Monash University
FIT 2093 Introduction to Cyber Security
Assignment 2: Web Hacking Challenge
DUE DATE: Friday 28 May 2021 11:59pm GMT.
In this assignment, your goal is to do security testing of a mini web application, trying to find
vulnerabilities in it using techniques covered in our Web security lecture, and to exploit them to break the
app’s security. You can access the web application at the following URL:
http://3.24.26.64/websecrets.php
This web app lets executive board members of a ‘Web Secrets’ society access some secret executive
board information, and also lets regular registered society members access some personal private
information.
Visit the homepage for the web application at the URL above using your web browser. If all is well, the
browser should display a page that looks like this:
Tasks. Your task is to perform the following security tests on this web application. You should perform
these tests using the Firefox web browser installed in your Ubuntu64 lab VM, and the burpsuite tool
installed in this VM.
Part A: Executive Board Member Security Test
In this part, your aim is to do security testing of the secret executive board member information part of
the web application, from the point of view of an outsider (non-member) attacker trying to reveal the
secret executive board information. To help you with this, you are given the login credentials of one of
the registered executive board members (however, note that an outsider attacker will not know these
credentials):
Username: Cathy
Password: Se46b0024bTc;3
Location: Melbourne
After clicking the “View Executive Report” button with the above credentials entered, the browser should display a
greeting page for Cathy. Then, after entering the report details (Year: 2021, Month: May, Department:
Cybersecurity) into the greeting page and clicking the “View Executive Report” button, you should see
the following secret report:
● Task A.1 (1 mark) Based on the application behavior for Cathy’s given login and report details
above, list the potential input injection points on the home and greeting pages where a reflected XSS
vulnerability might exist, and explain your reason/s.
● Task A.2 (1.5 marks) Experiment with the home page login and the executive board member
greeting page, examining how these pages behave under different inputs. For each of the
potential points listed in Task A.1, perform tests to see whether a reflected XSS vulnerability exists at
that point that an outsider attacker could use against Cathy to steal executive board member
information. Explain your tests, your test results, and your interpretation/conclusions on why or
why not such reflected XSS vulnerabilities exist at each point and, if so, which ones you think could
be exploited.
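The canary-based probe below is an added example of the Task A.2 methodology; it is not code from the assignment's web app. It sends a random token followed by the characters `<>"'` through one parameter at a time and classifies how the response reflects them: verbatim (a reflected XSS candidate), entity-encoded or stripped (escaped), partially (for example a JavaScript string context that escapes quotes but lets `<` through), or not at all. The parameter names (username, password, location, department), the fake greeting page and its escaping behaviour are constructed assumptions so the script runs offline; `fetch` is a pluggable callable, so the same probe can be pointed at a real page with the parameters observed in Burp.

```python
"""Reflected-XSS injection-point probe (added example, constructed stand-in
for the target page; parameter names and escaping behaviour are assumptions)."""
import html
import secrets
from typing import Callable, Dict, Optional

# Characters whose verbatim reflection is what makes reflected XSS possible.
SPECIALS = "<>\"'"

# Entity spellings a server might use when it does escape them.
ENTITIES = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
}


def make_canary() -> str:
    """Random lowercase token so the reflection cannot be confused with page text."""
    return "cnry" + secrets.token_hex(4)


def survived_specials(body: str, token: str) -> Optional[str]:
    """For a response to the payload token+SPECIALS, return the specials that
    came back verbatim right after the token, '' if every one was escaped or
    stripped, or None if the token was not reflected at all."""
    start = body.find(token)
    if start == -1:
        return None
    lower = body.lower()
    pos = start + len(token)
    survived = ""
    for c in SPECIALS:
        if body.startswith(c, pos):          # reflected raw
            survived += c
            pos += 1
            continue
        for ent in ENTITIES[c]:              # reflected entity-encoded
            if lower.startswith(ent, pos):
                pos += len(ent)
                break
        # otherwise the character was stripped: consume nothing
    return survived


def classify(body: str, token: str) -> str:
    """'raw' (XSS candidate), 'escaped', 'partial:<chars>' or 'absent'."""
    s = survived_specials(body, token)
    if s is None:
        return "absent"
    if s == SPECIALS:
        return "raw"
    return "escaped" if s == "" else "partial:" + s


def probe(fetch: Callable[[Dict[str, str]], str],
          base_params: Dict[str, str]) -> Dict[str, str]:
    """Inject the canary into one parameter at a time, keeping the others at
    known-good values, and report how each parameter is reflected."""
    results = {}
    for name in base_params:
        token = make_canary()
        params = dict(base_params, **{name: token + SPECIALS})
        results[name] = classify(fetch(params), token)
    return results


# --- constructed stand-in for the greeting page (assumption, offline only) ---
def fake_greeting_page(params: Dict[str, str]) -> str:
    """Echoes username unescaped into HTML, HTML-escapes location, never shows
    the password, and puts department in a JS string escaping only quotes."""
    js_dept = params.get("department", "").replace("'", "\\'")
    return (f"<h1>Welcome {params['username']}</h1>"
            f"<p>Location: {html.escape(params['location'])}</p>"
            f"<script>var dept = '{js_dept}';</script>")


if __name__ == "__main__":
    base = {"username": "Cathy", "password": "x",
            "location": "Melbourne", "department": "Cybersecurity"}
    print(probe(fake_greeting_page, base))
```

A `raw` or `partial` result only marks a candidate: whether an outsider can exploit it against Cathy also depends on how the parameter is carried. A value reflected from the query string of a GET request can be delivered to her in a crafted link; a value that is only reflected from a POST body or from her own authenticated session needs a different delivery route, so record the request method and parameter location from Burp alongside the classification.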
Part B: Personal Private Information Security Test
In this part, your aim is to do security testing of the society members’ personal private information part
of the web app. For this, you are given the name and password of one of the society members, namely:
Member Name: Alice
Member password: Q235d95bh4,b
● Task B.1 (2.5 marks) Try logging in to the personal private information page (accessible via
the link at the bottom of the main page) as Alice, using her credentials above. Alice has two
private documents stored in her account, with IDs 1 and 2. Your goal in this task is to test the
application against attacks by Alice, who is curious to learn about another society member Bob’s
private information. Can Alice gain unauthorised access to Bob’s personal private data?
If so, explain the vulnerability you found and how Alice can exploit it, giving any private
member data of Bob you managed to expose. In any case, explain the tests you did and why, their
results, and your interpretation of them.
Hints: Experiment with the personal private information part of the web app to see how it
behaves with different inputs from Alice. Use the burpsuite tool (see week 11 lab) to help with
your experiments and try out potential attacks.
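The test Task B.1 describes is a check for an insecure direct object reference: does the server verify that the logged-in user owns the document whose ID is in the request, or only that some user is logged in? The block below is an added example of that check and of the probe that looks for its absence; it is not code from the assignment's app. The in-memory document store, its owners, the ID values and the `id` parameter are constructed assumptions. The probe takes a `fetch` callable, so in a live test it would be Alice's browser session or Burp Repeater replaying her request with the ID changed.

```python
"""IDOR probe and the server-side ownership check it hunts for (added example;
the document store, owners and ids below are constructed assumptions)."""
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Response = Tuple[int, Optional[str]]          # (HTTP status, body)

# --- constructed server side --------------------------------------------------
DOCS: Dict[int, Tuple[str, str]] = {          # id -> (owner, contents)
    1: ("alice", "alice document 1"),
    2: ("alice", "alice document 2"),
    3: ("bob", "bob document 1"),
}


def vulnerable_get(session_user: str, doc_id: int) -> Response:
    """Looks the document up by id alone: being logged in is the whole check,
    so any member can read any id they can guess."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc[1]


def fixed_get(session_user: str, doc_id: int) -> Response:
    """Same lookup, but the record's owner must match the authenticated user.
    Returning 404 rather than 403 avoids confirming that a foreign id exists."""
    doc = DOCS.get(doc_id)
    if doc is None or doc[0] != session_user:
        return 404, None
    return 200, doc[1]


# --- client-side probe --------------------------------------------------------
def idor_probe(fetch: Callable[[str, int], Response], session_user: str,
               own_ids: Set[int], candidate_ids: Iterable[int]) -> List[int]:
    """Request each candidate id with one user's session; an id that returns
    200 but is not among the ids that user legitimately owns is an IDOR hit."""
    hits = []
    for doc_id in candidate_ids:
        status, _ = fetch(session_user, doc_id)
        if status == 200 and doc_id not in own_ids:
            hits.append(doc_id)
    return hits


if __name__ == "__main__":
    alice_ids = {1, 2}
    print("vulnerable:", idor_probe(vulnerable_get, "alice", alice_ids, range(0, 10)))
    print("fixed:     ", idor_probe(fixed_get, "alice", alice_ids, range(0, 10)))
```

When running this against a real page, first confirm with Alice's own IDs 1 and 2 that the request you replay is the one that actually returns a document, then vary only the identifier. Record the full request and response for each ID in the report; a 200 with someone else's contents is the finding, and a 403 or 404 on foreign IDs is the evidence that the ownership check is present.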
Remark: You should assume the attacker will NOT have any network eavesdropping/modification
access (the web application under test currently runs over an unencrypted HTTP connection, but the
final production version will run over an encrypted HTTPS connection to protect against network
eavesdropping/modification).
Submission
Submit a report consisting of your answers to Tasks A.1, A.2 and B.1. You should include some screen
shots to illustrate your main results. The maximum page limit for the report is 7 pages including screenshots.
Upload the file in PDF format on Moodle by Friday 28 May 2021 11:59pm GMT.
Marking rubrics: The 5 marks allocated for this assignment will be distributed among the tasks as
indicated above. For each of those tasks, 30% of the marks will be based on the reasoning for testing
methods used, 30% on correctness of the vulnerability testing and/or exploitation technique, 30% on
correctness/interpretation of results, and the remaining 10% to the written answer editorial quality
(clarity, accuracy, style).