FIT3173 (Linux) assignment writing service - Assignment 2
Date: 2023-05-03
FIT3173 Software Security Assignment 2 (S1 2023)
Total Marks 50
Due on May 12, 2023, Friday, 11:55 pm
1 Overview
The learning objective of this assignment is for you to gain first-hand experience of how to exploit SQL
injection and cross-site scripting vulnerabilities, as discussed in this module. All tasks in this assignment can
be done on “SeedVM” as used in the labs. Please refer to Section 2 for submission notes.
2 Submission
You need to submit a lab report (one single PDF file) describing what you have done and what you have
observed, with screenshots whenever necessary; you also need to provide explanations or code for the
observations that are interesting or surprising. In your report, you need to answer all the questions listed in this
manual. Please answer each question using at most 200 words. Typeset your report into .pdf format (make
sure it can be opened with Adobe Reader) and name it in the format [Your Name]-[Student ID]-FIT3173-Assignment,
e.g., HarryPotter-12345678-FIT3173-Assignment.pdf.
All source code, if required, should be embedded in your report. In addition, if a demonstration video
is required, you should record your screen demonstration with your voice explanation and upload the video
to your Monash Google Drive or any online service which allows you to share videos. The shared URL
of the video should be mentioned in your report wherever required. You can use this free tool to make the
video: https://monash-panopto.aarnet.edu.au/; other tools are also fine. Then, please upload the PDF file to
Moodle. Note: the assignment is due on May 12, 2023, Friday, 11:55 pm.
Late submission penalty: 10 percent deduction per day (5 Marks). If you require a special
consideration, the application should be submitted, and the teaching team notified, at least three days in advance. Special
Considerations are handled and approved by the faculty and not by the teaching team (unless the special
consideration is for a short extension of one or two days).
Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for
the unit. University policies can be found at https://www.monash.edu/students/academic/policies/academic-integrity
3 SQL Injection Attack – Using SQLi Lab [25 Marks]
In this part, we modify a web application called SQLi Lab, which is designed to be vulnerable to the
SQL injection attack. Although the vulnerabilities are artificially created, they capture the common
mistakes made by many web developers. Your goal in this part is to find ways to exploit the SQL injection
vulnerabilities, demonstrate the damage that can be achieved by the attacks, and master the techniques that
can mitigate such attacks.
The database of SQLi Lab, named Users, can be inspected and manipulated by logging in to the MySQL
console with the following commands:
mysql -u root -pseedubuntu
show databases;
use Users;
describe credential;
3.1 Warm Up: Countermeasure for SQL Injection Attacks
In the lab session, you have already conducted SQL injection attacks with SELECT and UPDATE statements.
In this warm-up part, we are going to use prepared statements to tackle the above attacks. We will use
UPDATE statements as the example.
Setup Remark: You need to set the read/write permission for the seed user on the current website directory
before doing this task by following the below commands on your terminal. Note that the . is important to
indicate the path to the current directory.
$ cd /var/www/SQLInjection/
$ sudo chmod -R 777 .
In this task, you need to use prepared statements as a countermeasure against SQL injection
attacks. Here is an example of how to write a prepared statement based on the SELECT statement in Task 1.
$sql = "SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email, nickname, Password
FROM credential
WHERE name='$input_uname' and Password='$hashed_pwd'";
You can use the prepared statement to rewrite the above code that is vulnerable to SQL injection attacks:
$stmt = $conn->prepare("SELECT id, name, eid, salary, birth, ssn,
phoneNumber, address, email,nickname,Password
FROM credential
WHERE name= ? and Password= ?");
$stmt->bind_param("ss", $input_uname, $hashed_pwd);
$stmt->execute();
$stmt->bind_result($id, $name, $eid, $salary, $birth, $ssn,
$phoneNumber, $address, $email, $nickname, $pwd);
$stmt->fetch();
$stmt->close();
Practice Task: Follow the above steps to fix the SQL injection vulnerability in the UPDATE statement
on the Edit Profile page. Then, check whether you can still exploit the vulnerability or not.
Hint: the UPDATE statement is located in unsafe_edit_backend.php.
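As an added illustration of the same countermeasure applied to an UPDATE (this is not the lab's own unsafe_edit_backend.php; the set of editable columns, the form field names and the session variable holding the user's ID are assumptions), the Edit Profile update rewritten with a mysqli prepared statement:

```php
<?php
// Added example, not the lab's code. Column names follow the credential table
// described above; which columns Edit Profile updates, the $_POST field names
// and $_SESSION['id'] are assumptions.
session_start();
$conn = new mysqli('localhost', 'root', 'seedubuntu', 'Users');
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}

// Values come straight from the submitted form. No escaping is needed,
// because they never become part of the SQL text.
$input_nickname = $_POST['nickname'] ?? '';
$input_email    = $_POST['email'] ?? '';
$input_address  = $_POST['address'] ?? '';
$input_phone    = $_POST['phonenumber'] ?? '';
$id             = (int) ($_SESSION['id'] ?? 0);   // assumed: set at login

// Vulnerable form, shown for comparison only (kept as a comment): the input is
// concatenated into the statement, so a quote inside $input_nickname closes the
// string literal and whatever follows is parsed as SQL.
// $sql = "UPDATE credential SET nickname='$input_nickname', ... WHERE ID=$id";

// Prepared statement: the SQL text is fixed and sent to MySQL first; the values
// are bound afterwards and are treated purely as data, never as SQL.
$stmt = $conn->prepare("UPDATE credential
                        SET nickname=?, email=?, address=?, phoneNumber=?
                        WHERE ID=?");
if ($stmt === false) {
    die('Prepare failed: ' . $conn->error);
}
// Type string: one character per placeholder, s = string, i = integer.
$stmt->bind_param("ssssi", $input_nickname, $input_email,
                  $input_address, $input_phone, $id);
$stmt->execute();

// affected_rows should be 1: the WHERE clause matched exactly one user.
printf("Rows updated: %d\n", $stmt->affected_rows);
$stmt->close();
$conn->close();
```

After applying this, re-running the injection attempt from the lab should change only the logged-in user's own row, since the bound values can no longer alter the WHERE clause.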
3.2 Task 1: SQL Injection via Stacked Queries [Max 25 Marks]
In this task, you need to perform SQL injection attacks to achieve different adversarial goals.
We have extended SQLi Lab to assist you in completing this task. You need to download all PHP source
files of unsafe_home.php, unsafe_edit_frontend.php, unsafe_task_load.php, unsafe_view_order.php,
and unsafe_tasks_view.php from Moodle and place them in the website’s directory. For
instance, you can follow the commands below to copy the file unsafe_home.php located in /home/seed/Documents
to that website’s directory.
$ su root
Password: (enter root password "seedubuntu")
# cp /home/seed/Documents/unsafe_home.php /var/www/SQLInjection/
We also upgraded the database of SQLi Lab to enrich the website’s features. That is, a user can
add tasks, set a task sort preference, and view all of his/her declared tasks. Note that you need to download a
database script file, script.sql, from Moodle and execute it in the MySQL console before you can use
these new features. For instance, you can follow the commands below to execute that script when it is stored
in /home/seed/Documents. The execution will update your database schema and insert new data as
follows:
mysql -u root -pseedubuntu
show databases;
use Users;
source /home/seed/Documents/script.sql
• Table tasks(TaskID,Name,Hours,Amount,Description,Owner,Type) stores the tasks
of users, in which tasks(Owner) is a foreign key referring to credential(ID). Hence, only
existing users in the table credential can create new tasks.
You can use the command describe tasks; to find out more about this table schema.
• Table preference(PreferenceID,favourite,Owner) records the task sort preference of
users, in which preference(Owner) is a foreign key referring to credential(ID). Existing
users can select one of the task fields as their sorting preference. For instance, the following figure
demonstrates how Alice can set her preference as Hours increasing. You can use the command
describe preference; to find out more about this table schema.
• Function userIdMaxTasks() returns the ID of a user who has the maximum number of tasks in
your database. In MySQL console, you can use the command select userIdMaxTasks(); to
retrieve that result.
• Function generateRandomUser() adds a new random user (with a random Name and Password)
to the table credential. In the MySQL console, you can use the command select generateRandomUser();
to perform this addition.
• Function getNewestUserId() returns the ID of a newly created user in the table credential.
• Stored procedure copyTasksToUser(in userID int(6) UNSIGNED) copies all tasks of
other users to the user having that userID. You need to make sure the user with that userID exists
in the table credential before using this stored procedure. For instance, in the MySQL console,
you can use the command call copyTasksToUser(6); to copy all tasks of other users to an
existing user with userID=6.
Q1: In a normal scenario, a user can add a new task multiple times and update his/her view preference
with sorting by asc or desc. However, the website is vulnerable to the SQL injection attack when
the user views all tasks. You can choose one of the following options to complete this task, but only
option 2 will allow you to obtain the full marks for this question. Note that you will get 0 marks if
you complete the task without performing SQL injection via the web application (i.e., by manipulating
the database manually in the MySQL console).
Option 1 (10 marks): You need to perform the attack to display all the tasks of the user who has the
maximum number of tasks when you view your tasks. Provide your video demonstration evidence to
support and verify that you have performed the attack and it worked successfully. Also, briefly explain
how to achieve the attack goal with your solution. [Marking scheme: In your recording, 5 marks are
given if the attack runs successfully; 10 marks are only given if you have a solid demonstration and
explanation of how you inject queries and how the attack works in your case.] You need to embed your
video link in your report so that the teaching team can view and verify your work.
If you achieve the adversarial goal successfully, you will obtain the result like the following figure. Note
that, the second table in the figure displays the tasks of that victim.
Option 2 (15 marks): Two tasks:
1. Perform a sequence of the SQL injection attacks in order to transfer all the tasks of users to a new
malicious user that you created. Note that creating that malicious user also has to be done by using
the SQL injection attack. [10 Marks]
If you achieve the adversarial goal successfully, you will obtain a result like the following figure.
Note that the second table in the figure displays the malicious user who has the maximum number of
tasks. The first table is blank because no task remains for the user Ted.
2. Find out the username of the malicious user, that you have created in the first step, and change its
password to your student ID. Show a successful login to the application. [5 Marks]
Provide your video demonstration evidence to support and verify that you have performed the attacks
and they worked successfully. Also, briefly explain how to achieve the attack goal with your solution. You
need to embed your video link in your report so that the teaching team can view and verify your work.
Q2 (5 marks): This question is independent of your selected option in Q1. In this question, you need
to perform a SQL injection attack on SQLi Lab that attacks the performance of your MySQL server.
[Marking scheme: In your recording, 3 marks are given if the attack runs successfully;
5 marks are only given if you have a solid demonstration and explanation of how the attack
works in your case.] You need to embed your video link in your report so that the teaching team can
view and verify your work.
Hint: you can delay the query execution or shut down your MySQL server when a user views his/her
declared tasks.
Q3 (5 marks): Can the prepared statements, used in the warm-up task, mitigate a second-order SQL
injection attack? Why or why not? You do not need to change the PHP source files for this question;
only a theoretical explanation is required. [Marking scheme: 5 marks for a solid explanation
of why prepared statements can/cannot be used to mitigate second-order attacks.]
4 Cross-Site Scripting (XSS) Attack – Using Elgg [25 Marks]
To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application
named Elgg in our pre-built Ubuntu VM image. Elgg is a very popular open-source web application for
social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To
demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation,
intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any
arbitrary message, including JavaScript programs, to the user profiles. You need to exploit this vulnerability
by posting some malicious messages to their profiles; users who view these profiles will become victims.
4.1 Task 1: Modifying the Victim’s Profile [10 Marks]
The objective of this task is to modify the victim’s profile when the victim visits Samy’s page. We will write
an XSS worm to complete the task.
1. Send a message from the victim’s profile to Samy with the victim’s browser cookie.
2. Add Samy as a friend in the victim’s profile.
We need to write a malicious JavaScript program that forges HTTP requests directly from the victim’s
browser, without the intervention of the attacker. To modify the profile, we should first find out how a legitimate
user edits or modifies his/her profile in Elgg. More specifically, we need to figure out how the HTTP
POST/GET request is constructed to modify a user’s profile. We will use Firefox’s HTTP inspection tool.
Once we understand what the modify-profile HTTP POST/GET request looks like, we can write a JavaScript
program to send out the same HTTP request. We provide a skeleton JavaScript code that aids in completing
the task.
The provided code should be placed in the “About Me” field of Samy’s profile page. This field provides
two editing modes: Editor mode (default) and Text mode. The Editor mode adds extra HTML code to the
text typed into the field, while the Text mode does not. Since we do not want any extra code added to our
attacking code, the Text mode should be enabled before entering the above JavaScript code. This can be
done by clicking on “Edit HTML”, which can be found at the top right of the “About Me” text field.
Q1 (10 marks): Accomplish the above attack, and provide your screenshots in your report and the
corresponding explanation to support and verify that you have performed the attack and it worked
successfully. [Marking scheme: 2 marks for the screenshots in the report, and 8 marks for the
explanation and solutions in the report]
Hint: You may use an HTTP inspection tool to see what the HTTP request looks like.
4.2 Task 2: Writing a Self-Propagating XSS Worm [15 Marks]
In this task, you need to create an advanced XSS worm that can propagate itself. Namely, whenever some
people view an infected profile, not only will their profiles be modified, the worm will also be propagated to
their profiles, further affecting others who view these newly infected profiles.
The malicious code uses DOM APIs to retrieve a copy of itself from the web page, and sends HTTP
POST/GET requests to modify other users’ profiles. You should try to embed this code into the malicious
user’s (i.e., Samy’s) profile in order to accomplish the above attack.
Q2 (15 Marks): You need to fill the “About Me” field in Samy’s profile with the malicious code (see
the figure below), and use Alice’s account to access Samy’s page to see what happens. Then, try
to use Boby’s account to access Alice’s page. Provide a video to demonstrate your observation
with sufficient explanations. You need to upload your demo video to your Monash Google Drive
and embed its shared link in your report so that the teaching team can view and verify your work.
[Marking scheme: In your recording, 5 marks are given if the attack runs successfully; 10
marks are only given if you have a solid demonstration and explanation of how the attack
works]
Note: A partially filled code is provided for this task.
Acknowledgement
This assignment is based on the SEED project (Developing Instructional Laboratories for Computer
SEcurity EDucation) at the website http://www.cis.syr.edu/~wedu/seed/index.html.