Lab 3 Assignment (Web Security)



CS 5910 Fundamentals of Computer/Network Security - 3 Credit Hours (Fall 2011 CS 5910 001 22383)
Instructor: Chuan Yue

Please follow the requirements and due date specified in the Syllabus to submit your work. Please also include a comment to tell me: How much time did you spend on this assignment?

Acknowledgments: The usage of AWS (Amazon Web Services) cloud infrastructure for this lab exercise is enabled by an AWS Teaching Grant awarded to Dr. Chuan Yue in 2011.

AWS account and EC2 (Elastic Compute Cloud) Instance Setup: please make sure to read the information at: http://www.cs.uccs.edu/~cyue/teaching/cs5910labmaterial/cs5910aws.html

Important Note: Like other cloud service providers, Amazon uses the pay-as-you-go pricing model. In our lab exercises, normally (unless explicitly specified) you only need to create one EC2 instance. Meanwhile, please make sure to stop your EC2 instance when you are not using it, so that Amazon does not charge my account while the service is not in use. Please do not stop or start other people's instances.

Lab Description: Students will identify two types of Web attacks in this lab. One is Command Injection attacks, and the other is Cross-Site Scripting (XSS) attacks. You need to answer the specified questions in the following lab content and steps, and submit your answers in a PDF or Word file. You are also required to answer a short survey after you finish the lab.

Lab Content and Steps:

1. Reuse your EC2 instance created in Lab 1 and Lab 2. You need to start your Apache 2 and enable Web traffic if you disabled them in Lab 2. (Note: the login URL is: https://cs5910uccs.signin.aws.amazon.com/console)

2. Command Injection Attack

2.1 Start your EC2 instance and the Apache 2 web server.

Question 1: (5 points)
(a) What are the users and groups pre-created on your EC2 instance? What is the main reason (in terms of security) for creating so many users and groups?
(b) What are the running user and running group of those Apache 2 processes? Which Apache 2 configurations are used to specify the running user and running group? Why are such configurations used?

2.2 Host the extremeinsecure Web application on your EC2 Apache Web server by
(1) wget http://www.cs.uccs.edu/~cyue/teaching/cs5910labmaterial/extremeinsecure.tar.gz
(2) extracting the .tar.gz file to the appropriate directory of the Apache 2 Web server
(3) properly setting the permissions of the extracted directory and files so that the nine.htm and one.php webpages in the extremeinsecure directory can be properly accessed by anyone through a Web browser, e.g., by typing (you need to use the DNS name of your EC2 instance): http://ec2-107-22-61-168.compute-1.amazonaws.com/extremeinsecure

Fall 2011 CS5910 001 22383 Lab 3 Web Security Page 1 of 5

Question 2: (5 points)
(a) What are the permissions that you have assigned to the extremeinsecure directory and the files in it (you can run ls -l and copy the results from the screen)?

2.3 Identify and verify the command injection vulnerability in this Web application.

Question 3: (15 points)
(a) What is that vulnerability and how did you figure it out? What are the risks due to this vulnerability? (Hint: you may identify the vulnerability by either trying this Web application, doing a source code inspection, or running a third-party Web application vulnerability scanning tool.)
(b) Demonstrate this vulnerability by using at least three attack examples. You need to provide the details about the attack procedure, input, and the corresponding output for each example.

2.4 Perform a special attack by using the following steps:
(1) Create a directory named confidential under the /var directory.
(2) Create a file named bankinfo.txt in the confidential directory containing the sentence: I have $1,00,000 in my bank account. I am so happy because NO ONE can know this. Yay!!
(3) Change the owner of the confidential directory and bankinfo.txt to the current running user of those Apache 2 processes. (Hint: use the chown command.)
(4) Set the permissions of the confidential directory so that it is only readable, writable, and executable by the owner. Other users do not have any access rights to this directory.
(5) Set the permissions of bankinfo.txt so that it is only readable and writable by the owner. Other users do not have any access rights to this file.

Question 4: (15 points)
(a) What are the permissions that you have assigned to the confidential directory and the bankinfo.txt file (you can run ls -l and copy the results from the screen)?
(b) Demonstrate that you can take advantage of the above identified vulnerability to read the content of bankinfo.txt by only using a browser on any computer. You need to provide the details about the attack procedure, input, and the corresponding output.
(c) Demonstrate that you can take advantage of the above identified vulnerability to change the content of bankinfo.txt (still only using a browser on any computer) to: I have $2,00,000 in my bank account. I am so happy because NO ONE can know this. Yay!! That is, only the amount of money is doubled; the size of the bankinfo.txt file does not change. You need to provide the details about the attack procedure, input, and the corresponding output.
(d) Analyze why such a confidential file outside of the Apache www directory can be read and modified.

2.5 Propose a solution to fix the command injection vulnerability in this Web application. Also propose a solution to further reduce the potential risks that the Apache server can introduce to this Linux system (Hint: for this solution, you can either consider enforcing file create/access policies or consider changing Apache configurations).

Question 5: (15 points) Describe your solutions and verifications.

3. Cross-Site Scripting (XSS) Attack

3.1 Host the XSS Web application on your EC2 Apache Web server by
(1) wget http://www.cs.uccs.edu/~cyue/teaching/cs5910labmaterial/xss.tar.gz
(2) extracting the .tar.gz file to the appropriate directory of the Apache 2 Web server
(3) properly setting the permissions of the extracted directory and files so that the webpages in the XSS directory can be properly accessed by anyone through a Web browser, e.g., by typing (you need to use the DNS name of your EC2 instance): http://ec2-107-22-61-168.compute-1.amazonaws.com/xss

3.2 Visit the XSS Web application using a browser
(1) You will see two links as shown below. Click the "First, visit this page!" link to visit setgetcookie.htm.
(2) On setgetcookie.htm, fill in the username/password form, then click the Set cookie and Show cookie buttons to make sure this website has set a cookie in your browser.
(3) Go back and click the "Then, visit this page!" link to visit malurl.htm. You will see two links on this malurl.htm page as shown below, but neither of them works right now.
(4) Change the malurl.htm of your XSS Web application so that when you click the first "EMC's RSA Security Breach May Cost Bank Customers $100 Million" link, the cookie stored in your browser for this website is sent to an attacker's server (that's my EC2 instance) using an HTTP GET request with the following format:

Note: you must use the above address and format, so that the stealcookie.php on my EC2 instance can receive and verify your submission record. Here, COOKIES means the complete cookie content saved in your browser for this website (i.e., document.cookie), so it should include a pair of username and password values. The file stealcookie.php is also included in xss.tar.gz, so that you can use it to test your attack locally on your EC2 instance before actually sending the stolen cookies cross-site to my EC2 instance.

Hint: there could be multiple solutions. One solution is to simply replace the current href value ("#") of the first link in malurl.htm with a piece of JavaScript code; nothing else needs to be changed. Note that if you use this solution and you move the mouse over the link, you may notice that my EC2 address information (ec2-107-22-79-75) is shown in the status bar of your browser. So a security-conscious user may notice this and may not be tricked into clicking the link.

Question 6: (15 points) What are your changes to the malurl.htm file? What is the public DNS of your EC2 instance used in this task? What are your verification results? Explain this XSS attack.

(5) Make the attack stealthier, so that when you move the mouse over the second link, my EC2 address information (ec2-107-22-79-75) is not shown in the status bar of your browser. In this case, a security-conscious user may also be tricked into clicking the second link. Still, when you click this second "EMC's RSA Security Breach May Cost Bank Customers $100 Million" link, the cookie stored in your browser for this website is sent to an attacker's server (that's my EC2 instance) using an HTTP GET request with the following format:

Note: you must use the above address and format, so that the stealcookie.php on my EC2 instance can receive and verify your submission record.

Hint: there could be multiple solutions. One simple solution is to add a redirectpage.htm webpage in the XSS directory; you don't need to change malurl.htm because redirectpage.htm has already been specified in it.

Question 7: (15 points) Describe the details of your solution. If you use the redirectpage.htm solution, please provide the content of this file. What is the public DNS of your EC2 instance used in this task? What are your verification results?

(6) Basically, the above two links illustrated persistent (or stored) XSS attacks. That is, if an attacker can store such links on your legitimate webpages or websites, they can perform attacks such as cookie stealing. This XSS Web application is also vulnerable to non-persistent (or reflected) XSS attacks. In this task, demonstrate that the above cookie-stealing attacks can also happen by using reflected XSS attacks. In other words, reflected XSS attacks can also send the cookie stored in your browser for this website to an attacker's server (that's my EC2 instance) using an HTTP GET request with the following format:

Note: you must use the above address and format, so that the stealcookie.php on my EC2 instance can receive and verify your submission record.

Hint: you don't need to make any change to this existing XSS Web application. You simply need to demonstrate the vulnerability by cleverly constructing input to this XSS Web application.

Question 8: (15 points) Describe the details of your attacks (including the input you used). What is the public DNS of your EC2 instance used in this task? What are your verification results?
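For the fix asked for in section 2.5, the following handler is an added example and is not the lab's one.php (whose source is not reproduced on this page). It assumes the vulnerable page passes a request parameter, here called host, into a shell command such as ping; the validation and quoting are what stop a parameter from being read as further shell commands.

```php
<?php
// Added example, not the lab's code. Assumption: the weak page does something
// like  system("ping -c 1 " . $_GET['host']);  so shell metacharacters in
// the parameter are interpreted by the shell. Two independent controls below:
// (1) strict allowlist validation, (2) shell-argument quoting.

function validateHost(string $host): ?string {
    // Allowlist: hostnames / IPv4 literals only (letters, digits, dot, hyphen).
    // The D modifier makes $ match only at the very end (no trailing newline).
    if (strlen($host) === 0 || strlen($host) > 253) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/D', $host)) {
        return null;
    }
    return $host;
}

function safePing(string $rawHost): string {
    $host = validateHost($rawHost);
    if ($host === null) {
        // Reject bad input outright instead of trying to "clean" it.
        http_response_code(400);
        return '<p>Invalid host name.</p>';
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so characters such as ; | & ` $ lose their meaning to the shell.
    $cmd = 'ping -c 1 ' . escapeshellarg($host) . ' 2>&1';
    $output = shell_exec($cmd);
    // Encode before echoing so command output cannot itself inject HTML.
    return '<pre>' . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Defence in depth for the second part of 2.5 (limiting what Apache/PHP can
// reach on the system): in php.ini, open_basedir = /var/www/ confines PHP's
// file access to the web root, and confidential files must not be owned by
// (or readable to) the Apache running user in the first place.
echo safePing($_GET['host'] ?? '');
```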
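The cookie-stealing chain in section 3 (a link or reflected input that runs script reading document.cookie) is broken on the server side by output encoding and by cookie flags. The block below is an added example, not part of the lab's xss application; it assumes a reflected parameter named q and a cookie set by the server. The lab's setgetcookie.htm sets its cookie from JavaScript, which HttpOnly cannot protect, so the flag only helps once the cookie is issued by the server.

```php
<?php
// Added example, not the lab's code. Shows (1) context-aware output encoding
// for anything reflected from the request and (2) session cookie flags that
// keep the value out of document.cookie. Parameter name "q" is assumed.

function encodeForHtml(string $value): string {
    // ENT_QUOTES also encodes ' and ", so the value is safe inside attributes
    // as well as element text; ENT_SUBSTITUTE replaces invalid UTF-8 sequences.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safeHref(string $value): string {
    // For values placed in href/src: accept only absolute http(s) URLs, which
    // rules out javascript: URLs like the one the lab's first link relies on.
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false || !preg_match('#^https?://#i', $url)) {
        return '#';
    }
    return encodeForHtml($url);
}

// Server-issued session cookie (PHP 7.3+ options-array form of setcookie).
// HttpOnly: not readable via document.cookie, so an injected script cannot
// exfiltrate it. Secure: never sent over plain HTTP. SameSite: not attached
// to cross-site requests. Credentials such as passwords never go in a cookie;
// the cookie carries only an opaque random session identifier.
setcookie('session', bin2hex(random_bytes(16)), [
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
    'path'     => '/',
]);

$q    = $_GET['q'] ?? '';
$link = $_GET['link'] ?? '';
echo '<p>You searched for: ' . encodeForHtml($q) . '</p>';
echo '<a href="' . safeHref($link) . '">' . encodeForHtml($link) . '</a>';
```

With these controls the reflected and stored variants in 3.2(4) through 3.2(6) render the injected text as literal characters, and even a successful script injection elsewhere on the site can no longer read the server-issued cookie.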