DEV Community

Jacqueline Macias
Scarlet Data Studio: Keeping Transit Health safe

"What should we order tonight? Who wants some fried chicken for dinner?" We take for granted that we can open our phones and look up almost any information we want, such as which takeout restaurants are nearby. But what if one day that information disappeared or became hard to find? The question matters because everything we type into a search bar or a form passes through our browser and the website we visit, and both have to handle that input safely. The browser acts as a ship navigating the often dangerous, treacherous and unknown waters of the world wide web. During my time as a Scarlet Data Studio intern, I had the opportunity to perform two security audits on the Transit Health website:
[Screenshot] Left: Finding a Popeyes Chicken restaurant with a sidewalk permit. Right: the Transit Health website's console working alongside Cloud9's API (application programming interface).

What TransitHealth is, and what my role was

The TransitHealth website lets visitors compare transit and health metrics between community areas in Chicago over time. All of our data comes from an official City of Chicago website. To show metrics on the site, we first process the raw data with an offline pipeline and then compute the metrics in our backend API, which the website calls. The web framework we use is Next.js, an open source React framework that runs on top of Node.js. My role in this internship was the cybersecurity portion of the website and finding ways to strengthen it. Testing the security headers and running DOM and SQL injection attacks, to simulate what a real attacker would do, were my main objectives.

The DOM/SQL injection audit

The purpose of a DOM/SQL injection audit is to test the strength of our code and website by finding the places where user input reaches the page or the database unchecked. Once we identify such a vulnerability, we can inject our own script or query and cause the website to stop functioning properly, which is exactly what an attacker would do. Two injection attack types are common among attackers:

DOM injection attack: DOM stands for Document Object Model, the browser's in-memory tree of the page. By injecting HTML tags or script that are not meant to be there, an attacker can manipulate the webpage in many malicious ways; this is the DOM-based form of cross-site scripting. For example,
[Screenshot] This screenshot shows an error message that was caused by my request. Notice the apostrophe in Popeyes; there is a reason for this.
[Screenshot] The right terminal is the API, and this is the error caused by my request. This is a case of whitebox testing, since I can see the backend's output directly, which will be helpful. If this error were sent to the client, they would be able to see what is going on inside the backend.

SQL injection attack: Pronounced either "sequel" or simply "S-Q-L", this common attack uses malicious SQL code to manipulate the backend database and access information that was never meant to be displayed. Injections occur when the application pastes user input into its SQL queries without protecting against harmful content. The apostrophe above is the classic probe: a single quote closes the string literal in the query early, and the resulting syntax error tells the attacker that the input is reaching SQL. From there, an attacker can craft their own SQL to trick the database into returning sensitive information.
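The apostrophe probe and the follow-up extraction payload, as an added example that is not part of the original post or of the TransitHealth code. It assumes a Python backend using the standard-library sqlite3 module; the restaurants table, its columns and its rows are constructed for the example and are not the project's real schema. It shows the injectable query beside its parameterized replacement, and what the API should return instead of the raw database error.

```python
import sqlite3

# Constructed sample data standing in for the site's restaurant/permit data.
# Table name, columns and rows are assumptions for this example, not the
# project's real schema.
SAMPLE_ROWS = [
    ("Popeyes", "sidewalk", "60601"),
    ("Harold's Chicken", "sidewalk", "60615"),
    ("Portillo's", "none", "60611"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE restaurants (name TEXT, permit TEXT, zip TEXT)")
    conn.executemany("INSERT INTO restaurants VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_vulnerable(conn, name):
    """Injectable: the user's input is pasted straight into the SQL text."""
    query = f"SELECT name, permit FROM restaurants WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_safe(conn, name):
    """Parameterized: the driver sends the value separately, so it is only ever data."""
    return conn.execute(
        "SELECT name, permit FROM restaurants WHERE name = ?", (name,)
    ).fetchall()


def probe(conn):
    """Replay the audit's apostrophe probe, then an extraction payload, against both versions."""
    results = {}

    # Step 1: a lone apostrophe closes the string literal early. The database
    # rejects the query, and the error text reveals that input reaches SQL.
    try:
        find_vulnerable(conn, "Popeyes'")
        results["apostrophe"] = "no error"
    except sqlite3.OperationalError as err:
        results["apostrophe"] = f"OperationalError: {err}"

    # Step 2: a tautology turns the WHERE clause into  name = '' OR '1'='1'
    # and dumps every row, not just the one the caller asked for.
    results["tautology"] = find_vulnerable(conn, "' OR '1'='1")

    # Step 3: the same payload against the parameterized query matches nothing,
    # because it is compared as a literal string.
    results["safe_tautology"] = find_safe(conn, "' OR '1'='1")

    # Step 4: parameterization also handles legitimate apostrophes in names.
    results["safe_apostrophe"] = find_safe(conn, "Harold's Chicken")
    return results


def api_lookup(conn, name):
    """What the backend API should return: rows, or a generic error the client cannot learn from."""
    try:
        return {"ok": True, "rows": find_safe(conn, name)}
    except sqlite3.Error as err:
        # Log the real exception server-side; never forward it to the browser.
        print(f"[server log] database error: {err}")
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    for key, value in probe(db).items():
        print(f"{key}: {value}")
    print(api_lookup(db, "Popeyes"))
```

Running it prints the OperationalError for the apostrophe probe (the same class of message the audit screenshot captured), all three rows for the tautology against the vulnerable query, and an empty list for the same payload against the parameterized one. The fix is the placeholder in find_safe; the generic error in api_lookup is what keeps that backend message off the client's screen.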

The security header audits and their importance in website security

With the help of a website called SecurityHeaders.com, we were able to find out how our website fared in terms of security headers. The TransitHealth website scored a D. Looking into the reason for the low letter grade turned up something interesting. A security header is an HTTP response header that tells the browser how it must treat the page, and it is a fundamental part of website security because it protects against attacks a site may encounter even when the page content itself is fine. The website was missing four headers, and these were the following headers according to securityheaders.com:

Content-Security-Policy: Helps protect the website against cross-site scripting (XSS) attacks by allowlisting the sources from which scripts, styles and other content may be loaded; the browser refuses to load assets from anywhere else, including inline scripts an attacker managed to inject.

X-Frame-Options: Tells the browser whether you allow your site to be framed, that is, embedded inside an <iframe> on another site (DENY or SAMEORIGIN). Useful against clickjacking attacks, where an invisible frame of your site is laid over a decoy page so that the victim's clicks land on your buttons.

X-Content-Type-Options: Lets the server opt out of MIME (Multipurpose Internet Mail Extensions) sniffing, also called content sniffing, with the value nosniff. Content sniffing is the practice of inspecting the bytes of a response to guess its file format; without nosniff, a browser may decide that an uploaded text or image file is really script and run it.

Referrer-Policy: A newer header that controls how much of the current URL the browser includes in the Referer header when navigating away from a document; it should be set by all sites.
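A small checker in the spirit of the SecurityHeaders.com audit, as an added example that is not part of the original post or of the TransitHealth code. It takes a dict of HTTP response headers, reports each of the four headers above that is missing or weakly set, and fills in missing ones. The recommended values are assumptions chosen as conservative defaults, not the project's real configuration, and the bare response in the usage block is constructed.

```python
# Recommended values are assumptions for this example (conservative defaults),
# not the TransitHealth project's actual configuration.
RECOMMENDED = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; directives are ';'-separated."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return findings for missing or weakly configured security headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, recommended in RECOMMENDED.items():
        value = present.get(name.lower())
        if value is None:
            findings.append(f"missing {name}; suggested value: {recommended}")
            continue
        value = value.strip()
        if name == "Content-Security-Policy":
            # script-src falls back to default-src when it is not given.
            directives = parse_csp(value)
            scripts = directives.get("script-src", directives.get("default-src", []))
            if "'unsafe-inline'" in scripts or "*" in scripts:
                findings.append(
                    f"weak {name}: script sources allow inline or wildcard ({' '.join(scripts)})"
                )
        elif name == "X-Frame-Options":
            if value.upper() not in ("DENY", "SAMEORIGIN"):
                findings.append(f"weak {name}: {value!r} does not block framing")
        elif name == "X-Content-Type-Options":
            if value.lower() != "nosniff":
                findings.append(f"weak {name}: only 'nosniff' disables sniffing, got {value!r}")
        elif name == "Referrer-Policy":
            if value.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
                findings.append(f"weak {name}: {value!r} sends the full URL to other origins")
    return findings


def harden(headers):
    """Return a copy of the headers with each missing security header added.

    Existing values are left alone so a deliberately tuned CSP is not clobbered.
    """
    out = dict(headers)
    lower_names = {k.lower() for k in out}
    for name, value in RECOMMENDED.items():
        if name.lower() not in lower_names:
            out[name] = value
    return out


if __name__ == "__main__":
    # Constructed response: roughly what a site with no security headers sends.
    bare = {"Content-Type": "text/html; charset=utf-8"}
    for finding in audit_headers(bare):
        print(finding)
    print("after hardening:", audit_headers(harden(bare)))
```

The bare response produces four "missing" findings, matching the four headers the audit flagged, and the hardened copy produces none. The CSP check is deliberately narrow: it only looks at the script sources, because 'unsafe-inline' or a wildcard there is what turns a missing-CSP finding into a real XSS path. For a Next.js site these same four headers can be returned from the headers() export in next.config.js.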

Where my interest in Cybersecurity began

My interest in the field of all things cyber has evolved over the course of nine years. It all started when I was a sophomore in high school and my teacher gave my computer class a PowerPoint assignment. There were various topics to present to the class, but the most interesting to my classmate and me was computer crimes and hackers. As we did our research, I found the topic of computer crimes to be very fascinating and scary. When it was time to present, I remember having the biggest smile on my face the entire time. Six years later, at university, I had the option to choose electives that I found interesting: Introduction to Cybersecurity I and II. I also consumed media about hackers and cybercrime that same year. Now, as a graduate student, I have chosen to major in Cybersecurity.

Lessons I learned from the internship, and advice for other students just starting out

There are various lessons I have learned throughout the past three weeks, and I'd like to share them with you.

Don't be afraid to ask questions. The best way to get an answer is to ask. At the beginning of this internship, I had very little understanding of the software engineering portion, so, knowing my strengths and what I had learned as a graduate student, I directed my focus towards the cybersecurity portion of the website.

SecurityHeaders.com is an excellent website for checking which security headers any site sends, and I highly recommend a visit. It was the tool we used in this internship to find the weaknesses on Transit Health and how to fix them, and it can be used by anyone.

Don't bite off more than you can chew. Don't take on more responsibilities than you can handle. Keep yourself busy, but not to the point where you can't juggle multiple tasks at once, such as working many hours while trying to do too much for the internship or school.

Communicate with your mentor(s) about any jobs and responsibilities that might interfere with your internship, and do the same with your boss or manager. My job interfered with my internship, so I communicated often with my mentors and was able to do the work I needed without feeling too overwhelmed.

If you are required to use new software or a technology you are unfamiliar with, ask your mentor(s) whether there is an alternative you can use. If not, try your best to learn how to use the software. I had only used Jupyter briefly during my internship, so I used Google Docs to create my blog report.

Internships are an opportunity to network and build good connections with students and alumni. Go the extra mile to reach out and form relationships with people from other departments and with students who may study something different from you. You never know who your next connection will be. Maybe the people in your internship know a professional who once studied the same things as you. This could eventually lead to your first ever job!
