
DBS401 | Database Security Final Project Requirements

Objective:

This project aims to solidify your understanding of database security principles by allowing you to apply them in a practical setting. You will work in groups to create a website with intentional vulnerabilities and then perform cross-audits/penetration testing on another group's website. This exercise will simulate real-world scenarios encountered by security professionals.

Project Deliverables:

1. Vulnerable Website:
○ Each group will develop a web application with a database backend.
○ The application should contain predefined, well-documented vulnerabilities related to common database security issues like:
■ 2 SQL Injection (SQLi): Unvalidated user input allowing manipulation of database queries.
■ Broken Authentication and Session Management: Weak password policies, vulnerable session management (e.g., session hijacking).
■ Insufficient Database Permissions: Granting excessive privileges to users or applications.
■ Insecure Direct Object References (IDOR): Accessing unauthorized data due to predictable resource identifiers.
○ Documentation:
■ Provide detailed documentation outlining the implemented vulnerabilities, their location within the code, and the expected behavior of exploiting them.
■ Clearly state which security principles are being violated by each vulnerability.
2. Cross-Audit/Penetration Testing Report:
○ Each group will act as penetration testers for another assigned group's website.
○ Utilize ethical hacking techniques and tools (following responsible disclosure practices) to identify and exploit vulnerabilities documented by the other group.
○ Report:
■ Document the identified vulnerabilities, the exploitation methods used, and the potential impact of each vulnerability.
■ Recommend mitigation strategies for each vulnerability based on best practices for database security.
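As an added illustration (not part of the assignment text) of the SQLi and IDOR classes listed above, the following Python/sqlite3 snippet places a string-concatenated login query beside its parameterized form, and an unchecked order lookup beside one that enforces ownership; the schema, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the assignment).
# Plaintext passwords are themselves a Broken Authentication weakness; they are kept
# here only so the SQLi contrast stays short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(100, 1, "laptop"), (101, 2, "keyboard")])
    return db

def login_vulnerable(db, name, password):
    # SQLi: the input is spliced into the statement text, so a quote character in
    # the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, name, password):
    # Parameterized: values travel separately from the statement and are never parsed as SQL.
    row = db.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None

def get_order_vulnerable(db, current_user_id, order_id):
    # IDOR: the caller's identity is ignored, so any authenticated user can read
    # any order by supplying its sequential id.
    row = db.execute("SELECT item FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row[0] if row else None

def get_order_fixed(db, current_user_id, order_id):
    # Authorization is part of the query: the row must belong to the caller.
    row = db.execute("SELECT item FROM orders WHERE id = ? AND user_id = ?",
                     (order_id, current_user_id)).fetchone()
    return row[0] if row else None
```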

Evaluation Criteria:
● Vulnerable Website: (40%)
○ Functionality and clarity of the web application.
○ Variety and effectiveness of implemented vulnerabilities.
○ Completeness and organization of vulnerability documentation.
○ Bonus if modern attack techniques are included.
● Cross-Audit/Penetration Testing Report: (60%)
○ Thoroughness and accuracy of identified vulnerabilities.
○ Effectiveness of exploitation methods used. Bonus if a PoC script is included.
○ Comprehensiveness and clarity of the report, including potential impact and mitigation recommendations.
○ Adherence to ethical hacking principles.

Additional Notes:

● Ensure the vulnerabilities are designed for educational purposes only and not intended to cause any harm or data breaches.
● Choose appropriate tools and techniques for vulnerability testing, considering responsible disclosure guidelines.
● Prior to testing another group's website, obtain written consent and clearly communicate the ethical boundaries of the exercise.
● Document the learning process throughout the project, reflecting on the challenges faced and the knowledge gained.

Disclaimer: This project is for educational purposes only and should be conducted within a controlled environment with proper authorization and adherence to ethical hacking principles. Performing these activities on unauthorized systems is illegal and unethical.
