IT350 - Web and Internet Programming
We talked about security this semester, and you just finished your project. For this lab, we will practice web security offense and defense, on your and your classmates’ projects.
You must create a folder on your Web drive called "Lab09" (without the quotes) and store your work in that directory.
Copy your team project into your Lab09 directory, so that you have a saved copy of the project as it was turned in.
Part 1 – in Teams (same as the project teams): Offense
For this part, you and your teammates will attack the projects created by the other teams in your section (Teams 1-5 in section 4001, teams 6-9 in section 5001). Each team starts by attacking the project created by the “next” team in your section (team 1 attacks team 2, team 2 – team 3, …, team 5 should attack team 1, and team 9 attacks team 6). The attacks can attempt to create unexpected behavior for the application (for example through HTML injections or JavaScript injections), get access to protected pages, gather passwords, etc.
All attacks, successful or not, must be documented in such a way that the instructor can reproduce them. Download IT350_projectSecurityEval.docx from here (right-click and "Save link as...") and store it in your Lab09 directory. Record all attacks and their results in this document.
Part 2 – to be done individually: Defense
A. You should have a copy of your project in your Lab09 directory. If not, copy the files from your team drive to your Lab09 directory.
B. To ensure that permissions are set correctly on your Lab09 directory, do the following: ssh into mich316csdYYu.academy.usna.edu (you can use 01 to 20 for YY) using PuTTY or some other tool, with your normal credentials. Type the following (replace XXXXXX with your alpha) in the window that appears:
cd public_html
# give the web server user read/write/execute on Lab09, recursively, and make it the default for new files
setfacl -R -m u:www-data:rwx Lab09
setfacl -R -dm u:www-data:rwx Lab09
# do the same for your own account
setfacl -R -m u:mXXXXXX:rwx Lab09
setfacl -R -dm u:mXXXXXX:rwx Lab09
C. Make all the modifications needed so that your project works correctly in your Lab09 directory. Note that if you used relative links in your project, this should be an easy task. Notepad++’s “Find in files” option should be helpful (search for it350-teamX, for example).
D. Implement defensive measures to prevent the attacks that your colleagues might come up with for your website. At a minimum, you must:
a. Prevent directory listing (have index.html in each directory)
b. Protect sensitive files (change .txt extension to .txt.pl)
c. Do not store passwords in plain text (use crypt or another hashing function)
d. Duplicate all JS checks in Perl
e. Limit input size (in Perl) (use substr in Perl)
f. Prevent HTML and JavaScript injections by escaping < and >
g. Make sure all scripts/pages that are in the "member" or "admin" areas check the cookies and do not display unless the correct cookies are set
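As an added example (not part of the lab handout or of any team's project), the following core-only Perl shows one way to implement items c, e, f and g on the server side. The cookie name "session", the 16-character salt and the '$6$' SHA-512 crypt scheme (available on glibc/Linux servers such as the lab machines) are assumptions; the escaper also handles &, which the list does not mention, so that an entity cannot be smuggled past the < and > check.

```perl
use strict;
use warnings;

# (e) Server-side input limit, duplicating the JS length check with substr.
sub limit_input {
    my ($value, $max) = @_;
    $value = '' unless defined $value;
    return substr($value, 0, $max);
}

# (f) Escape < and > so submitted text renders as text, not as tags or script.
# & is escaped first so a user cannot smuggle an entity through the filter.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}

# (c) Store crypt() output instead of the password. A '$6$' prefix selects
# SHA-512 crypt on glibc; assumption: the server is Linux, as in the lab.
sub hash_password {
    my ($plain) = @_;
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt = join '', map { $chars[rand @chars] } 1 .. 16;
    return crypt($plain, '$6$' . $salt . '$');
}
# Verify by re-hashing with the stored string as the salt: crypt() reads the
# scheme and salt from its front, so equality means the password matched.
sub check_password {
    my ($plain, $stored) = @_;
    return crypt($plain, $stored) eq $stored;
}

# (g) Parse HTTP_COOKIE and refuse to render a member/admin page unless the
# cookie set by the login script is present with the expected value.
sub parse_cookies {
    my ($header) = @_;
    my %c;
    for my $pair (split /;\s*/, ($header // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        $c{$k} = $v if defined $k && defined $v;
    }
    return \%c;
}
sub is_logged_in {   # cookie name "session" and $expected token are assumptions
    my ($cookies, $expected) = @_;
    return exists $cookies->{session} && $cookies->{session} eq $expected;
}
```

A member page would call parse_cookies($ENV{HTTP_COOKIE}) and print only the login form when is_logged_in returns false.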