Академический Документы
Профессиональный Документы
Культура Документы
Merideth Moore
March 25, 2019
TABLE OF CONTENTS
INTRODUCTION: .................................................................................................................................4
PREPARATION: ...................................................................................................................................5
ENGAGEMENT SUMMARY: ...................................................................................................................6
DETAILED FINDINGS: ......................................................................................................................8
RECONNAISSANCE FINDINGS: ........................................................................................................8
SCANNING FINDINGS: .................................................................................................................... 11
VULNERABILITY SCANNING FINDINGS: ...................................... 15
CONCLUSION: ........................................................... 19
APPENDIX A: CARELINE SCREENSHOTS ...................................... 20
CareLine | 2
1
INTRODUCTION
CareLine | 3
INTRODUCTION:
In a world that is dependent on technology and web
applications, cybersecurity attacks have been on the rise.
According to Positive Technologies Security, in 2017 there were
350,000 various cybersecurity attacks. Of these 350,000
attacks, web applications in the healthcare industry were the
most targeted due their confidential patient data and the
ability of hackers to hold this information for blackmail.
CareLine | 4
PREPARATION:
CareLine | 5
ENGAGEMENT SUMMARY:
During the course of 28 days, I (Merideth Moore) conducted a
penetration test to evaluate CareLine. My test began on
February 18, 2019 and concluded on March 17, 2019.
CareLine | 6
2
DETAILED
FINDINGS
CareLine | 7
DETAILED FINDINGS:
RECONNAISSANCE FINDINGS:
Screenshot 1:
CareLine | 8
As presented in Screenshot 1, I was able to immediately
uncover CareLine’s exact domain through the use of the
following queries:
Screenshot 2:
CareLine | 9
Screenshot 3:
CareLine | 10
SCANNING FINDINGS:
Screenshot 4:
CareLine | 11
Screenshot 5:
Screenshot 6:
CareLine | 12
Screenshot 7:
CareLine | 13
Lastly for Screenshots 6 and 7, upon the completion of the
scans, general information was returned on the host of the
application. As visible in Screenshot 6, I was able to gather
a “fish eye” view of the application and how it is being
hosted. Given in the screenshot, we can tell that the
application is being hosted on one singular computer with the
IP Address of 69.55.55.228. This information is important and
fairly alarming as it gives an potential in for a hacker.
Additionally, in Screenshot 7, were also able to gather
additional details on the rest of the ports and the operating
system (Not Available). This was great and showed extreme
security as the application didn’t have any major opened ports
or an operating system that could be exploited easily.
With Nmap and several commands being utilized above, A TCP scan
was conducted compared to using a UDP scan. Using a TCP scan was
desirable as it is faster compared to a UDP scan. A TCP scan can
be executed quickly and is able to scan thousands of ports in
seconds without being impeded by firewalls or other barriers.
UDP scanning is considered to be undesirable since it typically
includes sending a packet to each targeted port and this causes
it to be extremely slow in comparison to TCP.
CareLine | 14
VULNERABILITY SCANNING FINDINGS:
Screenshot 8:
CareLine | 15
In addition to attempting to get access to the application, three other
attacks were attempted against CareLine. The first attack was Cross
Site Scripting (XSS). XSS is the process of using a malicious injection
to attack the code of the web application and insert malicious code. In
this particular test, a simple injection was created and executed
against CareLine, but was not successful. The results of this test
concluded the CareLine was secure from XSS attacks.
The second attempted attack on CareLine was a SQL Injection. Just like
XSS, this is another form of utilizing malicious code to disrupt the
web application. In the case of CareLine and this test, a SQL Injection
was attempted because the primary database for CareLine is SQL. Any
potential SQL Injection that comes from outside hackers could
potentially destroy the entire web application and doing a pre-test of
this before a real occurrence is critical. As displayed in Screenshot
9, the final results of our test were that we utilized a modified SQL
Injection code and
ran this against the application. Overall, CareLine was able to
withstand the modified SQL Injection and displayed great security for
the future.
Screenshot 9:
CareLine | 16
The last and final attack that was performed was a directory traversal.
A directory traversal is a specialized Hyper Text Transfer Protocol
(HTTP) attack that allows for hackers to gain access to the critical
directories of a web application. For CareLine, the heart of the
project rests within the directories and ensuring that they are secure
is important.
CareLine | 17
3
CONCLUSION AND
APPENDIX
CareLine | 18
CONCLUSION:
Overall, this was a great and fun way to turn the last of my Senior
Project into a security project as well. I believe that the execution
and research of techniques that I was able to do was important and it
allowed for me to grow in a personal and professional sense. It was
great completing this project and I look forward to doing more of these
in my future career.
CareLine | 19
APPENDIX A: CARELINE SCREENSHOTS
Home/Marketing Page:
Caretaker Dashboard:
CareLine | 20
Patient Page:
Clinic Page:
CareLine | 21
CareLine | 22