UTS Cyber Security Problem Statement

Creating a self-hosted vulnerable web target

Last semester, I completed a Software Engineering project and wrote a Node.js app called Mastodon. It was intended to be a UTS registration portal for booking medical appointments with in-faculty medical staff or medical students, as currently the only way to book an appointment is to call a helpline, which can only be reached during business hours.

The app runs on Node.js, with no middleware, and uses Mongo for its record collection.
Researching web exploitation, and learning that a vast majority of web-related attacks are XSS based, has helped me formulate a plan to attack my own system using a variety of XSS attacks and tools.

This can be a strong learning experience, as the app itself was not designed with security in mind, barring basic input validation. I have the advantage of knowing exactly how the application is structured internally, and in case I ever get stuck, the app will be hosted on a private VPS that I can share with the class and ask them to rip it apart. I can then check the logs to see exactly what damage they did, and potentially find out how.
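To make the XSS angle concrete, here is an added example (not code from Mastodon or from the original post) of a middleware-free Node.js handler in the style of the stack described above. It assumes a hypothetical greeting page that reflects a `name` query parameter, and it shows why "basic input validation" on its own is not the XSS fix: the value is validated on the way in, encoded at the HTML output sink, and a Content-Security-Policy header is sent as defence in depth.

```javascript
// Added example, not the Mastodon app's own code. Plug `handler` into
// http.createServer(handler).listen(3000) to run it; no middleware is used.

// Encode the five characters that let text escape an HTML text node or
// attribute value. This is the actual XSS mitigation: encode at the sink.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities survive
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical "basic input validation": an allowlist for a person's name.
// Note that it still admits an apostrophe (O'Brien), which is meaningful in
// an HTML attribute context, so validation alone is not enough.
function isValidName(name) {
  return /^[A-Za-z' -]{1,40}$/.test(name);
}

// Render the greeting page. `name` is user-controlled, so it is encoded here
// regardless of whether it was validated earlier.
function renderGreeting(name) {
  return `<!doctype html><html><body>
<h1>Welcome, ${escapeHtml(name)}</h1>
<p>Book an appointment below.</p>
</body></html>`;
}

// Plain Node.js request handler (signature of http.createServer's callback).
function handler(req, res) {
  const url = new URL(req.url, 'http://localhost');
  const name = url.searchParams.get('name') || 'student';
  if (!isValidName(name)) {
    res.writeHead(400, { 'Content-Type': 'text/plain; charset=utf-8' });
    res.end('Invalid name');
    return;
  }
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    // Defence in depth: block inline script even if an encoding step is missed.
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  });
  res.end(renderGreeting(name));
}
```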

Initial research has brought me to focus on 2 main tools:

  • Burp Suite, which I have already covered a little in my Hack The Box progress
  • BeEF, which is a brand new tool that I have zero experience with and am keen to learn about.

The application was constructed after a mentor-reviewed design process and software development lifecycle, which means that it could potentially be a fairly accurate representation of a lower-tier hosted web app, such as a small-time shop or blog, that hasn't had the privilege of an experienced developer who knows how to properly secure a website.