SANTHOSH4508/Basic-Penetration-Testing-Report-Ethical-Hacking

🛡️ Basic-Penetration-Testing-Report-Ethical-Hacking - Secure Your Web Application Effectively

Download the latest release

👥 Group Members

Faisal Ahmed | MD. Shafiur Rahman | MD. Nafizur Rahman Bhuiya | Maisa Tarannum Srizee | Naima Nawar Achol

📜 Overview

This repository contains the penetration testing report for the TechEcommerce Project. The Zero Day Defenders group conducted this testing as part of the Ethical Hacking course (CSE496, Fall 2024). The project aimed to find vulnerabilities, test weaknesses, and suggest methods to secure the application.


🚀 Getting Started

To run this project, follow these steps to set it up on your computer.

🖥️ System Requirements

  • Operating System: Windows, macOS, or Linux
  • Software: XAMPP (to set up the development environment)
  • Disk Space: At least 200 MB of free space
  • Access: Internet connection for downloading the files

💾 Installation Steps

  1. Download XAMPP:

  2. Set Up the Project:

    • Open the htdocs folder in your XAMPP installation directory.
    • Download the project files from the Releases page.
    • Move the downloaded files into the htdocs folder.
  3. Create the Database:

    • Since there are no .sql files included, you will need to create the database manually.
    • Open phpMyAdmin at http://localhost/phpmyadmin.
    • Create a new database with the name tech_ecommerce.
    • Manually add tables and data as per the specifications in the report.

🔗 Download & Install

To download the latest version of the penetration testing report, visit this page:

Download the latest release


🔍 Attack Summary

The report gives a detailed analysis of each attack attempted during testing, grouped by whether it succeeded.

✅ Successful Attacks

  1. SQL Injection: untrusted input reached the application's SQL queries, so an attacker could change the query the database executes.
  2. Data Tampering: data the application trusted could be modified by an unauthorized party and was accepted by the server.
  3. Replay Attack: a previously captured valid request could be resent and was accepted again by the server.
  4. Brute Force: weak passwords were recovered by repeated automated guessing against the login.
  5. Data Disclosure: sensitive information was exposed to parties who should not have been able to read it.
  6. Insider Attack: internal users could misuse the access rights they legitimately held.
  7. IDOR (Insecure Direct Object Reference): objects could be retrieved by supplying their identifier, without a check that the requesting user was entitled to them.
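The SQL Injection and IDOR findings above, and the "Use Prepared Statements" recommendation below, are illustrated by the following added example. It is not code from the TechEcommerce project; it assumes the site is a PHP application on XAMPP using PDO, and the `users` and `orders` tables, their rows, and the injection payload are constructed here in an in-memory SQLite database so the file runs stand-alone with the PHP CLI.

```php
<?php
// Added example; not code from the TechEcommerce project. It assumes PHP on
// XAMPP with a PDO connection. The tables and rows below are constructed in an
// in-memory SQLite database so the file runs stand-alone (php example.php).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, total REAL)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO orders VALUES (100, 1, 49.90), (101, 2, 120.00)");

// VULNERABLE: the username is pasted into the SQL text, so an input such as
// "' OR '1'='1" rewrites the WHERE clause and every user row comes back.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the username is bound as a parameter. The database receives the query
// shape and the value separately, so the value can never alter the query.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// IDOR: the query is parameterised (no injection), yet any logged-in user can
// read any order simply by changing the id they send.
function getOrderVulnerable(PDO $db, int $orderId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, total FROM orders WHERE id = :id');
    $stmt->execute([':id' => $orderId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: ownership is enforced inside the query, keyed on the user id taken from
// the server-side session, never from anything the client submitted.
function getOrderSafe(PDO $db, int $orderId, int $sessionUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_id, total FROM orders WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $orderId, ':uid' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a classic tautology payload, and bob (user 2) requesting
// alice's order 100.
$payload = "' OR '1'='1";
printf("injection, concatenated query: %d user(s) returned\n", count(findUserVulnerable($db, $payload)));
printf("injection, prepared statement: %d user(s) returned\n", count(findUserSafe($db, $payload)));
printf("order 100, no owner check:      %s\n", getOrderVulnerable($db, 100) ? 'returned' : 'denied');
printf("order 100, owner check, user 2: %s\n", getOrderSafe($db, 100, 2) ? 'returned' : 'denied');
```

Run with `php example.php`. The concatenated query returns both users for the payload while the prepared statement returns none, and the order lookup is only denied once the session's user id is part of the WHERE clause. Note that parameterisation alone does not fix IDOR: the second pair of functions is injection-safe in both versions, and only the ownership condition closes the hole.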

❌ Unsuccessful Attacks

The report also covers attempts that did not succeed, providing insights into the application's strengths.


🛠️ Recommendations

To safeguard your application, consider implementing these measures:

  1. Use Prepared Statements: bind user input as query parameters so the database never interprets it as SQL. This removes the injection class outright instead of trying to filter individual payloads.
  2. Implement Strong Password Policies: enforce a minimum length, reject known-weak passwords, store passwords only as a slow salted hash (for example bcrypt), throttle or lock accounts after repeated failed logins to stop brute force, and add multi-factor authentication.
  3. Validate User Input: validate every request on the server against the expected type, range and format, and check that the requesting user is authorized for the object it names; client-side checks can be bypassed. This addresses both data tampering and IDOR.
  4. Monitor User Activity: log authentication events and sensitive actions with the user, timestamp and source address, and review the log so that internal misuse is caught early.
  5. Conduct Regular Security Audits: repeat testing after significant changes, since new vulnerabilities appear over time.
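Recommendations 2 and 4 (password policy with lockout against brute force, and monitoring of user activity) are shown together in the following added example. It is not the project's code; it assumes a PHP login handler, and the `$users` array and `$log` array are constructed stand-ins for the users table and the audit log so the file runs without a database.

```php
<?php
// Added example; not code from the TechEcommerce project. Assumes a PHP login
// handler. $users and $log are constructed stand-ins for the users table and
// the audit log so this runs stand-alone with the PHP CLI.
const MIN_PASSWORD_LEN = 12;
const MAX_FAILURES     = 5;     // failed attempts before the account is locked
const LOCKOUT_SECONDS  = 900;   // lockout length: 15 minutes

function passwordMeetsPolicy(string $pw): bool
{
    // Length is the strongest single control; also refuse a small list of
    // known-bad values (a real deployment would check a breached-password list).
    $denylist = ['password', 'password123', '123456789012', 'qwertyuiop12'];
    return strlen($pw) >= MIN_PASSWORD_LEN && !in_array(strtolower($pw), $denylist, true);
}

function createUser(array &$users, string $name, string $pw): bool
{
    if (!passwordMeetsPolicy($pw)) {
        return false;
    }
    $users[$name] = [
        'hash'         => password_hash($pw, PASSWORD_DEFAULT), // bcrypt, salt embedded
        'failures'     => 0,
        'locked_until' => 0,
    ];
    return true;
}

function audit(array &$log, string $event, string $user, string $ip, int $now): void
{
    // One line per security event: who, from where, when, and what happened.
    $log[] = sprintf('%s event=%s user=%s ip=%s', date('c', $now), $event, $user, $ip);
}

function login(array &$users, array &$log, string $name, string $pw, string $ip, int $now): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    if (!isset($users[$name])) {
        password_verify($pw, $dummyHash); // same cost as a real check: no timing oracle on usernames
        audit($log, 'login_failed_unknown_user', $name, $ip, $now);
        return false;
    }
    $u = &$users[$name];
    if ($u['locked_until'] > $now) {
        audit($log, 'login_rejected_locked', $name, $ip, $now);
        return false;
    }
    if (password_verify($pw, $u['hash'])) {
        $u['failures'] = 0;
        if (password_needs_rehash($u['hash'], PASSWORD_DEFAULT)) {
            $u['hash'] = password_hash($pw, PASSWORD_DEFAULT); // upgrade the hash transparently
        }
        audit($log, 'login_ok', $name, $ip, $now);
        return true;
    }
    $u['failures']++;
    audit($log, 'login_failed', $name, $ip, $now);
    if ($u['failures'] >= MAX_FAILURES) {
        $u['locked_until'] = $now + LOCKOUT_SECONDS;
        $u['failures']     = 0;
        audit($log, 'account_locked', $name, $ip, $now);
    }
    return false;
}

// Constructed walk-through: a weak password, then a policy-compliant one, five
// wrong guesses, the right password while locked, and the right password after
// the lockout window has passed. The audit log is printed at the end.
$users = [];
$log   = [];
$t     = time();
var_dump(createUser($users, 'alice', 'password'));
var_dump(createUser($users, 'alice', 'correct horse battery'));
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login($users, $log, 'alice', 'guess' . $i, '203.0.113.7', $t + $i);
}
var_dump(login($users, $log, 'alice', 'correct horse battery', '203.0.113.7', $t + 10));
var_dump(login($users, $log, 'alice', 'correct horse battery', '203.0.113.7', $t + LOCKOUT_SECONDS + 11));
echo implode("\n", $log), "\n";
```

The lockout counter is per account, which stops online guessing of one user's password but is itself a lever for denial of service; pair it with a per-source-address rate limit in production. The audit lines are deliberately flat key=value text so they can be shipped to whatever log collector the deployment already has and searched for `account_locked` or a burst of `login_failed` from one `ip`.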

📚 Further Reading

For more in-depth understanding, here are some topics you may find useful:

  • Basic Penetration Testing Techniques
  • Brute Force Attacks
  • CSRF Attacks
  • Ethical Hacking Principles
  • Hashing Passwords Safely
  • IDOR Attack Prevention
  • Man-in-the-Middle Attack Defense
  • Prepared Queries for Enhanced Security
  • Replay Attack Techniques
  • SQL Injection Attacks
  • XSS Attacks and Mitigation

Feel free to explore the project and apply the lessons learned to enhance the security of your applications.
