In this assignment you will take on the role of Web Security Advisor. You will be asked to use your expertise in web security to analyse 1) some live websites and 2) some code. This assignment assumes you're familiar with the techniques presented during the lectures. Apart from that, it is assumed that you like solving puzzles. :) Don't worry, the majority of the assignments won't be that hard. The final product will be a concise report of your findings.
For assignments 2.4 and 2.7, you will need a password. You will receive an e-mail message with a password at email@example.com from Bas de Haas on or before Monday, March 15. When you arrive at the URL for the assignment, you first need to log in using your student login and the password you received by e-mail. After this, you'll be able to see the site that is the target of the assignment. (Note that this sandbox is not the target of these assignments.)
A colleague is developing a special type of wiki. Part of it is this code.
Have a look at the following PHP code snippet. Is this code secure? (No.) Give an example of user input that could have severe consequences. How would you modify the code to prevent this?
The first live site you'll have to audit is an example of a typical content-management-system driven website.
The content-editing module of this website is absolutely guaranteed to be secure, and has therefore been omitted from this audit. You may thus focus all your attention on investigating whether exploitable insecurities exist in the content-presentation part of the website.
To keep further development flexible, the commissioner of this evaluation requests that, if you find a possible security breach, you suggest at least two possible fixes. As logins will not be publicly available, they won't be available to you either. In the final product, logins will only be provided to fully trusted, thoroughly screened employees who will not leak classified information.
The second live site you'll have to audit is a prototype for secure mark administration (login required, see 'Before you begin'). If you want to log out as a student, you can do so here.
On the mark administration site itself, normal users (e.g. students) are supposed to be able to log in and check the (partial) marks for the courses they're enrolled in. Powerusers (e.g. lecturers) are provided with an editable overview of these marks for all students enrolled in the courses they're teaching. Normal users should not be able to assume a poweruser role or otherwise acquire poweruser privileges.
During the test phase, you can use your regular CS login name to log in. The password you should use is again your normal CS login, but in reverse. (So you can log in as other INP participants if you know their logins.) Please investigate whether this prototype is properly armoured, and report on how possible weaknesses should be repaired.
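The requirement above is an authorization rule: the role must come from state the server controls, and a normal user must only ever reach their own record. The following Python model, added here as an illustration and not the code of the prototype under audit, shows both checks (role check and per-record check) enforced from a server-side session store. All names, tokens, courses and marks are constructed sample data.

```python
"""Server-side role and record checks for a marks-administration site.

Added example (hypothetical): the session store, course data and marks are
constructed for illustration and are not taken from the site under audit.
"""

# Constructed sample data: who teaches what, who is enrolled where, and marks.
COURSE_LECTURERS = {"inp": {"lecturer1"}, "algo": {"lecturer2"}}
ENROLMENTS = {"inp": {"student1", "student2"}, "algo": {"student2"}}
MARKS = {
    ("inp", "student1"): 7.5,
    ("inp", "student2"): 6.0,
    ("algo", "student2"): 8.0,
}

# Server-side session store: the role is looked up here, never read from the request.
SESSIONS = {
    "tok-s1": {"user": "student1", "role": "normal"},
    "tok-l1": {"user": "lecturer1", "role": "poweruser"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


def current_user(session_token):
    """Resolve a session token to a server-side identity; unknown tokens are rejected."""
    session = SESSIONS.get(session_token)
    if session is None:
        raise Forbidden("no valid session")
    return session["user"], session["role"]


def view_marks(session_token, course, student, **request_params):
    """Return the mark for (course, student) if the caller may see it.

    Extra request parameters (such as a client-supplied role=poweruser) are
    accepted by the signature only to show that they are deliberately ignored.
    """
    user, role = current_user(session_token)
    if role == "poweruser":
        # Role check: a lecturer only sees the courses they actually teach.
        if user not in COURSE_LECTURERS.get(course, set()):
            raise Forbidden("poweruser does not teach this course")
    elif student != user:
        # Record-level check: a normal user may only read their own record.
        raise Forbidden("normal users may only view their own marks")
    if student not in ENROLMENTS.get(course, set()):
        raise Forbidden("student not enrolled in course")
    return MARKS.get((course, student))


def update_mark(session_token, course, student, new_mark):
    """Only a poweruser teaching the course may change a mark."""
    user, role = current_user(session_token)
    if role != "poweruser" or user not in COURSE_LECTURERS.get(course, set()):
        raise Forbidden("only the course lecturer may edit marks")
    if student not in ENROLMENTS.get(course, set()):
        raise Forbidden("student not enrolled in course")
    MARKS[(course, student)] = float(new_mark)
    return MARKS[(course, student)]


def allowed(fn, *args, **kwargs):
    """True if the call succeeds, False if the server refuses it."""
    try:
        fn(*args, **kwargs)
        return True
    except Forbidden:
        return False
```

The design point is that neither function ever consults anything the client sends to decide the role; the session token is the only input that influences authorization, and the per-record check is applied even after the role check passes.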
Validation of user input is a very important aspect of web security. One of the most powerful tools one can use for validation is the regular expression. Mastering the syntax of regular expressions may not be easy, but when applied well it pays off with secure input to your web application. Answer the next questions concerning regular expressions.
The third live site you're asked to examine is an auctioning site. This site has two features that need to be checked for safety.
A: Bidding. Several sellers offer 'items' on this site; visitors may place bids. Bidders need not register, but they should enter a valid e-mail address so the seller can contact them. All bids should be handled in a secure manner.
B: User info. Visitors may request additional information on the sellers, but bots should be prevented from gathering this info. To achieve this, so-called 'captchas' have been used to make sure only real people have access.
Report on any security issues you find and describe how you would solve these.
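Both the regular-expression questions and the auction site's bid form come down to the same discipline: validate each field against a whitelist pattern that is anchored to the whole input. The following Python example, added here and not part of the assignment or the audited site, validates the two fields an anonymous bidder submits (an e-mail address and a bid amount) and shows the classic anchoring mistake beside the correct form. The patterns are constructed for illustration; the e-mail pattern is deliberately stricter than the full RFC grammar.

```python
import re

# Constructed whitelist patterns (assumptions, not the site's own rules):
# an ASCII local part, one or more dotted host labels, and a 2-63 letter TLD.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)
# A bid: up to 7 integer digits (no leading zeros), optionally exactly two decimals.
BID_RE = re.compile(r"(?:0|[1-9][0-9]{0,6})(?:\.[0-9]{2})?")


def is_valid_email(value):
    """Correct form: fullmatch() anchors the pattern to the entire input.

    Unlike '^...$', fullmatch() also refuses a trailing newline, which '$'
    would silently allow.
    """
    return bool(EMAIL_RE.fullmatch(value))


def is_valid_email_unanchored(value):
    """The common mistake: search() accepts any input that merely contains a match."""
    return bool(EMAIL_RE.search(value))


def parse_bid(value):
    """Return the bid in cents as an int, or None if the input is not an acceptable amount.

    Validating and converting in one step means later code only ever sees an
    integer, never the raw string.
    """
    value = value.strip()
    if not BID_RE.fullmatch(value):
        return None
    whole, _, frac = value.partition(".")
    return int(whole) * 100 + (int(frac) if frac else 0)
```

Note that `parse_bid` rejects anything it cannot convert rather than trying to clean the input up; a whitelist that fails closed is far easier to reason about than a blacklist of characters to strip.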
Recently you learned a lot more about web security. For this assignment, you'll be asked to study a calendar site.
The site can be reached through this link (login required, see 'Before you begin'). For your convenience, some meta-features are provided through this link.
Now the assignment itself. It is very simple: everything is possible! Only your SQL (injection) skills may restrict how far you'll get. Yes, you can become destructive. But wouldn't it be much nicer to become site administrator without doing anything destructive? Of course, you'll have to make some (educated) guesses about table and column names, but this is doable. Before anything else, you'll want to become a known user.
Some useful pointers:
Write a concise 'report' on your findings: what queries did you use, how and why? What was the result of this? And if you were to fix the security leaks in this website, how would you do this? List several actions that would contribute to improved safety on different levels. Think about the PHP level, but also about the database level.
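The two levels the report asks about can be shown side by side. The following example is added here and is not code from the calendar site; it is written in Python rather than PHP so that it runs stand-alone, but the PHP-level fix it demonstrates is the same one a PDO `prepare()`/`execute()` pair gives you: the query text is fixed and user input is bound as data. The database-level measure, a separate account that may only read the tables the page needs, is simulated with SQLite's authorizer hook, since SQLite has no GRANT; on a real server you would create such an account with the database's own privilege system. The table, users and probe input are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "secret-a", 1), ("bob", "secret-b", 0)],
    )
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """The concatenated query: user input becomes part of the SQL text itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """PHP-level fix: a parameterised query. Input is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def restrict_to_reads(conn, allowed_tables):
    """Database-level fix, simulated: the connection may only SELECT from allowed tables.

    Stands in for a least-privilege database account. Every other action
    (UPDATE, DELETE, DROP, CREATE, reads of other tables) is refused by the
    database, whatever the application code tries to run.
    """
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in allowed_tables:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def attempt(conn, sql):
    """Run a statement under the restricted connection; True if the database allowed it."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False
```

The two measures are complementary: the parameterised query stops the injection, and the restricted account limits what an injection that slipped through elsewhere could do. With the authorizer in place, `login_safe` still works, while an `UPDATE` or `DROP TABLE` is refused by the database itself.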
Although this may seem like a lot, please note that we do not ask you to write actual solutions for all given security hazards. For assignments 2.3, 2.4, 2.6 and 2.7 you are asked to write down what the problem is and how you would solve this. For assignments 2.1, 2.2 and 2.5 you have to provide direct solutions with a short description if necessary. The most important website security issues are treated in this assignment, so after completion you should be able to develop secure websites!
You should send in your report in either Word (.doc) or PDF (.pdf) format. In your report you should describe your findings concisely. In other words: don't write an entire book. To help you in this, we impose a maximum of 5 pages A4 (in easily readable font size).
Submit using Submit. Note that the maximum file size in Submit is 2000 kb for this assignment (which ought to be more than enough). Don't forget to mention:
More submission details can be found here.
Some tips for this assignment: