Popis: |
Web applications have made communication and services for users extremely simple because of the user-friendly interface, global accessibility, and ease of management. However, careless web application design and implementation are crucial to a security compromise that is incredibly troubling both to the user and web administrators. The weakness in Local File Inclusion (LFI) currently exists in many web applications that result in remote code execution in a host server. Hence, detecting the vulnerability of LFI is becoming extremely important to the web owner in taking effective risk mitigation action. Meanwhile, the current vulnerability scanner that is available nowadays focuses more on SQL injection and cross site scripting but fewer over Local File Inclusion vulnerability. Other than that, users cannot observe what sort of sensitive file or data could be obtained by an attacker and maintain the anonymity of the user because current Vulnerability scanner on the market does not integrate with TOR network out-of-the-box. This project proposed an automated system for the identification of LFI vulnerabilities with obscure for web applications. Therefore, the objective of this project is to develop a system that can detect LFI vulnerabilities within the web application and while still able to maintain user anonymity across the network by covering the source IP address of the scanner using the Tor network and simulates how a real-world hacker attacks web application using LFI vulnerability. Furthermore, there are six phases involved in the methodology to complete this project: information gathering, requirement analysis, system design, development, testing, and documentation. Lastly for documentation, is to make a report about Local File Inclusion Vulnerability Scanner with Tor Onion Router Proxy. From the result testing, it indicates that the project can identify any local file inclusion vulnerabilities that exist over the web application while also having the advantage to observe the point of view of an attacker capable of hiding the scanner source of IP address. |