IT350: Web & Internet Programming

Lab 9: Web Application Security

Introduction

We talked about security this week, and you're well on your way with your project. For this lab, we will practice web security offense and defense on your own and your classmates' projects.


First 10 Minutes: Project Backup

Each person on the team: create a folder on your Web drive called "Lab09"

Then copy your team project to your Lab09 directory so you will have a copy of the project that can be safely hacked/broken.

To ensure that permissions are set correctly on this new Lab09 directory, ssh into mich316csdYYu.academy.usna.edu (you can use 01 to 20 for YY) with PuTTY or another SSH client, using your normal credentials. Type the following (replace XXXXXX with your alpha) at the command prompt:

cd public_html

setfacl -R -m u:www-data:rwx Lab09

setfacl -R -dm u:www-data:rwx Lab09

setfacl -R -m u:mXXXXXX:rwx Lab09

setfacl -R -dm u:mXXXXXX:rwx Lab09

Make all the modifications needed so your project works correctly in your Lab09 directory. Note that if you used relative links in your project, this should be an easy task. Notepad++’s "Find in files" option should be helpful (search for it350-teamX, for example).


50 Minutes: Hack Attack (in teams)

For this part, you and your teammates will attack the projects created by the other teams in your section (teams 1, 2, and 6 in period 3; teams 3-6 in period 2). Each team starts by attacking the project created by the "next" team in your section (team 1 attacks team 2, team 2 attacks team 3, etc., and team 6 attacks team 1). Do not attack the actual team website, but one of the Lab09 copies.

Your attacks should attempt to create unexpected behavior in the application (for example through HTML injection or JavaScript injection), gain access to protected pages, gather passwords, etc.

All attacks, successful or not, must be documented in such a way that the instructor can reproduce them. Have one team member download your attack reporting document and store it in their Lab09 directory. Record all attacks and your results in this document.


50 Minutes: Defense (in teams)

Implement defensive measures to prevent the attacks that your classmates just used on you. Implement them on your main team code, not the Lab09 copies. Even if the attacks were not very successful, you still must implement logical defenses. At the minimum, you must:

  • Prevent directory listing (have an index.html in each directory)
  • Protect sensitive files (change the .txt extension to .txt.pl so the server runs the file instead of serving it)
  • Do not store passwords in plain text (use crypt or another hashing function)
  • Duplicate all JS checks in Perl (the browser-side checks can be bypassed)
  • Limit input size in Perl (use substr)
  • Prevent HTML and JavaScript injections by escaping < and >
  • Make sure all scripts/pages that are in the "member" or "admin" areas check the cookies and do not display unless the correct cookies are set

Keep track of your defenses on your defense log.
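The following Perl script is an added example, not code from the lab handout or from any team project. It collects the server-side items of the minimum defense list (input length limit, duplicated validation, escaping, crypt-based password hashing, and a cookie gate for member/admin pages) as reusable subs that a protected script can `require`. The cookie name `it350_session`, the 40-character limit, the username pattern, the role names `member`/`admin` and the `sessions` mapping are assumptions for illustration; the two file-level items (index.html in each directory, renaming .txt to .txt.pl) are not code and are not shown.

```perl
#!/usr/bin/perl
# Added example, not part of the course handout. Assumed names (illustration
# only): cookie "it350_session", limit MAX_LEN, roles "member"/"admin", and a
# server-side session map that a real script would load from a .txt.pl file.
use strict;
use warnings;

use constant MAX_LEN => 40;   # assumed per-field limit

# Limit input size: truncate on the server even if the JavaScript check
# already did, because an attacker can skip the browser entirely.
sub limit_input {
    my ($value, $max) = @_;
    $max = MAX_LEN unless defined $max;
    return '' unless defined $value;
    return substr($value, 0, $max);
}

# Duplicate the JS check in Perl: the same pattern the form enforces
# client-side (assumed pattern).
sub valid_username {
    my ($u) = @_;
    return (defined $u && $u =~ /\A[A-Za-z0-9_]{3,20}\z/) ? 1 : 0;
}

# Prevent HTML/JavaScript injection: the list requires < and >; & and the
# quote characters are escaped too so a value echoed inside an attribute
# cannot break out of it.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Do not store passwords in plain text: crypt() with a fresh random salt.
# With glibc a "$6$" prefix selects SHA-512 crypt; a crypt() that ignores the
# prefix silently falls back to 13-character DES output, so verify the prefix
# of the hash before storing it.
sub hash_password {
    my ($plain) = @_;
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt  = join '', map { $chars[rand @chars] } 1 .. 16;
    my $hash  = crypt($plain, '$6$' . $salt . '$');
    die "crypt() does not support SHA-512 on this host\n" unless $hash =~ /^\$6\$/;
    return $hash;
}

# Verify by re-crypting with the stored hash as the salt argument; crypt()
# reads the algorithm prefix and salt out of it.
sub check_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $plain && defined $stored && length $stored;
    return crypt($plain, $stored) eq $stored ? 1 : 0;
}

# Parse the browser's Cookie header into a hash ref (no CGI.pm dependency).
sub read_cookies {
    my ($header) = @_;
    $header = $ENV{HTTP_COOKIE} unless defined $header;
    my %c;
    for my $pair (split /;\s*/, ($header // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        $c{$k} = $v if defined $k && defined $v;
    }
    return \%c;
}

# Gatekeeper for "member"/"admin" scripts: call it at the top, before any HTML
# is printed. %$sessions maps session id -> role and lives on the server; a
# "role" cookie set by the browser is never consulted, only the session id.
# Returns the role, or redirects to the login page and exits.
sub require_role {
    my ($needed, $sessions, $cookies) = @_;
    $cookies = read_cookies() unless $cookies;
    my $sid  = $cookies->{it350_session};
    my $role = (defined $sid && $sid =~ /\A[A-Za-z0-9]{32}\z/) ? $sessions->{$sid} : undef;
    my %rank = (member => 1, admin => 2);
    if (!defined $role || ($rank{$role} // 0) < ($rank{$needed} // 99)) {
        print "Status: 302 Found\r\nLocation: login.pl\r\n\r\n";
        exit;
    }
    return $role;
}

# Demonstration when run directly; a protected script would just call the subs.
unless (caller) {
    my $h = hash_password('correct horse');
    print "stored hash:    $h\n";
    print "right password: ", check_password('correct horse', $h), "\n";
    print "wrong password: ", check_password('wrong', $h), "\n";
    print "escaped:        ", escape_html('<b>hi</b> & "x"'), "\n";
    print "truncated:      ", limit_input('x' x 100, 10), "\n";
    print "valid name:     ", valid_username('mid_2024'), "\n";
}
```

Running it directly prints a SHA-512 crypt hash, 1 and 0 for the right and wrong password, the escaped string, and the truncated input; a member-area script would instead `require` the file and call `require_role('member', \%sessions)` as its first statement so nothing is rendered for a browser without a valid session cookie.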

Deliverables

  1. Hand in one copy per team of the attackReporting.docx document. It should describe all of the attacks that your team tried.
  2. Hand in one copy per team of the defenseReporting.docx document. It should describe all of the defenses you implemented.
  3. Your team directory should have the security measures listed in the defense document. We expect you to have blocked everything the other teams found, as well as the minimum defense requirements listed above.