Congratulations on your graduation. It's an exciting time to be an information security professional, since there's no lack of new attacks and systems/applications to protect. I also applaud your interest in Web applications. More than 75% of attacks are now targeting applications as opposed to networks or servers directly. Application security specialists have told me it would take them roughly 100 years to fully test all the applications they already have running. There will be great demand for professionals who understand how to attack and protect Web applications.
You've got a choice in what you attempt for your senior project by taking either an offensive stance or a defensive stance. Let me elaborate.
From an offensive standpoint, you can try to discover new attack vectors or prove that an existing attack vector works for a new application type. For example, try to find XSS (cross-site scripting) vulnerabilities on applications running on your campus. Or attempt a SQL injection attack on the registration system. Of course, work with the faculty and the IT team at your school to make sure you don't surprise the powers that be and end up in jail. But if you are going to test something, it may as well benefit the school.
Taking a defensive stance, you could work with the IT team to implement a source code analysis project on any of the applications currently running. Many of the vendors in the space will provide an educational license to use their commercial-grade tools in an academic environment. Again, this is pretty much a "free" way for your university to see how secure the applications are and what issues should be addressed in the near term.
Given the number of data breaches that happen in the education market, I think these would be great projects to undertake.
If you aren't comfortable playing with live ammunition, another possibility could be setting up a test bed by deploying a Web application and securely configuring the devices, implementing Web application firewalls and the like to protect the application. Then try to hack in using tools like the open source Metasploit or commercial ones such as Core Security Technologies' Core Impact. You could even run a "capture the flag" competition to test whether classmates can break into the test bed.
For more information:
This was first published in December 2007