In this penetration testing project, I performed a comprehensive security evaluation of the Tunestore website to uncover critical vulnerabilities. I identified and exploited weaknesses such as SQL Injection, allowing unauthorized login and access to sensitive data, and Cross-Site Scripting (XSS), which enabled malicious script injection leading to phishing attacks and clickjacking. Additionally, I discovered Cross-Site Request Forgery (CSRF) and Access Control issues that could let attackers bypass authentication and escalate privileges. The project concluded with recommendations to mitigate these vulnerabilities and strengthen the site’s overall security posture.

For my Enterprise and Infrastructure Protection course, I conducted a detailed analysis of Denial of Service (DoS) attacks across three network layers: volumetric, protocol, and application. The project involved simulating attacks like UDP flood, Ping of Death, and an SMTP spam bot. I assessed the impact on the target systems by analyzing network traffic, server performance, and resource exhaustion. I also implemented countermeasures, such as firewalls, to mitigate the damage from these attacks. The final report provided recommendations for enhancing network resilience and discussed the legal implications of these attacks.

For my Network Security class, I implemented and analyzed two common Denial of Service (DoS) attacks: TCP SYN Flood and HTTP Flood. I simulated both attacks using Python scripts and monitored the traffic with Wireshark. The TCP SYN Flood attack overloaded the server by sending numerous SYN requests, exploiting the TCP three-way handshake, while the HTTP Flood attack bombarded the server with GET requests, affecting both the server and the host machine’s performance. The project provided insights into how these attacks function and how they can impact server resources and availability.

In this Program Analysis project, I performed both static and dynamic analysis on two applications to identify vulnerabilities. For static analysis, I used Semgrep to detect specific vulnerabilities such as log poisoning and URL redirection in Java code, applying rules to check for dangerous input methods and suggest appropriate fixes. For dynamic analysis, I used ZAP to identify Cross-Site Scripting (XSS), SQL Injection, CSRF, and other security issues in the Tunestore web application. I verified and categorized the results as true or false positives.

For this project, I conducted a detailed vulnerability assessment on a website to identify and mitigate various injection attacks. I tested for and provided fixes to several types of vulnerabilities, including SQL Injection, Path Manipulation, Command Injection, Log Forging, XPath Injection, SMTP Injection, and Cross-Site Scripting (XSS). To address these issues, I implemented a custom SecurityEnhancedApi class to filter inputs and prevent exploitation. The project involved analyzing vulnerable code, demonstrating each attack, and implementing secure programming techniques to mitigate risks.

In this Access Control project, I performed an analysis of the penetration_test web application to identify and patch several vulnerabilities, including Server-Side Request Forgery (SSRF), Information Disclosure, and Access Control flaws. I used tools like ZAP to detect and exploit these vulnerabilities, demonstrating how attackers could gain unauthorized access or disclose sensitive information. After identifying the issues, I implemented fixes by sanitizing inputs, using hash maps to limit displayed data, and adding role-based access control (RBAC) using Shiro to restrict user permissions.