Assignment 2: Website Security

Introduction

In this assignment you will take on the role of Web Security Advisor. You will be asked to use your expertise in web security to analyse 1) some live websites and 2) some code. This assignment assumes you're familiar with the techniques presented during the lectures. Apart from that, it is assumed that you like solving puzzles. :) Don't worry, the majority of the assignments won't be that hard. The final product will be a concise report of your findings.

Before you begin

For assignments 2.4 and 2.7, you will need a password. You will receive an e-mail message with a password at login@cs.uu.nl from Bas de Haas on or before Monday, March 15. When you arrive at the URL for the assignment, you first need to log in using your student login and the password you got by e-mail. After this, you'll be able to see the site that is the target of the assignment. (Note that this sandbox is not the target of these assignments.)

Assignment 2.1: A nice piece of work

A colleague is developing a special type of wiki. Part of it is this code.

  1. What does it do? Describe the functionality.
  2. Obviously, the editing function is important for a wiki. In its current version, user input may break this functionality forever. Find and describe a way to circumvent this, making the editing functionality permanent.
  3. The user trust-policy says that only properly registered users should be allowed full functionality, others may only see the current state of the wiki without editing. Describe how you'd adapt the code for this.
  4. This type of wiki has rather powerful properties. This scares the system administrators: they demand that they can control which functions cannot be called by the script. They want to be able to define this in a file called 'youshallnot.txt' (one function name per line). Describe how you'd adapt the code to read that file and make sure those functions cannot be called, while at the same time maintaining script functionality as much as possible.

Assignment 2.2: Updating a user profile

Have a look at the following PHP code snippet. Is this code secure? (No.) Give an example of user input that could have severe consequences. How would you modify the code to prevent this?

Assignment 2.3: Fashion Globe Deluxe

The first live site you'll have to audit is an example of a typical content-management-system driven website.

The content-editing module of this website is absolutely guaranteed to be secure, and has therefore been omitted from this audit. You may thus focus all your attention on investigating whether possibly exploitable weaknesses exist in the content-presentation part of the website.

To make further development flexible, the commissioner of this evaluation requests that, if you find a possible security breach, you suggest at least two possible fixes. As logins will not be publicly available, they won't be available to you either. In the final product, logins will only be provided to fully trusted, thoroughly screened employees who will not leak classified information.

Assignment 2.4: Mark administration

The second live site you'll have to audit is a prototype for secure mark administration (login required, see 'Before you begin'). If you want to log out as a student, you can do so here.

On the mark administration site itself, normal users (e.g. students) are supposed to be able to log in and check the (partial) marks for the courses they're enrolled in. Powerusers (e.g. lecturers) are provided with an editable overview of these marks for all students enrolled in the courses they're teaching. Normal users should not be able to assume a poweruser role or otherwise acquire poweruser privileges.

During the test phase, you can use your regular CS login name to log in. The password you should use is again your normal CS login, but in reverse. (So you can log in as other INP participants if you know their logins.) Please investigate whether this prototype is properly armoured, and report on how possible weaknesses should be repaired.

Assignment 2.5: Validation with regular expressions

Validation of user input is a very important aspect of web security. One of the most powerful tools one can use for validation is the regular expression. Mastering the syntax of regular expressions may not be easy, but when applied well it pays off with secure input to your web application. Answer the following questions concerning regular expressions.

  1. Give a regular expression that checks whether a string is a valid IPv6 address. (Case insensitive; leading zeroes may be omitted, but do not allow :: as a replacement for 0000, so here 2001::2344 should be invalid.)
  2. Give a regular expression that checks whether a string is a full name with at least a first and last name. (Allowed formats: Pino van Sesamstraat, dhr. Ome Willem, Mevrouw Stemband, dhr. prof. dr. Arno P.J.M. Siebes)
  3. Write a piece of PHP code that checks whether a string is a valid date in dd-mm-yyyy format. Do not use any of PHP's date functions, but do use regular expressions. (A date is valid iff the year is in the range [1-9999] and the day/month/year combination is possible; for example, 30-02-2007 is not a valid date.)
  4. /^[A-Z0-9._-]+\.[A-Z0-9._-]+\.[A-Z]{2,4}\/?[A-Z0-9/._-]*$/i
    This regular expression should check whether a URL is valid. Why is it not perfect? How would you improve it?
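As an added illustration for questions 3 and 4 (example code written for this page, not part of the course material, and in Python rather than PHP so it can be run directly): a dd-mm-yyyy validator built from a regular expression plus calendar arithmetic, and a small harness that runs the URL pattern from question 4 over constructed inputs to show where it is too strict and where it is too loose. The PHP delimiters and the /i flag are translated to re.IGNORECASE; the sample URLs are constructed for this example.

```python
import re

# Strict dd-mm-yyyy shape: ASCII digits only, whole-string match (fullmatch avoids
# the '$'-before-trailing-newline behaviour shown below for the URL pattern).
DATE_RE = re.compile(r"([0-9]{2})-([0-9]{2})-([0-9]{4})")

def is_valid_date(s: str) -> bool:
    """True iff s is dd-mm-yyyy, the year is 1..9999 and the day exists in that month."""
    m = DATE_RE.fullmatch(s)
    if not m:
        return False
    day, month, year = (int(g) for g in m.groups())
    if not (1 <= year <= 9999 and 1 <= month <= 12):
        return False
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days_in_month = (31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)
    return 1 <= day <= days_in_month[month - 1]

# The assignment's pattern: /.../i becomes re.IGNORECASE, the escaped \/ a plain slash.
URL_RE = re.compile(r"^[A-Z0-9._-]+\.[A-Z0-9._-]+\.[A-Z]{2,4}/?[A-Z0-9/._-]*$",
                    re.IGNORECASE)

def url_regex_accepts(url: str) -> bool:
    return URL_RE.match(url) is not None

# Constructed inputs. Legitimate URLs the pattern rejects (too strict) ...
REJECTED_BUT_VALID = [
    "example.com",                 # a bare second-level name has only one dot
    "http://www.example.com",      # ':' and '//' of a scheme are never allowed
    "www.example.com:8080/",       # no port numbers
    "www.example.com/search?q=1",  # no query strings
    "www.example.com/a%20b",       # no percent-encoding
]
# ... and strings it accepts although no such host can exist (too loose).
ACCEPTED_BUT_INVALID = [
    "www..example.com",            # empty label: the middle class allows '.'
    "-.-.com",                     # labels consisting of a single hyphen
    "www.example.com.-",           # trailing class lets '.' and '-' run on
    "www.example.com\n",           # '$' matches before a final newline (PCRE too)
]
# "www.example.museum" is also accepted: the trailing class swallows "um", so the
# {2,4} bound on the top-level domain is not actually enforced.

def regex_verdicts() -> dict:
    return {u: url_regex_accepts(u) for u in REJECTED_BUT_VALID + ACCEPTED_BUT_INVALID}
```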

Assignment 2.6: inpPlaats

The third live site you're asked to examine is an auction site. This site has two features that need to be checked for security.

A: Bids. Several sellers offer 'items' on this site; visitors may place bids. Bidders need not register, but they should enter a valid e-mail address so the seller can contact them. All bids should be handled in a secure manner.
B: User info. Visitors may request additional information on the sellers, but bots should be prevented from gathering this info. To achieve this, so-called 'captchas' have been used to make sure only real people have access.

Report on any security issues you find and describe how you would solve these.

Assignment 2.7: SafCal

Recently you learned a lot more about web security. For this assignment, you'll be asked to study a calendar site.

The site can be reached through this link (login required, see 'Before you begin'). For your convenience, some meta-features are provided through this link.

Then the assignment itself. It is very simple: everything is possible! Only your SQL (injection) skills may restrict how far you'll get. Yes, you can become destructive. But wouldn't it be much nicer to become site administrator without doing anything destructive? Of course, you'll have to make some (educated) guesses about table and column names, but this is doable. Before anything else, you'll want to become a known user.

Some useful pointers:

Write a concise 'report' on your findings: what queries did you use, how and why? What was the result of this? And if you were to fix the security leaks in this website, how would you do this? List several actions that would contribute to improved safety on different levels. Think about the PHP level, but also about the database level.

Final words

Although this may seem like a lot, please note that we do not ask you to write actual solutions for all given security hazards. For assignments 2.3, 2.4, 2.6 and 2.7 you are asked to write down what the problem is and how you would solve this. For assignments 2.1, 2.2 and 2.5 you have to provide direct solutions with a short description if necessary. The most important website security issues are treated in this assignment, so after completion you should be able to develop secure websites!

Important

You should send in your report in either Word (.doc) or PDF (.pdf) format. In your report you should describe your findings concisely. In other words: don't write an entire book. To help you in this, we impose a maximum of 5 pages A4 (in easily readable font size).

Submit using Submit. Note that the maximum file size in Submit is 2000 kb for this assignment (which ought to be more than enough). Don't forget to mention:

More submission details can be found here.

Tips & tricks

Some tips for this assignment:


lennart@cs.uu.nl