SY306 – Web and Databases for Cyber Operations
For this project, you will practice web security offense and defense, on your and your classmates’ projects.
This project will be done in teams, the same teams as for project 1.
1. Create a zip file containing everything in your /web/html/sy306-teamX folder
2. If you did not submit your zip file on Blackboard for Project 1 (one submission per team required), do that now
3. Create a folder on your team web drive (/web/html/sy306-teamX) called "secure" (without the quotes) and store your work in that directory.
4. Copy (do not move) your team project files into your “secure” directory on the team drive. Make sure you do not move the files, so the original files can still be used.
5. Save the current state of your database, so you can later restore it if needed:
From the command line:
i. ssh into mope.academy.usna.edu
ii. on the shell on mope, execute the following commands:
mysqldump -u mYYYYYY -p -h mope sy306teamX > initialProjectDB_teamX.sql
iii. Check that the file initialProjectDB_teamX.sql was created in your “secure” folder
Part 1: Offense
For this part, you and your teammates will attack the project of the “next” team (team 1 attacks team 2, team 2 attacks team 3, …, team 6 attacks team 1) and a sample project provided by your instructor and available at http://mope.academy.usna.edu/~adina/sy306/toAttack/proj1-teamX/index.py .
All attacks, successful or not, must be documented in such a way that the instructor can reproduce them. Download sy306_projectSecurityEval.docx from here (right-click and "Save link as...") and store it in your “secure” project directory. Record all attacks and their results in this document. Include screenshots if needed.
Part 2: Defense
A. Make sure all your files for the project are copied to your “secure” sub-folder. All the modification for this project will be done in this folder. Do NOT modify the files outside the “secure” folder.
B. Make all the modifications needed so your project works correctly/as before from your “sy306-teamX/secure” directory. Note that if you used relative links in your project, this should be an easy task. Notepad++’s “Find in files” option should be helpful (search for sy306-team… for example, so you can change any absolute links you might have).
C. In your “secure” folder, implement defensive measures to prevent the attacks that your colleagues might come up with for your website. Do NOT modify the files outside the “secure” folder. Do NOT modify the tables in your database. If needed, create new tables with a different name (e.g. Users_secure, Messages_secure). At the minimum, you must
a. Limit input size for the post to some reasonable length (in Python)
b. Do not store passwords in plain text (see example in “sessions” class on how to use a hash function in Python)
c. Duplicate all/any JS checks in Python
e. Use parametrized queries (similar to the class examples) to the database to prevent SQL injections
f. Implement the “secret/CSRF token” approach or a captcha to prevent Cross-Site Request Forgery attacks
You can implement any other security measures that you think will improve the security of your application
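The following is an added illustration of the minimum defensive measures listed above (items a, b, e and f), not code from the course or from any team's project. It assumes a message-posting application with Users_secure and Messages_secure tables; an in-memory sqlite3 database stands in for the team MySQL database so it runs offline (the placeholder is "?" here and "%s" with a MySQL driver), and salted PBKDF2 is assumed as the password hash.

```python
# Added example: defensive helpers for the "secure" copy of a Python project.
import hashlib, hmac, secrets, sqlite3

MAX_POST_LEN = 500  # assumed reasonable limit for a post body (measure a)

# Stand-in for the team's MySQL database; new tables, not the originals.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE Users_secure (username TEXT PRIMARY KEY, salt TEXT, pwhash TEXT)")
DB.execute("CREATE TABLE Messages_secure (username TEXT, body TEXT)")

def valid_post(body):
    """Server-side length check, duplicating what a JS check would do (measures a, c)."""
    return 0 < len(body) <= MAX_POST_LEN

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt_hex, digest_hex) (measure b)."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return salt, digest.hex()

def register(username, password):
    salt, digest = hash_password(password)
    # Parameterized INSERT: user input never becomes part of the SQL text (measure e).
    DB.execute("INSERT INTO Users_secure VALUES (?, ?, ?)", (username, salt, digest))

def check_login(username, password):
    row = DB.execute("SELECT salt, pwhash FROM Users_secure WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def new_csrf_token():
    """Per-session secret token to embed as a hidden form field (measure f)."""
    return secrets.token_urlsafe(32)

def csrf_ok(session_token, form_token):
    """Accept the form only if the submitted token matches the one stored in the session."""
    if session_token is None or form_token is None:
        return False
    return hmac.compare_digest(session_token, form_token)

def post_message(username, body, session_token, form_token):
    if not csrf_ok(session_token, form_token) or not valid_post(body):
        return False
    DB.execute("INSERT INTO Messages_secure VALUES (?, ?)", (username, body))
    return True

def messages_for(username):
    return [r[0] for r in DB.execute("SELECT body FROM Messages_secure WHERE username = ?", (username,))]
```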
D. Document your changes and security measures implemented in a file sy306_projectSecurityImplementation_teamX.docx. If your team had any security defense implemented for the initial project, describe that in the document too.
5. Paper submission. Each team should turn in the following hardcopy at the beginning of class on the due date, stapled together in the following order (coversheet on top):