
ARE WEBSITES OF SMALL BUSINESSES HIGHLY VULNERABLE

Project Report submitted to Bharathiar University in partial fulfillment of the requirement for the
award of the Degree of
Master of Science
in
Information Security and Digital Forensics

Raja Saravanan .M
Register No: 174ID0008
Center of Excellence in Digital Forensics, Chennai

Under the Supervision and guidance of


Smt. Latha

Center for Collaboration of Industries and Institutions


Bharathiar University
Coimbatore 641046
June 2019
CERTIFICATE

This is to certify that the project work entitled "ARE WEBSITES OF SMALL BUSINESSES HIGHLY VULNERABLE", submitted to the Center for Collaboration of Industries and Institutions, Bharathiar University in partial fulfillment of the requirements for the award of the Degree of Master of Science in Information Security and Digital Forensics, is a record of the original work done by Raja Saravanan .M (174ID0008) under my supervision and guidance, and that this project work has not formed the basis for the award of any Degree/Diploma/Associateship/Fellowship or similar title to any candidate of any University.

(Seal)

Signature of the Guide

Forwarded by

Director
Center for collaboration of Industries and Institutions
Bharathiar University
Coimbatore-46

Submitted for University Examination held on

Internal Examiner External Examiner


DECLARATION

I hereby declare that this project work entitled "ARE WEBSITES OF SMALL BUSINESSES HIGHLY VULNERABLE", submitted to the Center for Collaboration of Industries and Institutions, Bharathiar University, is a record of original work done by RAJA SARAVANAN .M (174ID0008) under the supervision and guidance of Smt. LATHA, and that this project work has not formed the basis for the award of any Degree/Diploma/Associateship/Fellowship or similar title to any candidate of any University.

Signature

Name : RAJA SARAVANAN.M

Register No : 174ID0008

Course : M.Sc. Information Security and Digital Forensics

CCII Center : Center of Excellence in Digital Forensics

Center code :

Place : Chennai

Date :

Countersigned by

Signature of the Guide Countersigned by the Coordinator


(With Seal) (With Seal)

ACKNOWLEDGEMENTS

I take this opportunity to express my profound gratitude and deep regards to Dr. R. Thilagaraj (Director, Center of Excellence in Digital Forensics) for his blessings, help and guidance given from time to time, which shall carry me a long way in the journey of life on which I am to embark.

It gives me extreme pleasure to express my everlasting thanks to Smt. LATHA, my project guide, who guided me from the project selection through to the final step of the project work and gave constant encouragement for the quality of the work.

I would like to thank the teaching staff and the non-teaching staff who helped me throughout the course and guided me towards success.

I extend my thanks to my family members and my friends who helped me to finish the project work.

Raja Saravanan .M

CONTENTS

ACKNOWLEDGEMENT

SYNOPSIS

1. INTRODUCTION

1.1 Project overview

1.2 About the Project

2. SYSTEM STUDY AND ANALYSIS

2.1 Basics about Android

2.2 Security Features of Android Devices

2.3 Design of Security Features in Android Devices

2.4 Existing Risks in Android

2.5 Impact of Security incident

2.6 Technical Feasibility

2.7 Operational feasibility

3. IMPACT OF INCIDENT

3.1 Advantages of Impact

3.2 Disadvantages of impact



4. DEVELOPMENT ENVIRONMENT

4.1 Hardware Requirements

4.2 Software Requirements

4.3 Programming Environment

5. SYSTEM DESIGN AND DEVELOPMENT

5.1 Android Security Architecture

5.2 Port Forwarding with router

5.3 Creating the backdoor application

6. TECHNICAL TESTING

6.1 Testing the application

7. CONCLUSION AND FUTURE ENHANCEMENT

7.1 Conclusion

7.2 Future Enhancement

8. BIBLIOGRAPHY

CHAPTER-1

1. Introduction

In this modern world every business is transitioning to the digital platform to deliver its services to customers in a more convenient manner. This includes even small businesses, which are competing with larger firms. However, the online business world is full of threats, ranging from zero-day vulnerabilities to SQL injection. These attacks cause devastating outcomes where security measures are lacking. Thus we shift our focus to small businesses.

Why small businesses? Because they are the most probable victims of these types of attacks. Small businesses have fewer resources and are therefore less likely to invest in security measures.

The idea of this project is to show that the websites of small businesses are highly vulnerable, to showcase some of the attacks, and to present some countermeasures that can be taken to prevent these kinds of attacks.

1.1 Project Overview

Malicious hackers are always looking for ways to target businesses, government agencies and individuals, and they have a wide variety of methods and vectors at their disposal to attack their targets. Naturally, they will always choose the channel that enables them to deal the most damage for the least effort. In this regard, websites and web applications have proven to be one of the favorite targets for cyber-attack, because they are easier to hack than, say, operating systems or networking hardware such as routers and switches, and they provide many opportunities to wreak havoc across a victim's network.

1.2 About the Project

2. SYSTEM STUDY AND ANALYSIS


CHAPTER-3

3. Impact of Incident


CHAPTER-4

4. DEVELOPMENT ENVIRONMENT

4.1. Hardware Requirements

4.2. Software Requirements

4.3. Programming Environment


CHAPTER-5

5. SYSTEM DESIGN AND DEVELOPMENT

5.1.

CHAPTER-6

6. TECHNICAL TESTING

6.1. Testing the application

CHAPTER-7

7. CONCLUSION AND FUTURE ENHANCEMENT

7.1. Conclusion

7.2 Future Enhancement

8. BIBLIOGRAPHY

I did research on Google and also referred to the book Mobile Application Security, written by Chris Clark, David Thiel, and Himanshu Dwivedi.

These are the things that helped me to finish this project.


ABSTRACT:

INTRODUCTION:

Theoretical background
A web application can be described as a program that is developed in order to perform specific processes. There are many technologies available today to help us develop these applications, including Ajax, PHP, JavaScript, Perl, ASP.NET and more. A web application normally handles the user's input in an external script and performs routines; typically these routines include collecting data from a database. The final result is returned to the user depending on the type of task involved. Web application security is defined as the methods, principles and implementations used to prevent and identify security threats. Security can be understood as an effective measure against threats. A threat is a malicious danger that can exploit vulnerabilities in our resources. In web applications, these security weaknesses are the result of poor coding, mistakes during development and bad design techniques. In order to code our applications in a hack-resilient way, consider the following:
SCOPE OF THE PROJECT:

EXISTING SYSTEM

MODULES:
• User interface design
• Author login
• Book upload
• Author view the book
• User view the book
• Author view the user list
• Admin

MODULE DESCRIPTION

• USER INTERFACE DESIGN

This is the first module of our project. Its role is to take the user from the login window to the user window. This module was created for security purposes. On the login page the user has to enter a user id and password, and the module checks whether the username and password match a valid user id and valid password. If an invalid username or password is entered, the user cannot proceed from the login window to the user window and an error message is shown. In this way we prevent unauthorized users from entering the user window, which provides good security for our project. The server stores the user ids and passwords and also checks the authentication of the user, which improves security and prevents unauthorized users from entering the network. In our project we use JSP for creating the design. Here we validate the login user and perform server-side authentication.

• AUTHOR LOGIN

This is the second module of our project. Its role is to take the author from the login window to the author window. This module was created for security purposes. On the login page the author has to enter a user id and password, and the module checks whether the username and password match a valid user id and valid password. If an invalid username or password is entered, the author cannot proceed from the login window to the author window and an error message is shown. In this way we prevent unauthorized users from entering the author window, which provides good security for our project. The server stores the user ids and passwords and also checks the authentication of the user, which improves security and prevents unauthorized users from entering the network. In our project we use JSP for creating the design. Here we validate the login user and perform server-side authentication.
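The user and author login modules above both describe the same check: look the user id up on the server and accept only when the password matches. The following is an added example, not code from the project, of how that check can be written for the project's J2EE/MySQL stack so that the stored passwords are hashed, the lookup cannot be altered by the input (the SQL injection risk named in chapter 1), and the error message does not reveal which half of the credential was wrong. The table name and columns `users(username, salt, pw_hash)` and the class name `LoginCheck` are assumptions; the in-memory map in `main()` is a constructed stand-in for the MySQL table so the example runs offline.

```java
// Added example (not the project's own code). Assumed (hypothetical) schema:
// users(username VARCHAR, salt BINARY(16), pw_hash BINARY(32)), hashes made with PBKDF2.
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.GeneralSecurityException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_LEN = 16;

    /** Stored credential record: random salt plus PBKDF2-HMAC-SHA256 hash of the password. */
    public static final class Credential {
        final byte[] salt;
        final byte[] hash;
        Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /** Derive a hash from password and salt; the plaintext password is never stored. */
    public static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** Record to insert into the users table when a user or author registers. */
    public static Credential register(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        return new Credential(salt, pbkdf2(password, salt));
    }

    /**
     * Lookup against the MySQL table with a parameterized query: the username is bound
     * as a value, so it can never change the SQL text. Returns null for an unknown user.
     */
    public static Credential lookup(Connection db, String username) throws SQLException {
        String sql = "SELECT salt, pw_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                return new Credential(rs.getBytes("salt"), rs.getBytes("pw_hash"));
            }
        }
    }

    /**
     * The check the module describes: true only if the user exists AND the hash matches.
     * MessageDigest.isEqual compares in constant time, and the single boolean lets the
     * JSP show one message ("invalid username or password") for both failure cases.
     */
    public static boolean verify(Credential stored, char[] password) {
        if (stored == null) {
            // Unknown user: do the same hashing work so response time does not reveal
            // which usernames exist.
            pbkdf2(password, new byte[SALT_LEN]);
            return false;
        }
        byte[] attempt = pbkdf2(password, stored.salt);
        boolean ok = MessageDigest.isEqual(attempt, stored.hash);
        Arrays.fill(attempt, (byte) 0);
        return ok;
    }

    public static void main(String[] args) {
        // Constructed in-memory stand-in for the users table, so this runs without MySQL.
        Map<String, Credential> users = new HashMap<>();
        users.put("author1", register("correct horse".toCharArray()));

        System.out.println(verify(users.get("author1"), "correct horse".toCharArray()));
        System.out.println(verify(users.get("author1"), "wrong".toCharArray()));
        System.out.println(verify(users.get("nobody"), "anything".toCharArray()));
    }
}
```

In a servlet the same `verify` call sits behind the login form's POST handler; the JSP page should only ever receive the boolean, never the stored hash or a message that distinguishes "no such user" from "wrong password".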
• BOOK UPLOAD

This is the third module of our project. Monthly magazines are uploaded to the website, and users can access and freely download the magazines, books and PDFs. The website lists many authors and many books.

• AUTHOR VIEW OF THE BOOK

In this module the author views the book that has been uploaded and checks whether the uploaded file is correct or incorrect.
• USER VIEW OF THE BOOK

In this module the user views the list of books uploaded by the author. Different types of magazines are uploaded, and the user can choose whichever magazine or book to view or download.
• AUTHOR HACK THE USER DETAILS

In this module the author hacks the user's personal details: which file names the user has read, and the product details.

• ADMIN

In this module the admin views and maintains the file details and the user details.
MODULE DIAGRAMS:
• USER INTERFACE DESIGN

• AUTHOR INTERFACE DESIGN


BOOK UPLOAD

Author view of the book


USER VIEW OF THE BOOK

AUTHOR VIEW OF THE USER LIST:

ADMIN MODULE :
SYSTEM TECHNIQUES:

Technique: Cumulative Sum (CUSUM) algorithm.

We can keep a small part of the data on the local machine and on the fog server in order to protect privacy. Moreover, based on the Cumulative Sum, this algorithm can compute the proportion of data to be stored in the cloud, the fog and the local machine, respectively. Through theoretical safety analysis and experimental evaluation, the feasibility of our scheme has been validated, which is a powerful supplement to the existing cloud storage scheme.

SYSTEM REQUIREMENTS:

HARDWARE REQUIREMENTS
PROCESSOR : DUAL CORE 2 DUOS
RAM : 2 GB DD RAM
MONITOR : 15” COLOR
HARD DISK : 250 GB

SOFTWARE REQUIREMENTS
Front End : J2EE (JSP, SERVLETS)
Back End : MY SQL 5.5
Operating System : Windows 8
IDE : Net Beans, Eclipse
USE CASE DIAGRAM:

[Use case diagram: Login; Author Book Upload; Author View Book; User View or Download; Author Hack User Details]
EXPLANATION:

A use case diagram is a type of behavioral diagram created from a use-case analysis. Its purpose is to present an overview of the functionality provided by the system in terms of actors, their goals and any dependencies between the use cases. The author logs in, uploads the file, views the file or hacks the user details. The user logs in through the normal login form and views or downloads the book.
CLASS DIAGRAM:

[Class diagram: Author (Username, Password; Login(), File upload, View the book); User (Register; Login(), View the book or download); Admin (Login(), Maintain details); Authentication]

EXPLANATION:

A class diagram in the UML is a type of static structure diagram that describes the
structure of a system by showing the system’s classes, their attributes, and the relationships
between the classes.

Private visibility hides information from anything outside the class partition. Public
visibility allows all other classes to view the marked information.

Protected visibility allows child classes to access information they inherited from a parent
class.
OBJECT DIAGRAM:

EXPLANATION

An object diagram in the Unified Modeling Language (UML) is a diagram that shows a
complete or partial view of the structure of a modeled system at a specific time.

An Object diagram focuses on some particular set of object instances and attributes, and
the links between the instances. A correlated set of object diagrams provides insight into how an
arbitrary view of a system is expected to evolve over time.
STATE DIAGRAM:

EXPLANATION

A state diagram is a type of diagram used in computer science and related fields to
describe the behavior of systems. State diagrams require that the system described is composed
of a finite number of states; sometimes, this is indeed the case, while at other times this is a
reasonable abstraction. There are many forms of state diagrams, which differ slightly and have.
ACTIVITY DIAGRAM:

[Activity diagram: Login; Author: File upload, View the file, Hack user details; User: View the book list, View and download book]

EXPLANATION:
Activity diagrams are a loosely defined type of diagram used to show workflows of stepwise activities and actions, with support for choice, iteration and concurrency. In UML, activity diagrams can be used to describe the business and operational step-by-step workflows of components in a system. UML activity diagrams can potentially model the internal logic of a complex operation. In many ways UML activity diagrams are the object-oriented equivalent of flow charts and data flow diagrams (DFDs) from structured development.
SEQUENCE DIAGRAM

EXPLANATION:

A sequence diagram in UML is a kind of interaction diagram that shows how the processes operate with one another and in what order. It is a construct of a message sequence chart. Sequence diagrams are sometimes called event-trace diagrams, event scenarios, or timing diagrams.
The diagram below shows how the process sequence occurs in this project.
COLLABORATION DIAGRAM:

EXPLANATION:
A collaboration diagram shows the objects and relationships involved in an interaction, and the sequence of messages exchanged among the objects during the interaction.
The collaboration diagram can be a decomposition of a class, a class diagram, or part of a class diagram. It can be the decomposition of a use case, a use case diagram, or part of a use case diagram.
The collaboration diagram shows messages being sent between classes and objects (instances). A diagram is created for each system operation that relates to the current development cycle (iteration).
DATA FLOW DIAGRAM:
[Data flow diagram: Level-1 and Level-2]

EXPLANATION:

A data flow diagram (DFD) is a graphical representation of the “flow” of data through an
information system. It differs from the flowchart as it shows the data flow instead of the control
flow of the program. A data flow diagram can also be used for the visualization of data
processing. The DFD is designed to show how a system is divided into smaller portions and to
highlight the flow of data between those parts.
E-R DIAGRAM:

EXPLANATION:

In software engineering, an entity-relationship model (ERM) is an abstract and conceptual representation of data. Entity-relationship modeling is a database modeling method used to produce a type of conceptual schema or semantic data model of a system, often a relational database, and its requirements in a top-down fashion. Diagrams created by this process are called entity-relationship diagrams, ER diagrams, or ERDs.

An entity-relationship (ER) diagram is a specialized graphic that illustrates the relationships between entities in a database. ER diagrams often use symbols to represent three different types of information. Boxes are commonly used to represent entities. Diamonds are normally used to represent relationships, and ovals are used to represent attributes.
COMPONENT DIAGRAM:

EXPLANATION:

Components are wired together by using an assembly connector to connect the required interface of one component with the provided interface of another component. This illustrates the service consumer / service provider relationship between the two components.
An assembly connector is a "connector between two components that defines that one component provides the services that another component requires. An assembly connector is a connector that is defined from a required interface or port to a provided interface or port."
When using a component diagram to show the internal structure of a component, the provided and required interfaces of the encompassing component can delegate to the corresponding interfaces of the contained components.

System Architecture:
EXPLANATION:

The systems architect establishes the basic structure of the system. We propose a Cumulative Sum (CUSUM) algorithm, and we can keep a small part of the data on the local machine and on the fog server in order to protect privacy. Moreover, based on computational intelligence, this algorithm can compute the proportion of data to be stored in the cloud, the fog and the local machine, respectively. Through theoretical safety analysis and experimental evaluation, the feasibility of our scheme has been validated, which is a powerful supplement to the existing cloud storage scheme.

ADVANTAGES

• Combined attacks can succeed with fewer resources.

• It reduces the total migration time and service downtime.

FUTURE ENHANCEMENT:
Furthermore, any keyless customer can freely check the legitimacy of the returned calculation result. Security analysis shows that our scheme is provably secure under the CDH assumption in the proposed model. Results show that our protocol is practically efficient in terms of both communication and computation cost.

CONCLUSION:
In this project we have seen that combined attacks can succeed with fewer resources and a lower detection probability when the adversarial knowledge is limited, bringing more risk to reliable system operation. It should also be noted that this work assumes that the SE treats measurements made unavailable by attacks as a case of missing data, although the amount of missing data under attack is larger than under normal conditions. In the discussion we also showed the possibility of designing a detector for availability attacks. Besides, availability attacks such as DoS attacks could trigger alerts on ICT-specific measures (e.g., an Intrusion Detection System). These two features give the opportunity to develop better cross-domain detection schemes for the availability portion of the attacks, improving the overall detection of combined attacks. Other research directions to explore in the future include evaluating the physical impact of combined attacks and exploring the vulnerability of AC state estimation to combined attacks.


Database:
https://www.greycampus.com/opencampus/ethical-hacking/web-server-and-its-types-of-attacks

https://betanews.com/2019/06/04/phishing-attacks-sophistication/

https://bdtechtalks.com/2016/02/29/why-are-web-applications-attractive-targets-for-hackers/
