Detailed Project Proposal Student ID: 21027855 Student Name: Muhammad Umar Shabbir
o Determine whether the website's business logic contains any potential
vulnerabilities or weaknesses that might allow unauthorized access,
privilege escalation, or other security problems.
o Evaluate the security of the APIs, external services, and payment gateways
that the website uses, to make sure that third-party integrations are
implemented safely and do not introduce additional risk.
o Determine whether the website complies with applicable industry standards
and laws, such as GDPR, PCI DSS, or HIPAA, and offer suggestions for
achieving compliance.
o Document all detected vulnerabilities, their possible impact, and the
suggested corrective actions. Present the findings in a clear and succinct
manner so that the development team can understand them and successfully
address the identified risks.
Short description
The web penetration testing project entails a thorough security evaluation of a
newly developed website, in order to discover weaknesses and assure the website's
resilience against future cyber threats. The project's objective is to assess many
facets of the website's security, such as data validation, secure configuration, and
third-party integrations. Through thorough testing and analysis, the project will
produce actionable suggestions to eliminate the detected vulnerabilities and improve
the overall security posture of the website. Its purpose is to guarantee that the newly
constructed website complies with industry best practices and standards for web
application security, lowering the risk of unauthorized access and data breaches, as
highlighted in the project's brief description.
Project plan
This project will contain 7 phases:
1. Developing new website:
o First of all, I will develop a website on which the penetration test will be
conducted.
2. Information Gathering Phase:
o Obtain details on the website's structure, supporting technologies, and
features.
o Conduct passive reconnaissance to gather information about the website that
is readily accessible to the public.
3. Active Reconnaissance Phase:
o Use active reconnaissance to find open ports, spot potential entry
points, and learn more about the website by using tools like Nmap,
Burp Suite, or OWASP ZAP.
4. Vulnerability Scanning Phase:
o Use automated vulnerability scanning tools (e.g., Nessus, OpenVAS) to find
typical vulnerabilities such as out-of-date software versions, incorrect
configurations, or unsafe server settings.
5. Manual Testing Phase:
o Perform manual testing to find vulnerabilities that automated tools might
have missed.
o Check the web application for common flaws such as SQL injection, cross-
site scripting (XSS), cross-site request forgery (CSRF), and insecure
direct object references (IDOR).
o Verify the data validation, input handling, and authentication and
authorization procedures.
6. Exploitation Phase:
o Exploit the identified vulnerabilities to demonstrate the impact of a
successful attack.
o Check the effectiveness of the existing security controls and precautions.
7. Reporting Phase:
o Record every vulnerability that has been found, along with its impact
and severity.
o Make clear and practical suggestions for reducing the risks identified.