A project dedicated to showcasing web-app security attacks and the corresponding measures to safeguard against those attacks
Blakley/SecureWeb

SecureWeb

A project built using the Django framework. It features a demo in which users attack several login forms, each protected by a different control, to understand how those controls work and how they can be bypassed. The wider goal of the project is to encourage developers to follow industry standards when designing applications with user authentication.

Login Forms:

Below is an overview of the basic security behind each login form.

[Form 1]

Login Form 1

  • No security. This login form is meant to be completely vulnerable to password spraying (trying one common password against many accounts): there is no limit on attempts per client or per account.

[Form 2]

Login Form 2

  • The approach used against form 1 will not work here: this form rate limits client requests. If the number of requests from a client exceeds a fixed threshold within one minute, that client is no longer able to send requests to the form. Because the limit is keyed on the client's IP address, it can be bypassed by spreading the requests across many source addresses, for example through rotating proxies.

[Form 3]

Login Form 3


  • Basic captchas were introduced in this login form. After a login attempt you must solve a captcha before you receive the login status. Given how the captchas are generated in this form, one could write a script that solves and submits them automatically, so the captcha adds only a small cost per attempt.
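To make the Form 3 weakness concrete, here is an added example (not the project's captcha code): a constructed "basic" captcha, an arithmetic question whose answer is fully determined by the visible challenge text, beside the bot that solves it. The `CaptchaStore` class shows the server-side checks a practitioner would still insist on (the answer never leaves the server, each token is single use, and tokens expire); those checks stop replay and precomputation but, as the test shows, they do not stop a bot that can compute the answer from the challenge itself. The challenge format, the `CaptchaStore` API and the 120-second TTL are assumptions for this example.

```python
import random
import re
import secrets

# Assumption: a constructed text-arithmetic captcha standing in for the project's
# generator (whose exact logic is not shown here). Its weakness is that the answer
# is a pure function of the challenge text, so no human is needed to solve it.
_OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def make_challenge(rng=random):
    """Server side: return (challenge_text, expected_answer)."""
    a, b = rng.randint(1, 20), rng.randint(1, 20)
    op = rng.choice("+-*")
    return f"What is {a} {op} {b}?", _OPS[op](a, b)


def solve_challenge(text):
    """Attacker side: parse the question and compute the answer."""
    m = re.fullmatch(r"What is (\d+) ([+*-]) (\d+)\?", text)
    if not m:
        raise ValueError("unrecognised challenge: " + text)
    return _OPS[m.group(2)](int(m.group(1)), int(m.group(3)))


class CaptchaStore:
    """Server side: answers are kept only here, tokens are single use and expire.
    (Assumed API for this example.)"""

    def __init__(self, ttl=120.0):
        self.ttl = ttl
        self.pending = {}  # token -> (answer, issued_at)

    def issue(self, now):
        text, answer = make_challenge()
        token = secrets.token_urlsafe(16)
        self.pending[token] = (answer, now)
        return token, text  # only the token and the question go to the client

    def verify(self, token, submitted, now):
        entry = self.pending.pop(token, None)  # pop: a token can be checked exactly once
        if entry is None:
            return False
        answer, issued = entry
        if now - issued > self.ttl:
            return False
        return submitted == answer


def bot_passes(store, now=0.0):
    """A script fetches a challenge, solves it and submits it; the store accepts it."""
    token, text = store.issue(now)
    return store.verify(token, solve_challenge(text), now)


def replay_fails(store, now=0.0):
    """The same solved token cannot be reused for a second login attempt."""
    token, text = store.issue(now)
    answer = solve_challenge(text)
    return store.verify(token, answer, now), store.verify(token, answer, now)


def expired_fails(store):
    """A token solved long after it was issued is rejected even with the right answer."""
    token, text = store.issue(now=0.0)
    return store.verify(token, solve_challenge(text), now=store.ttl + 80.0)
```

The lesson for Form 3 is in `bot_passes`: however carefully the token is handled, a captcha whose answer can be computed from the challenge only throttles an attacker by the cost of one regex match.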

[Form 4]

Login Form 4

  • This login form locks out an account after a fixed number of failed attempts, rather than blocking clients. Where this is the only control, an attacker who knows or can guess usernames can deliberately lock out as many accounts as possible by sending that many wrong passwords for each one, turning the protection into a denial of service against legitimate users.
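The following added example (not the project's own code) models Forms 1, 2 and 4 in a few dozen lines so the behaviours described above can be run and checked: a per-IP rate limiter, a per-account lockout, a login endpoint that can carry either control, and a password spray that rotates source addresses. `demo_form1` shows the spray succeeding with no controls, `demo_form2` shows the same spray cut off by the rate limit from one address but sailing through when each request comes from one of 1500 private addresses (as proxies.py arranges), and `demo_form4_lockout_dos` shows a lockout-only form being used to lock every account. The user table, the thresholds (2 requests per minute, 5 failures per account) and the class names are assumptions for this example.

```python
from collections import defaultdict, deque

# Constructed credential table standing in for the app's user store (assumption:
# not the project's data). Two accounts share a common seasonal password, which is
# exactly what a password spray is built to find.
USERS = {"alice": "Winter2024!", "bob": "hunter2", "carol": "Winter2024!"}


class RateLimiter:
    """Form 2 style control: at most `limit` requests per client IP in any `window` seconds."""

    def __init__(self, limit=10, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, client_ip, now):
        q = self.hits[client_ip]
        while q and now - q[0] >= self.window:  # drop requests that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Form 4 style control: lock an account after `threshold` consecutive failures."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)  # username -> consecutive failures

    def is_locked(self, username):
        return self.failures[username] >= self.threshold

    def record(self, username, success):
        self.failures[username] = 0 if success else self.failures[username] + 1


class LoginForm:
    """A login endpoint with zero, one or both controls attached."""

    def __init__(self, rate_limiter=None, lockout=None):
        self.rl, self.lo = rate_limiter, lockout

    def login(self, client_ip, username, password, now=0.0):
        """Return 'ok', 'bad', 'rate_limited' or 'locked'."""
        if self.rl and not self.rl.allow(client_ip, now):
            return "rate_limited"
        if self.lo and self.lo.is_locked(username):
            return "locked"
        ok = USERS.get(username) == password
        if self.lo:
            self.lo.record(username, ok)
        return "ok" if ok else "bad"


def spray(form, usernames, password, source_ips):
    """Password spray: one password against every account, one request per second,
    rotating through `source_ips` so each request can arrive from a new address."""
    return {
        user: form.login(source_ips[i % len(source_ips)], user, password, now=float(i))
        for i, user in enumerate(usernames)
    }


def demo_form1():
    """No controls: every account using the sprayed password is found."""
    results = spray(LoginForm(), list(USERS), "Winter2024!", ["203.0.113.5"])
    return [u for u, r in results.items() if r == "ok"]


def demo_form2(rotate_ips):
    """Per-IP rate limit (2 requests/minute here): a single source address is cut off
    after two attempts, but 1500 rotating private addresses each get a fresh budget."""
    form = LoginForm(rate_limiter=RateLimiter(limit=2, window=60.0))
    ips = [f"10.0.{(i + 1) // 256}.{(i + 1) % 256}" for i in range(1500)] if rotate_ips else ["203.0.113.5"]
    return spray(form, list(USERS), "Winter2024!", ips)


def demo_form4_lockout_dos():
    """Lockout only: the attacker sends `threshold` wrong passwords per account;
    afterwards even the correct password is refused for every user."""
    form = LoginForm(lockout=AccountLockout(threshold=5))
    for user in USERS:
        for _ in range(5):
            form.login("198.51.100.9", user, "definitely-wrong")
    return {user: form.login("192.0.2.10", user, pw) for user, pw in USERS.items()}
```

The two failure modes are symmetric: the rate limiter keys on the attacker-controlled source address, so the attacker changes it; the lockout keys on the victim-controlled username, so the attacker targets it. Neither control on its own is sufficient, which is the point the four forms are built to make.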

Utility scripts:

Several Python scripts are provided that you can use to attack each login form. Otherwise, use a general-purpose tool such as Burp Suite (Intruder) for the online attacks; note that John the Ripper is an offline hash cracker and does not submit requests to a login form.

  1. attack.py : A script that attempts to bypass the security measures in place for each login form.

  2. monitor.py : A useful script that will continually monitor updates to the login.log file, which shows the login attempts to each login form.

  3. proxies.py : A script that creates 1500 private IP addresses on the local machine, which are then used as rotating source addresses to mimic rotating proxies and bypass rate limiting and IP blocking. Note, this only works on Linux.
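On the defensive side of monitor.py, the following added example (not the project's monitor.py) runs two detection rules over login-log lines: many distinct usernames failing from one address inside a short window (a password spray against forms 1 to 3) and one username failing from many addresses (distributed guessing, or the lockout abuse that form 4 invites). The line format, the sample lines and the thresholds are assumptions made for this example; the project's login.log may use a different format, in which case only `LINE_RE` needs to change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format for login.log (not the project's documented format; adjust LINE_RE).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) form=(?P<form>\d) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a spray from one address against form 1, a real user mistyping
# once on form 2, and one account hammered from four addresses on form 4.
SAMPLE_LOG = """\
2024-03-01 10:00:01 form=1 ip=203.0.113.5 user=alice result=FAIL
2024-03-01 10:00:02 form=1 ip=203.0.113.5 user=bob result=FAIL
2024-03-01 10:00:03 form=1 ip=203.0.113.5 user=carol result=FAIL
2024-03-01 10:00:04 form=1 ip=203.0.113.5 user=dave result=OK
2024-03-01 10:02:10 form=2 ip=192.0.2.10 user=alice result=FAIL
2024-03-01 10:02:25 form=2 ip=192.0.2.10 user=alice result=OK
2024-03-01 10:05:00 form=4 ip=198.51.100.1 user=erin result=FAIL
2024-03-01 10:05:01 form=4 ip=198.51.100.2 user=erin result=FAIL
2024-03-01 10:05:02 form=4 ip=198.51.100.3 user=erin result=FAIL
2024-03-01 10:05:03 form=4 ip=198.51.100.4 user=erin result=FAIL
"""


def parse(lines):
    """Yield (timestamp, form, ip, user, success) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a live tail can contain partial or unrelated lines
        d = m.groupdict()
        yield (datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"), int(d["form"]),
               d["ip"], d["user"], d["result"] == "OK")


def first_window_with_distinct(items, window, threshold):
    """items: (timestamp, key) pairs sorted by timestamp. Return (distinct, start, end) for
    the first sliding window of length `window` holding >= `threshold` distinct keys."""
    seen = defaultdict(int)
    start = 0
    for ts, key in items:
        seen[key] += 1
        while ts - items[start][0] > window:  # slide the left edge forward
            old = items[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        if len(seen) >= threshold:
            return len(seen), items[start][0], ts
    return None


def detect(lines, window=timedelta(minutes=5), spray_users=3, distributed_ips=3):
    """Run both rules over failed attempts only; successful logins are not evidence."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, _form, ip, user, ok in parse(lines):
        if ok:
            continue
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))
    alerts = []
    for ip, items in by_ip.items():
        hit = first_window_with_distinct(sorted(items), window, spray_users)
        if hit:
            alerts.append({"rule": "password_spray", "key": ip,
                           "distinct": hit[0], "start": hit[1], "end": hit[2]})
    for user, items in by_user.items():
        hit = first_window_with_distinct(sorted(items), window, distributed_ips)
        if hit:
            alerts.append({"rule": "distributed_failures", "key": user,
                           "distinct": hit[0], "start": hit[1], "end": hit[2]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feeding `detect` with the lines a tail produces (as monitor.py does) gives a live view of the same attacks the utility scripts generate; the second rule is the one that catches proxy rotation, because the attacker can change the source address but not the account being targeted.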

Dependencies:

Run the following command from the src directory, where requirements.txt is located, to install the necessary modules.

pip install -r requirements.txt

Deployment:

To start the development web server, run:

python manage.py runserver

and then open the URL that runserver prints (http://127.0.0.1:8000/ by default).
