Web Security On Banking And Account Information Payroll System Using Virtual Machine
Setting Up
Web security is an essential factor for every individual and organization, and especially for banks, because a lack of web security exposes the system to vulnerabilities and threats from attackers, which could be dangerous, for instance through leakage of sensitive data. Thus, it is essential to secure the computer, the internet connection and the web browser. Encryption can be used to safeguard sensitive information. An accounting information system is used for collecting and processing data, which is stored and used by decision makers. An accounting information system is generally a computer-based method for tracking account activity using information technology.
The main objective of this project is to develop web security for a banking and account information payroll system using a virtual machine. Log in to the virtual machine by entering the root username and password. After the software is installed, enter the startx command; once the payroll webpage has loaded, each step can be worked through. Three targets are used and investigated: XSRF, XSS username and password theft, and SQL injection.
Cross-site request forgery (XSRF or CSRF) refers to a method of attacking a website in which the intruder impersonates a legitimate and trusted user. XSRF is a malicious exploit of a website in which unauthorized commands are transmitted from a user whom the web application trusts; the attacker picks a state-changing request as the target in order to identify the vulnerability. In the Georgia Tech payroll system the user enters a username and password to log in to the site. If the user, Alice, is already logged in to the Georgia payroll web pages and visits the attacker's webpage, she is redirected to the Georgia payroll system, where the account number and routing number are displayed under the username of the system.
Open the website URL https://payroll.gtech.edu; it is visited only from the web pages of the Oracle virtual machine. The payroll accounting information system fetches all the information of the website.
The XSRF attack occurs through a malicious website against the payroll information system, which includes the email id, account id or program causes. A user who visits the malicious website can be made to perform an unwanted action on a trusted site to which the user is currently authenticated.
XSRF attacks the web site by using the logged-in victim's browser to send a forged HTML request, which automatically includes the accounting session and any other authentication information of the user, thereby gaining access to a vulnerable web application.
The user logs in to the website with username and Account ID; the attacker then sends a link for the accounting session. When the user clicks the URL link while logged in to the original website, the data is stolen from the web site.
Interacting with the VM
Using this vulnerability, attackers can change the user's profile information, change the account status, create a new user or admin on the user's behalf, etc.
The vulnerable objects used are:
- User profile pages
- User accounting pages
- Transaction page
The user logs in to the accounting website using valid credentials. Once the user is logged in, the attacker sends a verification mail saying to the user “Please click the valid login https://payroll.gatech.edu/account.php”.
When the link is clicked, a valid request is created to that URL with the particular account details.
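The check that defeats the forged account.php request described above, as an added example that is not part of the report or its attached source code. The in-memory SESSIONS store, the login and handle_account_update functions and the token scheme are constructed stand-ins for the payroll site's PHP session handling; only the host name payroll.gatech.edu is taken from the report.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the payroll site's PHP session store (hypothetical, in-memory).
SESSIONS = {}
PAYROLL_HOST = "payroll.gatech.edu"  # the site named in the report

def login(username):
    """Create a session for an authenticated user and mint a CSRF token bound to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return session_id

def account_form_token(session_id):
    """The hidden field the account update form carries; only the real page can emit it."""
    return SESSIONS[session_id]["csrf"]

def handle_account_update(session_id, posted_token, new_routing_number, origin=None):
    """Synchronizer-token check for the state-changing account update.

    The browser attaches the session cookie to any request for the site, which is
    what XSRF abuses; a page on another site cannot read the per-session token,
    so a forged request arrives without it (or with a wrong one) and is refused.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: no session"
    if posted_token is None or not hmac.compare_digest(posted_token, session["csrf"]):
        return "rejected: csrf token mismatch"
    # Defence in depth: when the browser sends an Origin header it must be the payroll site.
    if origin is not None and urlparse(origin).netloc != PAYROLL_HOST:
        return "rejected: cross-site origin"
    session["routing_number"] = new_routing_number
    return "ok"

def routing_number(session_id):
    """Current stored routing number for the session's user (None if never updated)."""
    return SESSIONS[session_id].get("routing_number")
```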
Security misconfiguration can be used by an unauthorized person to hack the website.
The vulnerable objects are:
- URL
- Form fields
- Input fields
Example: the application server admin console is installed automatically and not removed, and the default account is not changed. The user logs in to the accounting page, while the attacker logs in with the default password and gains unauthorized access.
In our case we use a PHP session. It can be kept active by requesting the site with the session value in the request, without the web application logging out the session. For a request without the session value, let us assume new values are assigned in the request URL. Depending on the web application, it may treat the two requests as two different users without a login Id. This means that if you were to use the payroll banking information and the accounting form from the same device (even sharing the same IP and user login Id), the web application could believe they are two different users. Also, depending on the web application, you may be able to switch between them, and the user can generate the account number and routing number as long as both sessions are still active, whether correct or wrong on the web service.
Source code is attached here.
In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. … In order for an XSS attack to take place, the vulnerable website needs to directly include user input in its pages.
The vulnerable objects are:
- Login page
- Mailing page
- URL link page
Sending mail by a request to the localhost PHP page:
We use the URL link https://hackmail.org/sendmail.php on the website. The user sends the mail to the local user account and sends the request to the localhost web security page on the same page.
Source code is attached here.
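How the mailing page above becomes an XSS sink, and the fix, as an added example that is not the report's attached source code. PAGE_TEMPLATE is a constructed stand-in for a sendmail page that echoes the submitted message back; render_unsafe shows the condition the report describes (user input included directly in the page), render_safe the entity-encoded version, and audit is a small reviewer check that parses the rendered page and reports any tag or on* handler the template did not emit.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the sendmail page: it echoes the submitted message back to the user.
PAGE_TEMPLATE = "<html><body><p>Your message:</p><div>{body}</div></body></html>"
ALLOWED_TAGS = {"html", "body", "p", "div"}  # everything the template itself emits

def render_unsafe(message):
    """Vulnerable: the mail body is placed straight into the page, so markup in it
    is parsed by the victim's browser (the condition the report describes)."""
    return PAGE_TEMPLATE.format(body=message)

def render_safe(message):
    """Hardened: entity-encode the body so the browser shows it as text, not markup."""
    return PAGE_TEMPLATE.format(body=html.escape(message, quote=True))

class MarkupAudit(HTMLParser):
    """Walks a rendered page and records any tag not emitted by the template,
    and any on* event-handler attribute, which is where reflected input shows up."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")

def audit(rendered_page):
    """Return the list of findings for one rendered page (empty means nothing active leaked)."""
    parser = MarkupAudit()
    parser.feed(rendered_page)
    parser.close()
    return parser.findings
```

Running audit over both renderings of the same message shows the escaped page with no findings while the unescaped one reports the injected tag.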
The PHP vulnerability that can be used for the mail hacking request on the localhost:
- Identify the key security objectives.
- Create an overview of the application by itemising its important characteristics.
- Decompose the application to identify the features and modules that have a security impact and need to be evaluated.
- Identify all threats.
- A user can send the request to all mail, and it will be hacked.
The user can browse and send the request by mail to the server input, and all the data processing is stored in the PHP vulnerability.

In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside an SQL query. In order for an SQL injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement.
The vulnerable objects include:
- Application database
- Login page
- URL link page
- Data storage page
Targets of hacking through the email commands:
Source code is attached here.
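The login page condition described above (user input included directly in an SQL statement), as an added example that is not the report's attached source code. A constructed in-memory SQLite table with sample rows stands in for the payroll database; login_unsafe concatenates the input into the query and login_safe is the parameterised replacement, so the same inputs can be compared against both.

```python
import sqlite3

def make_db():
    """Constructed in-memory copy of a payroll login table (sample rows, not real accounts).
    Passwords are stored in clear here only to keep the sample short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, account_id TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice-pass", "ACCT-0001"), ("bob", "bob-pass", "ACCT-0002")],
    )
    return conn

def login_unsafe(conn, username, password):
    """Vulnerable: the login page concatenates user input into the SQL statement,
    so a quote in the input changes the query instead of being compared as data."""
    sql = (
        "SELECT account_id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Hardened: bound parameters keep the input as data; the statement text never changes."""
    row = conn.execute(
        "SELECT account_id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```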
Conclusion
From this report, the importance of web security is understood, especially for banks, as a lack of web security allows various vulnerabilities and threats to the respective system from attackers, which could be dangerous, for instance through leakage of sensitive data. Thus, it is essential to secure the computer, the internet connection and the web browser. It is observed that encryption helps to secure sensitive data. The aim of this project, to develop web security for a banking and account information payroll system using a virtual machine, has been completed successfully. The Oracle virtual machine installation is completed in this report, and the three targets, XSRF, XSS username and password theft, and SQL injection, are completed.