{"id":27993970,"url":"https://github.com/ahmeddwalid/softsecproj","last_synced_at":"2025-05-08T19:04:50.649Z","repository":{"id":270868513,"uuid":"911702175","full_name":"ahmeddwalid/SoftSecProj","owner":"ahmeddwalid","description":"Software Security Milestone 2 project","archived":false,"fork":false,"pushed_at":"2025-01-03T21:16:45.000Z","size":2972,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-08T19:04:29.626Z","etag":null,"topics":["burpsuite","java","kali-linux","metasploitable","secure-coding","sql-injection","sqldatabase","xss-attacks"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ahmeddwalid.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-03T16:35:33.000Z","updated_at":"2025-01-03T21:16:48.000Z","dependencies_parsed_at":"2025-01-03T23:45:42.759Z","dependency_job_id":null,"html_url":"https://github.com/ahmeddwalid/SoftSecProj","commit_stats":null,"previous_names":["ahmeddwalid/softsecproj"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahmeddwalid%2FSoftSecProj","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahmeddwalid%2FSoftSecProj/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahmeddwalid%2FSoftSecProj/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahmeddwalid%2FSoftSecProj/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ahmeddwalid","download_url":"https://codeload.github.com/ahmeddwalid/SoftSecProj/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253133133,"owners_count":21859111,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["burpsuite","java","kali-linux","metasploitable","secure-coding","sql-injection","sqldatabase","xss-attacks"],"created_at":"2025-05-08T19:04:49.967Z","updated_at":"2025-05-08T19:04:50.628Z","avatar_url":"https://github.com/ahmeddwalid.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\n\n\u003cdiv id=\"top\"\u003e\u003c/div\u003e \u003ch2 align=\"center\"\u003eSoftware Security Project\u003c/h2\u003e \u003ch3 align=\"center\"\u003eAhmed Walid\u003c/h3\u003e \u003ch3 align=\"center\"\u003eAhmed Mohamed\u003c/h3\u003e \u003ch3 align=\"center\"\u003eAlSayed Aly\u003c/h3\u003e \u003ch3 align=\"center\"\u003eOmar Shereif\u003c/h3\u003e \n \u003cp align=\"center\"\u003e \n Software Security Project \n \u003cbr /\u003e \n \u003ca href=\"https://github.com/ahmeddwalid/SoftSecProj/blob/main/README.md\"\u003e\u003cstrong\u003eExplore the docs »\u003c/strong\u003e\u003c/a\u003e \n \u003cbr /\u003e \n \u003cbr /\u003e \n \u003ca href=\"https://github.com/ahmeddwalid/SoftSecProj/issues\"\u003eReport Bug\u003c/a\u003e \n · \n \u003ca href=\"https://github.com/ahmeddwalid/SoftSecProj/pulls\"\u003eRequest Feature\u003c/a\u003e \n \u003c/p\u003e \n\u003c!-- TABLE OF CONTENTS --\u003e\n\n\u003cdetails\u003e \n \u003csummary\u003eTable of Contents\u003c/summary\u003e \n \u003col\u003e \n \u003cli\u003e \n \u003ca href=\"#about-the-project\"\u003eAbout The Project\u003c/a\u003e \n \u003c/li\u003e \n \u003cli\u003e\u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e\u003c/li\u003e \n \u003cli\u003e\u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e\u003c/li\u003e \n \u003cli\u003e\u003ca href=\"#license\"\u003eLicense\u003c/a\u003e\u003c/li\u003e \n \u003cli\u003e\u003ca href=\"#contact\"\u003eContact\u003c/a\u003e\u003c/li\u003e \n \u003cli\u003e \n \u003ca href=\"#acknowledgments\"\u003eAcknowledgments\u003c/a\u003e \n \u003c/li\u003e \n \u003c/ol\u003e \u003c/details\u003e\n\n\u003c!-- ABOUT THE PROJECT --\u003e \n\n## About The Project\n\n\u003c!-- FEATURES --\u003e\n\n### Features\n\n- **Secure** trust me bro\n\n### Part 1:\n\nVery Secure Java Project\n\nDo you really need to know more?\n\n### Part 2:\n\n#### The first step is to open METASPLOIT2 to initiate the exploitation of vulnerabilities :\n\n1. Obtain the IP address by the \"ifconfig\" command\n ![ip address](images/Picture1.png)\n2. Open the acquired Ip address in the browser and navigate to **DVWA**, select **DVWA Security**, and choose the desired security level\n ![DVWA Security Level](images/Picture2.png)\n\n#### Prepare Burp Suite as follows:\n\n1. Open the tool and press Start\n ![Start](images/Picture3.png)\n2. Target Scoping: Analyze the spidering results to identify high-value targets, such as:\n\n - User input fields in forms (e.g., login, registration, search).\n - Dynamic parameters in URLs.\n - Cookies and session-related data.\n ![Cookies](images/Picture4.png)\n Once the scope and security level are selected, proceed to:\n\n#### Vulnerability Assessment\n\n1. Reflected XSS (Levels: Easy, Medium, High)\n - Steps:\n - Enter the username and password \u003e\u003e\u003etest\n - Activate the proxy and turn \"Intercept\" on.\n - Identify the request, edit it, and send it to the repeater.\n ![Request](images/Picture5.png)\n - Send it to the repeater and insert the payload: \u003cscript\u003ealert(1)\u003c/script\u003e\n ![Payload](images/Picture6.png)\n\n- Vulnerability Exploited successfully\n ![Payload](images/Picture7.png)\n\nFor higher levels, the same methodology is repeated:\n\n- **Medium:** Payload: `\u003cSCRIPT\u003ealert(1)\u003c/script\u003e`\n ![Payload](images/Picture8.png)\n ![Payload](images/Picture9.png)\n ![Payload](images/Picture10.png)\n- **High:** Payload: `\u003cimg src=x onerror=alert(“1”)\u003e`\n\n ![Payload](images/Picture11.png)\n ![Payload](images/Picture12.png)\n ![Payload](images/Picture14.png)\n\n---\n\n2. Stored XSS\n Follow the same levels and methodology as for reflected XSS\n ![Payload](images/Picture15.png)\n ![Payload](images/Picture16.png)\n ![Payload](images/Picture17.png)\n ![Payload](images/Picture18.png)\n\n---\n\n3. Brute Force Attacks\n 1. Enter the username and password, then enable the proxy\n 2. Send the request to the Intruder, select the key (e.g., \"test\"), and press \"Add$\"\n 3. Write the payloads and start the attack\n ![Payload](images/Picture18.png)\n 4. Analyze the results: Look for changes in response length to identify the correct payload\n ![Payload](images/Picture18.png)\n\n4. SQL injection\n\n````\n1' OR '1'='1'#\n'UNION SELECT user, password FROM users --\n'UNION SELECT user, password FROM users --\n'UNION SELECT table_name, NULL FROM information_schema.tables --\n````\n![Payload](images/Picture20.png)\n![Payload](images/Picture21.png)\n![Payload](images/Picture22.png)\n\n---\n\n### **Summary**\n**List of Identified Vulnerabilities**\n1. **SQL Injection**\n - **Description:** Exploiting SQL queries by injecting malicious inputs to gain unauthorized access or manipulate the database.\n - **Potential Impact:**\n - Unauthorized access to sensitive data.\n - Data corruption or deletion.\n - Full database compromise.\n - **Recommendations:**\n - Input validation.\n - Use parameterized queries or stored procedures.\n - Restrict database user permissions.\n - Avoid exposing detailed error messages.\n\n2. **Cross-Site Scripting (XSS)**\n - **Description:** Injecting malicious scripts into web pages to affect users.\n - **Potential Impact:**\n - Session cookie theft.\n - Web page defacement.\n - Malware spread.\n - Loss of trust.\n - **Recommendations:**\n - Sanitize inputs.\n - Implement a Content Security Policy (CSP).\n - Encode user inputs.\n - Use HTTPOnly and Secure flags for cookies.\n\n3. **Brute Force Attacks**\n - **Description:** Systematic attempts to guess user credentials.\n - **Potential Impact:**\n - Unauthorized account access.\n - Exploitation of user privileges.\n - Account lockouts.\n - **Recommendations:**\n - Account lockout mechanisms.\n - Implement CAPTCHAs.\n - Enforce strong password policies.\n - Use multi-factor authentication (MFA).\n - Monitor failed login attempts.\n\n---\n\n\u003c!-- CONTRIBUTING --\u003e\n\n# Contributing\n\nAny contributions you make are **greatly appreciated**.\n\nProject Link: [https://github.com/ahmeddwalid/SoftSecProj](https://github.com/ahmeddwalid/SoftSecProj)\n\n\u003c!-- LICENSE --\u003e\n\n# License\n\nThis project is distributed under the [Apache 2.0 license](https://choosealicense.com/licenses/apache-2.0/). See\n[```LICENSE.txt```](/LICENSE) for more information.\n\n\u003c!-- CONTACT --\u003e\n\n# Contact\n\nAhmed Walid\n\n- [Email](ahmedwalid.c3301@gmail.com)\n\nAhmed Mohamed\n\n- [Email](ahmedelgeen3@gmail.com)\n\nAlsayed Aly\n\n- [Email](sayedalymadany@gmail.com)\n\nOmar Sherief\n\n- [Email](omarserif2003@gmail.com)\n\n\u003c!-- ACKNOWLEDGMENTS --\u003e\n\n# Acknowledgments\n\n* [Java Documentation](https://docs.oracle.com/en/java/)\n\n\u003cp align=\"right\"\u003e(\u003ca href=\"#top\"\u003eback to top\u003c/a\u003e)\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fahmeddwalid%2Fsoftsecproj","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fahmeddwalid%2Fsoftsecproj","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fahmeddwalid%2Fsoftsecproj/lists"}