Researching on Webshell and building a Webshell in the web application attack experiment - a student group: Su Chan Hoai Bao, Ngo Dinh Nhat Huy, Do Viet Anh (Information Assurance major - FPT University) has excellently scored 9 of the Council of examiners - the highest score for project defense in Summer 2020 semester.

FPT University had a talk with members of the group to learn the tips to conquer the Council of examiners in the group's project defense semester.

 

Nice to meet you, congratulations on your team’s excellent completion of the graduation project defense. Where did this topic come from? The reason why your group chose to do this topic as a graduation project?

This topic came from the security problems businesses facing nowadays. Based on those situations, the lecturers gave a topic to help us students to approach and understand clearly the needs of the business in staff recruiting Our team realized that this was a good topic which could help our group to experience the actual business situation, in accordance with the goal we are pursuing.

It is known that WebShell is a form of malicious code, backdoor possessing many functions, helping to support the intrusion and hijacking system administration of hackers' websites. What is special about your team's Webshell research topic?

Recently, most hackers are employing a strategy of sharing ways to exploit and attack with each other, which poses a huge threat to businesses that are unilaterally fighting compromise. Grasping this crucial point, our team researched and built our own webshell based on previous webshells that hackers often use. Besides, our team also developed new features in accordance with the current network security problems encountered.

What tools / methods does your group use when doing research on this topic? What documents do you use for reference?

When researching this topic, my team used a lot of open source tools as well as many methods our team researched and built up. Example: To scan the directories and files of a website, we used the dirsearch tool. To conduct cloning directories on websites, we use the dumpall tool. Such outstanding features such as sudo rights, we used the Juicy potato tool for support. Next, based on the documents that revealed the vulnerabilities from the top 10 owasp, our team’s CVE exploited the rest of the vulnerabilities in the system. Besides, based on the experience we had on pentest during the internship in the 6th semester, our team has carefully archived many references to reuse in the project making process.

What was your team's goal in doing this topic? After completing it, did you see that the project has been as expected in the beginning?

The ultimate and also the most important goal when implementing this topic is that our team wanted to protect users and businesses from existing vulnerabilities which are usually easily attacked and compromised by hackers. The initial expectation was to try to complete the use cases that our lecturers required in the topic. However during the implementation process, our team found out that we needed to add new features and scenarios outside the project scope to make it  better, more detailed, and clearer. However, I have always wanted to have more time to improve it.

How long did you work on the project? During the process of implementing the topic, did your group have any difficulties? How did you deal with it?

Making efficient use of time was an important factor determining the success of the project. From the first semester, we have been instructed by lecturers to manage the time doing a project throughout the whole learning process at FPT University.. This project defense semester took us three months to get it done. In the process of implementing the topic, our group encountered many difficulties in finding sources of documents to research, applying new technologies, disagreements caused by each member's individual opinion, implementing time pressure because everything was just ideas, not yet to come in reality. However, while working together, our team realized that everyone needs to agree, listen to the other members’ opinions, teamwork spirit, and try to complete the assigned works effectively. All following problems are also thoroughly resolved.

After finishing the project defense, what were your feelings? What comments from the Council of examiners did you remember the most? Why?

Happiness was the first feeling of our group, we felt like we wanted to embrace each other even though us three are male. Then there was a bit of regret because I knew that I was going to be away from the lecturers and friends I have been working with for 4 years. I especially remember the comments from Mr. Nguyen Trong Tai, who gave a lot of valuable advice and comments to help me better understand security issues that my team has not yet applied. Maybe after having a job, I will try to develop and implement his suggestions.

 

Going through the project defense semester, at the same time ending 4 years of University, how do you feel? Was this a rewarding semester?

The past 4 years were a long period of time that our group has been trying very hard to improve our knowledge. After going through the project defense semester, ending the university time, our group feels very confident in our knowledge as well as experience to step up to work in the future. This was really a very rewarding semester, it has gathered all the knowledge from the first major semesters, to the new technologies that my group had to research and apply.

Are you currently working at any company / enterprise? If yes, how long was it and what’s your current job position?

 
Currently, each member of our group is working for a different company. However, we have all started to have a job since the internship in the 6th semester. My name is Hoai Bao and I am currently working as an Information Security Consultant at Vcyber. Nhat Huy is working as a Pentester - Viettel and Viet Anh is currently a Developer at Passio.

Thank you for this wonderful conversation, I wish you 3 will be successful.

HANA
Translated by TRONG HIEU