Hiding Vulnerabilities in a Sandbox Website for Cybersecurity Testing of Students

HESARIAN, MARYAM
2024/2025

Abstract

This thesis presents the development of a deliberately vulnerable hospital management system intended to facilitate hands-on learning in cybersecurity. The platform, built using Python Flask, SQLite, and Bootstrap, simulates realistic hospital workflows and includes multiple user roles such as doctors, lab technicians, administrators, and patients. Several common web application vulnerabilities from the OWASP Top 10 were intentionally implemented, including SQL Injection (SQLi), Cross-Site Scripting (XSS), Server-Side Template Injection (SSTI), XML External Entity (XXE) attacks, Broken Access Control, Broken Authentication, and Security Misconfiguration. Each vulnerability is embedded within role-specific features to mimic realistic security flaws in real-world applications. The system can operate in both vulnerable and secure modes, enabling users to compare behavior and security outcomes. Manual testing was conducted using standard penetration testing techniques and network analysis tools such as tcpdump and Wireshark. Although the platform has not yet been tested in classroom settings, it is designed to serve as a practical resource for students and instructors exploring web vulnerabilities in a safe and controlled environment.
Keywords: cybersecurity; vulnerable web; ethical hacking; OWASP; student evaluation
Files in this item:

File: Hesarian_Maryam.pdf (open access)
Size: 1.7 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12608/94430