IT350 - Web and Internet Programming

Lab 09 – Web Applications Security

Introduction

We talked about security this semester, and you just finished your project. For this lab, we will practice web security offense and defense, on your and your classmates’ projects.

Lab Requirements

You must create a folder on your Web drive called "Lab09" (without the quotes) and store your work in that directory. 

Copy your team project in your Lab09 directory – so you have a saved copy of the project as it was turned in.

Part 1 – in Teams (same as the project teams): Offense

For this part, you and your teammates will attack the projects created by the other teams in your section (Teams 1-5 in section 4001, teams 6-9 in section 5001). Each team starts by attacking the project created by the “next” team in your section (team 1 attacks team 2, team 2 attacks team 3, …, team 5 attacks team 1, and team 9 attacks team 6). The attacks can attempt to create unexpected behavior in the application (for example through HTML injection or JavaScript injection), gain access to protected pages, gather passwords, etc.

All attacks, successful or not, must be documented in enough detail that the instructor can reproduce them. Download IT350_projectSecurityEval.docx from here (right-click and "Save link as...") and store it in your Lab09 directory. Record all attacks and their results in this document.


Part 2 – to be done individually: Defense

A.    You should have a copy of your project in your Lab09 directory. If not, copy the files from your team drive to your Lab09 directory.

B.     To ensure that permissions are set correctly on your Lab09 directory, do the following: ssh into mich316csdYYu.academy.usna.edu (you can use 01 to 20 for YY), using PuTTY or some other SSH client and your normal credentials. In the window that appears, type the following (replace XXXXXX with your alpha):

cd public_html

setfacl -R -m u:www-data:rwx Lab09

setfacl -R -dm u:www-data:rwx Lab09

setfacl -R -m u:mXXXXXX:rwx Lab09

setfacl -R -dm u:mXXXXXX:rwx Lab09


C.     Make all the modifications needed so your project works correctly in your Lab09 directory. If you used relative links in your project, this should be an easy task. Notepad++’s “Find in files” option should be helpful (search for it350-teamX, for example).

D.    Implement defensive measures to prevent the attacks that your colleagues might come up with for your website. At the minimum, you must:

a.       Prevent directory listing (have an index.html in each directory)

b.      Protect sensitive files (change .txt extension to .txt.pl)

c.       Do not store passwords in plain text (use crypt or another hash function)

d.      Duplicate all JS checks in Perl

e.       Limit input size on the server side (use substr in Perl)

f.       Prevent HTML and JavaScript injections by escaping < and > in user-supplied data before it is output

g.      Make sure all scripts/pages that are in the "member" or "admin" areas check the cookies and do not display their content unless the correct cookies are set
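The following is an added example of how items c through g above look as Perl functions; it is not part of this handout or of any team's project. It runs from the command line with no web server so you can test the logic before wiring it into your CGI scripts. The function names, the users.txt.pl file name, and the session table are hypothetical. It uses the core Digest::SHA module with a per-user random salt rather than crypt (the lab lists crypt as one acceptable option); escaping also covers & and quotes so the same function is safe inside attribute values, which goes slightly beyond the < and > the lab requires.

```perl
#!/usr/bin/perl
# Added example (not from the lab handout): server-side defenses for
# Part 2 D.c-D.g, written as plain functions so they run without a web server.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module; no installation needed

# D.e: cap input length before anything else is done with it.
sub limit_input {
    my ($value, $max) = @_;
    $value //= '';                 # a missing parameter becomes the empty string
    return substr($value, 0, $max);
}

# D.d: the same rule the client-side JavaScript enforces, repeated in Perl,
# because the browser check is skipped when the form is posted directly.
sub valid_username {
    my ($u) = @_;
    return defined $u && $u =~ /^[A-Za-z0-9_]{3,20}\z/ ? 1 : 0;
}

# D.f: escape the characters that let user data turn into markup.
# One regex pass, so nothing is double-escaped.
my %ESC = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
sub escape_html {
    my ($s) = @_;
    $s //= '';
    $s =~ s/([&<>"'])/$ESC{$1}/g;
    return $s;
}

# D.c: never store the password itself.  The stored record is "salt$hash"
# with hash = SHA-256(salt . password); the salt is random per user.
sub hash_password {
    my ($password, $salt) = @_;
    $salt //= join '', map { sprintf '%02x', int rand 256 } 1 .. 8;
    return $salt . '$' . sha256_hex($salt . $password);
}

# Compare without an early exit, so the time taken does not reveal
# how many leading characters of the hash matched.
sub const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub check_password {
    my ($password, $stored) = @_;
    my ($salt) = split /\$/, $stored, 2;   # salt is everything before the first $
    return const_eq(hash_password($password, $salt), $stored);
}

# D.g: a protected page must check its cookie on the server.  A cookie that
# merely says "loggedin=1" can be typed in by anyone, so the cookie carries a
# random token that the server issued at login and still remembers (here a
# hash; a real script would keep the table in a file or database).
sub parse_cookies {
    my ($header) = @_;                       # contents of $ENV{HTTP_COOKIE}
    my %c;
    for my $pair (split /;\s*/, $header // '') {
        my ($k, $v) = split /=/, $pair, 2;
        $c{$k} = $v if defined $k && defined $v;
    }
    return \%c;
}

sub is_authorized {
    my ($cookie_header, $sessions, $role) = @_;
    my $token = parse_cookies($cookie_header)->{session} // return 0;
    my $s = $sessions->{$token} or return 0;   # unknown or forged token
    return $s->{role} eq $role ? 1 : 0;
}

# --- demonstration with constructed data ----------------------------------
my $stored = hash_password('correct horse');          # what goes in users.txt.pl
print "stored record: $stored\n";
print "login ok:  ", (check_password('correct horse', $stored) ? 'yes' : 'no'), "\n";
print "login bad: ", (check_password('wrong', $stored) ? 'yes' : 'no'), "\n";

my $name = limit_input('<script>alert(1)</script>' x 10, 40);   # 250 chars in, 40 out
print "escaped: ", escape_html($name), "\n";
print "username valid: ", (valid_username($name) ? 'yes' : 'no'), "\n";

my %sessions = ('f3a9c0de-constructed-token' => { user => 'mXXXXXX', role => 'admin' });
print "admin page with issued token: ",
    (is_authorized('theme=dark; session=f3a9c0de-constructed-token', \%sessions, 'admin') ? 'shown' : 'denied'), "\n";
print "admin page with forged cookie: ",
    (is_authorized('session=admin', \%sessions, 'admin') ? 'shown' : 'denied'), "\n";
```

In a CGI script the same functions are applied in order: read each parameter, pass it through limit_input, validate it with the Perl copy of the JavaScript rule, and only then use it; anything echoed back to the page goes through escape_html; pages under member/ or admin/ call is_authorized at the top and print a redirect or error instead of their content when it returns 0. Use the mode that returns an error rather than a blank page when you test, so you can tell a denied request from a broken script.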


Deliverables

  1. All of your files should be in a folder called "Lab09" (without the quotes) on the Web drive. Your instructor will assume that your web pages are viewable at http://zee.academy.usna.edu/~mXXXXXX/Lab09/index.html or index.shtml or index.pl where XXXXXX is your alpha number.
  2. IT350_projectSecurityEval.docx in your Lab09 should contain all the attacks that your team tried.
  3. Your project in Lab09 should have the security measures we discussed implemented, so the attacks discovered by other teams will not work anymore.
  4. In default.htm, add:
    1. A link to your Lab09/index.html (or whatever the main page of your project is)
    2. A link to the completed Lab09/IT350_projectSecurityEval.docx
  5. Turn in the following hardcopy at the beginning of class on the due date, stapled together in the following order (coversheet on top):
    1. A completed assignment coversheet.  Your comments will help us improve the course.