the site that could be expanded and improved, but these are covered in the
Future Work section.
8.2. Future Work
The first thing that could be improved on the project is the demonstration site. In its
current state the demonstration site is functional but not as user friendly as I had planned.
I would improve this by adding better styling and content to the "Smart Bank" website.
Interactive parts of the site, such as the review table displayed by the 'Show Reviews'
button, could be styled to display the data in a clearer and more user friendly way.
I would like to continue adding tutorials and laws to the main website to cover a much
broader area of ethical hacking, with the hopes it could eventually be used to teach all the
skills required to complete the "Certified Ethical Hacker" course. This would require me
to put more time and resources into learning new techniques myself, which is another
thing I would like to do in the future. As the website grows I would need to expand the
database to accommodate the increase in vulnerabilities. I imagine the end result
would be close to what I had planned in the initial Entity Relationship Diagram.
Finally, I would like to add a user account system that allows users to log-in and
receive score based feedback when practising techniques on the demonstration page.
This was something hinted at by the "Coulds" section of the requirement specification
but I was unable to complete within the project timeline.
9. Conclusion
The aim of the project was to create a website that allows users to learn about the impor-
tance of ethical hacking and explore the potential legal ramifications that may be triggered
by this practice. The tutorials and demonstration website offer a secure and effective
way for users to learn techniques that are commonly used by ethical hackers on a daily
basis. Overall I feel the project has been a success, as I have met all the requirements I
had set out to achieve and I have learnt a lot about time management and project devel-
opment over the course of the project. The delivered website gives users the opportunity
to follow tutorials and then practise what they have learnt on the available demonstration
site. The law library offers context and guidance to users wishing to use these skills.
I am satisfied with the project I have delivered and feel that it provides users with
some of the tools and knowledge required to enter the field of ethical hacking. My
website successfully teaches and demonstrates ethical hacking techniques, while also
providing some of the background legal knowledge necessary to practise ethical
hacking safely.
References
BBC (2012). Hacker Gary McKinnon will not face UK charges. https://www.bbc.co.uk/news/uk-20730627.
BBC (2019). Lauri Love: Alleged hacker loses legal fight over seized PCs. https://www.bbc.co.uk/news/uk-england-suffolk-47290438.
Burgess, M. (2018). What is GDPR? The summary guide to GDPR compliance in the UK. https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018on/.
Cameron, D. (2017). Today's massive ransomware attack was mostly preventable, here's how to avoid it. https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/.
Chia, P., Maynard, S., and Ruighaver, A. (2002). Understanding organizational security culture. Proceedings of PACIS 2002, Japan, 158.
European-Union (2018). General Data Protection Regulation. https://eugdpr.org/the-regulation/.
Flask (2019). What is Flask? https://pymbook.readthedocs.io/en/latest/flask.html.
Get-Safe-Online (2019). Data Protection Act. https://www.getsafeonline.org/businesses/data-protection-act/.
GOV.UK (2019a). Computer Misuse Act. https://www.legislation.gov.uk/ukpga/1990/18/contents/.
GOV.UK (2019b). Data protection. https://www.gov.uk/data-protection.
GOV.UK (2019c). Freedom of Information Act. https://www.legislation.gov.uk/ukpga/2000/36/contents.
Harkins, M. and Freed, A. M. (2018). The ransomware assault on the healthcare sector.
Hartley, R. D. (2015). Ethical hacking pedagogy: An analysis and overview of teaching students to hack. https://eds.a.ebscohost.com/eds/pdfviewer/pdfviewer?vid=3&sid=f4521a05-6538-4da1-b5ee-fc16fa479c7a%40sdc-v-sessmgr03.
Hern, A. (2018). What is GDPR and how will it affect you? https://www.theguardian.com/technology/2018/may/21/what-is-gdpr-and-how-will-it-affect-you.
Hospelhorn, S. (2018). What is the cyber kill chain and how to use it effectively. https://www.varonis.com/blog/cyber-kill-chain/.
ICO.org (2019). Guide to data protection. https://ico.org.uk/for-organisations/guide-to-data-protection/.
Lehrfeld, M. and Guest, P. (2016). Building an ethical hacking site for learning and student engagement. In SoutheastCon 2016, pages 1–6.
Lockheed-Martin (2015). Gaining the advantage. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf.
MySQL (2019). What is MySQL? https://dev.mysql.com/doc/refman/8.0/en/what-is-mysql.html.
Ohlhorst, F. (2019). 10 notorious hackers who went to work for 'the man'. https://www.eweek.com/security/nicholas-allegra-comex.
Olson, P. (2012). Exploding the myth of the 'ethical hacker'. https://www.forbes.com/sites/parmyolson/2012/07/31/exploding-the-myth-of-the-ethical-hacker/#6e619e6c33ea.
Pashel, B. A. (2006). Teaching students to hack: Ethical implications in teaching students to hack at the university level.
Patil, S., Jangra, A., Bhale, M., Raina, A., and Kulkarni, P. (2017). Ethical hacking: The need for cyber security. In 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI), pages 1602–1606.
php, n. (2019a). Overview of mysqli. https://www.php.net/manual/en/mysqli.overview.php.
php, n. (2019b). What is PHP. https://www.php.net/manual/en/intro-whatis.php.
Pike, R. E. (2013). The "ethics" of teaching ethical hacking. https://eds.a.ebscohost.com/eds/pdfviewer/pdfviewer?vid=0&sid=eb167c2a-b0d0-4187-b94c-011ede30ec89%40sessionmgr4009.
Porter, R. (2016). A brief history of the word "hacker". https://openmedia.org/en/brief-history-word-hacker/.
Python-Software-Foundation (2019). What is Python? Executive summary. https://www.python.org/doc/essays/blurb/.
Qbea'h, M., Alshraideh, M., and Sabri, K. E. (2016). Detecting and preventing SQL injection attacks: A formal approach. In 2016 Cybersecurity and Cyberforensics Conference (CCC), pages 123–129.
Schulte, S. R. (2013). Cached: Decoding the Internet in Global Popular Culture. NYU Press.
Simpson, M. T. (2012). Hands-on Ethical Hacking and Network Defense. Course Technology PTR.
Times, N. Y. (2018). Russian accused of hacking U.S. technology firms is extradited. https://www.nytimes.com/2018/03/30/world/europe/russian-hacker-us-czech-republic.html.
Trabelsi, Z. and Ibrahim, W. (2013). Teaching ethical hacking in information security curriculum: A case study. In 2013 IEEE Global Engineering Education Conference (EDUCON), pages 130–137.
tutorialspoint (2019). What is CSS. https://www.tutorialspoint.com/css/what_is_css.htm.
Unknown (2019). The Browser Exploitation Framework. https://beefproject.com/.
w3Schools (2019). HTML introduction. https://www.w3schools.com/html/html_intro.asp.
Wang, Y. and Yang, J. (2017). Ethical hacking and network defense: Choose your best network vulnerability scanning tool. In 2017 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA), pages 110–113.
web docs, M. (2019). JavaScript. https://developer.mozilla.org/en-US/docs/Web/JavaScript.
Yevdokymenko, M., Mohamed, E., and Onwuakpa, P. (2017). Ethical hacking and penetration testing using Raspberry Pi. In 2017 4th International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T), pages 179–181.
A. Gantt Chart
[Gantt chart image. Title: project schedule shown for revision, with week numbers and semester week numbers. Tasks listed: Project proposal; Project Proposal Submission; Literature review; Literature Review Submission; Design; SQL Injection; Progress Report Submission; Cross Site Scripting; Reconnaissance; Testing; Project Portfolio; Project Portfolio Submission; Presentation Preparation; Presentation.]
Figure 22: Project Gantt chart
C. Wire Frame Designs
Figure 24: wire-frame design for the home page
Figure 25: wire-frame design for the tutorials page
Figure 26: wire-frame design for the internet law page
Figure 27: wire-frame design for the about page
Figure 28: wire-frame design for the frequently asked questions page
D. Testing Results
Function/File       Task Description                                                 Pass (Y/N)
process.php         Connect to 'smartbank' database                                  Y
                    Query database using input values                                Y
                    If a match is found, user is redirected to 'smartBankHome.php'   Y
                    If no match is found, user is redirected to 'index.php'          Y
                    The SQL statement is echoed to screen                            Y
accountInfo.php     Connect to 'smartbank' database                                  Y
                    Query database using input values                                Y
                    Returns id, firstname, lastname and balance (if match)           Y
addReview.php       Connect to 'smartbank' database                                  Y
                    Adds user input to database 'reviews' table                      Y
displayReviews.php  Connect to 'smartbank' database                                  Y
                    Select all reviews from database 'reviews' table                 Y
                    Display reviews in table on reviewPage.php                       Y
resetDB.php         Connect to server                                                Y
                    Drop 'smartbank' database                                        Y
                    Create new 'smartbank' database                                  Y
                    Connect to 'smartbank' database                                  Y
                    Create 'customers' table                                         Y
                    Create 'reviews' table                                           Y
                    Insert data into 'customers' table                               Y
                    Insert data into 'reviews' table                                 Y
                    Load login page 'index.php'                                      Y
Table 1: Unit Test Results
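Table 1 records the steps of resetDB.php and the behaviour of the deliberately hackable login in process.php, but not how the two fit together. The block below is an added example, not the project's own PHP: it plays the same scenario through in Python against an in-memory SQLite database standing in for MySQL. It assumes process.php splices the submitted values straight into the statement and echoes it, as the test rows imply, and shows a parameterised version alongside. The customer columns username and password and the seed rows are constructed for the example; the report itself only names id, firstname, lastname and balance. SQLite has no DROP DATABASE, so dropping and recreating the two tables plays that role.

```python
import sqlite3

# Constructed seed rows for the example (the report's own data is not shown).
SEED_CUSTOMERS = [
    (1, "Alice", "Smith", "alice", "password1", 250.00),
    (2, "Bob", "Jones", "bob", "hunter2", 1200.50),
]
SEED_REVIEWS = [(1, "alice", "Great bank!")]


def reset_db(conn):
    """Mirror of the resetDB.php steps in Table 1: drop everything, recreate the
    'customers' and 'reviews' tables and reload the seed rows, so the demo site
    returns to a known state no matter what a learner did to it."""
    conn.executescript("""
        DROP TABLE IF EXISTS reviews;
        DROP TABLE IF EXISTS customers;
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
            username TEXT UNIQUE, password TEXT, balance REAL);
        CREATE TABLE reviews (id INTEGER PRIMARY KEY, username TEXT, review TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", SEED_CUSTOMERS)
    conn.executemany("INSERT INTO reviews VALUES (?, ?, ?)", SEED_REVIEWS)
    conn.commit()


def vulnerable_login(conn, username, password):
    """Assumed shape of process.php: the submitted values are spliced into the
    statement, which is then echoed to the screen for the learner to study."""
    sql = ("SELECT id, firstname FROM customers "
           f"WHERE username = '{username}' AND password = '{password}'")
    return sql, conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """Hardened form: placeholders keep the input as data, so a quote in the
    payload can never close the string literal."""
    sql = "SELECT id, firstname FROM customers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def snapshot(conn):
    """(customer rows, review rows, Alice's balance): enough to see tampering."""
    customers = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    reviews = conn.execute("SELECT COUNT(*) FROM reviews").fetchone()[0]
    balance = conn.execute("SELECT balance FROM customers WHERE id = 1").fetchone()[0]
    return customers, reviews, balance


def demo():
    conn = sqlite3.connect(":memory:")
    reset_db(conn)

    # The classic tutorial payload: closes the quoted value and ORs in a tautology.
    payload = "' OR '1'='1"
    echoed_sql, bypass = vulnerable_login(conn, payload, payload)
    rejected = safe_login(conn, payload, payload)

    # A learner 'damages' the demo site: edits a balance and posts a review.
    conn.execute("UPDATE customers SET balance = 999999 WHERE id = 1")
    conn.execute("INSERT INTO reviews VALUES (NULL, 'mallory', '<script>alert(1)</script>')")
    conn.commit()
    tampered = snapshot(conn)

    reset_db(conn)   # what the site's reset control does
    return {
        "echoed_sql": echoed_sql,
        "bypass": bypass,        # (1, 'Alice') despite a bogus password
        "rejected": rejected,    # None: the payload is just an odd username
        "tampered": tampered,
        "after_reset": snapshot(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The echoed statement is what makes the vulnerable version useful for teaching: a learner can see exactly where their quote landed. The reset routine is the other half of that bargain, since a practice target that cannot be returned to a known state quickly becomes useless once the first learner has modified the reviews table.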