SY306 – Web and Databases for Cyber Operations

Project 2 – Web Applications Security

Introduction

For this project, you will practice web security offense and defense, on your and your classmates’ projects.

Requirements

This project will be done in teams, the same teams as for Project 1.

Set-up:

1. Create a zip file containing everything in your /web/html/sy306-teamX folder.

2. If you did not submit your zip file on Blackboard for Project 1 (one submission per team is required), do that now.

3. Create a folder on your team web drive (/web/html/sy306-teamX) called "secure" (without the quotes) and store your work in that directory.

4. Copy – do not move – your team project files into your “secure” directory on the team drive. Make sure you do not move the files, so the original files can still be used.

5. Save the current state of your database, so you can later restore it if needed:

From the command line:

i. ssh into mope.academy.usna.edu

ii. In the shell on mope, execute the following commands:

cd /web/html/sy306-teamX/secure

mysqldump -u mYYYYYY -p -h mope sy306teamX > initialProjectDB_teamX.sql

iii. Check that the file initialProjectDB_teamX.sql was created in your “secure” folder.

Part 1: Offense

For this part, you and your teammates will attack the project of the “next” team (team 1 attacks team 2, team 2 attacks team 3, …, team 6 attacks team 1) and a sample project provided by your instructor and available at http://mope.academy.usna.edu/~adina/sy306/toAttack/proj1-teamX/index.py .

All attacks, successful or not, must be documented in such a way that the instructor can reproduce them. Download sy306_projectSecurityEval.docx from here (right-click and "Save link as...") and store it in your “secure” project directory. Record all attacks and their results in this document. Include screenshots if needed.

You should try the attacks we discussed in class (HTML/CSS injection, JavaScript injection – XSS attacks, CSRF, SQL injection), and anything else that you can think of. The attacks can attempt to create unexpected behavior for the application – provoke error messages that reveal source code, change the display, get access to protected pages without providing a valid password, gather usernames and passwords, try cross-site request forgery attacks to post messages as another user, steal cookies, etc. You must document all your work in the sy306_projectSecurityEval_teamX.docx file that you will turn in for grading.

Part 2: Defense

A. Make sure all your files for the project are copied to your “secure” sub-folder. All the modifications for this project will be done in this folder. Do NOT modify the files outside the “secure” folder.

B. Make all the modifications needed so your project works correctly, as before, from your “sy306-teamX/secure” directory. Note that if you used relative links in your project, this should be an easy task. Notepad++’s “Find in files” option should be helpful (search for sy306-team… for example, so you can change any absolute links you might have).

C. In your “secure” folder, implement defensive measures to prevent the attacks that your colleagues might come up with for your website. Do NOT modify the files outside the “secure” folder. Do NOT modify the tables in your database. If needed, create new tables with a different name (e.g. Users_secure, Messages_secure). At a minimum, you must:

a. Limit input size for the post to some reasonable length (in Python)

b. Do not store passwords in plain text (see the example in the “sessions” class on how to use a hash function in Python)

c. Duplicate all/any JS checks in Python

d. Mitigate the risk of HTML and JavaScript injection by escaping < and >

e. Use parametrized queries (similar to the class examples) to the database to prevent SQL injection

f. Implement the “secret/CSRF” token approach or a captcha to prevent cross-site request forgery attacks

You can implement any other security measures that you think will improve the security of your application.
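As an added example (not part of the assignment text or any team's project), the Python snippet below shows one way to implement measures a, b, d, e and f above. It assumes sqlite3 as an offline stand-in for the course MySQL database (with MySQLdb the placeholder is %s rather than ?), a 500-character post limit, a table named Users_secure, and PBKDF2-SHA256 from hashlib in place of whatever hash function the “sessions” class example used.

```python
import hashlib
import hmac
import html
import secrets
import sqlite3

MAX_POST_LEN = 500  # assumed limit for measure (a); pick what fits your app

def check_post_length(text):
    # (a)/(c): enforce the size limit in Python even if JS already checks it
    return len(text) <= MAX_POST_LEN

def hash_password(password, salt=None):
    # (b): store "salt$hash", never the plain-text password (PBKDF2-SHA256 assumed)
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return salt + "$" + digest.hex()

def verify_password(password, stored):
    # re-hash with the stored salt and compare in constant time
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, salt), stored)

def escape_for_html(text):
    # (d): turn < and > (and quotes) into entities before echoing user input into a page
    return html.escape(text, quote=True)

def new_csrf_token():
    # (f): random per-session secret to embed as a hidden form field
    return secrets.token_urlsafe(32)

def csrf_token_ok(session_token, form_token):
    # (f): reject the POST unless the submitted token matches the one in the session
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)

def find_user(conn, username):
    # (e): parameterised query; the driver quotes the value, so it is never parsed as SQL
    # (with MySQLdb the placeholder is %s instead of sqlite3's ?)
    cur = conn.execute("SELECT username FROM Users_secure WHERE username = ?", (username,))
    return [row[0] for row in cur.fetchall()]

def demo_db():
    # constructed in-memory stand-in for the team's MySQL database
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users_secure (username TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO Users_secure VALUES (?, ?)", ("alice", hash_password("wonderland")))
    return conn
```

In a CGI script the CSRF token would be stored in the session on GET, written into the form, and checked with csrf_token_ok() on POST before any database write.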

D. Document your changes and the security measures implemented in a file sy306_projectSecurityImplementation_teamX.docx. If your team had any security defense implemented for the initial project, describe that in the document too.

Deliverables

  1. All of your files should be in a folder called "secure" (without the quotes) on the Team Web drive. Your instructor will assume that your web pages are viewable at http://mope.academy.usna.edu/sy306-teamX/secure/index.html or index.py or whatever the entry page for your application is, where X is your team number.
  2. sy306_projectSecurityEval_teamX.docx in your “secure” folder should contain all the attacks that your team tried.
  3. Your project in the “secure” folder should have the security measures we discussed implemented, so the attacks discovered by other teams will not work anymore.
  4. sy306_projectSecurityImplementation_teamX.docx in your “secure” folder should have a description of all the security measures implemented.
  5. Paper submission. Each team should turn in the following hardcopy at the beginning of class on the due date, stapled together in the following order (coversheet on top):

    1. A completed assignment coversheet. Your comments will help us improve the course.
    2. The paper copy of the completed sy306_projectSecurityEval_teamX.docx
    3. The paper copy of the completed sy306_projectSecurityImplementation_teamX.docx