
Date: 2023-06-09 08:56

FIT2093 Introduction to Cybersecurity - 2023

Assignment 3: Web hacking Challenge

Purpose: Your goal is to do security testing of a mini web application to identify web application vulnerabilities in it, using the techniques covered in our Web and database security lectures. Then, the goal is to demonstrate how to exploit the vulnerabilities discovered to break the app’s security.

Your task: This assignment is an individual assessment. Apply your penetration testing techniques in assessing web application and SQL vulnerabilities.

Value: 10% of your total marks for the unit

Page / Time Limit: ONE individual video: presentation up to 10 minutes. Note: mark deductions will apply for presentations over the 10-minute limit.

Due Date: 9 June 2023, 11:55 pm Melbourne time

Submission: Individual video as an mp4 for Parts A-D via Moodle assignment submission; individual video slides as a ppt via Moodle assignment submission.

Assessment Criteria: Please see the assessment criteria as given in the sections below.

Late Penalties:
● 10% deduction per calendar day or part thereof for up to one week
● Submissions more than 7 calendar days after the due date will receive a mark of zero (0) and no assessment feedback will be provided.

Feedback: Feedback will be provided on student work via:
● general cohort performance
● specific student feedback ten working days post submission

Overview of the assignment

The assignment is worth 10% of your total unit mark.

In Part A of the assignment (weight: 2.5% of your unit mark), you will demonstrate your understanding of XSS security vulnerabilities by testing the web application for such vulnerabilities and assessing whether any vulnerabilities you find can potentially be exploited by an attacker.

In Part B of the assignment (weight: 2% of your unit mark), you will demonstrate your understanding of client-side penetration testing techniques to attempt to bypass the web application’s mechanism for restricting access to private documents to authorised users.

Part C of the assignment (weight: 2.5% of your unit mark) requires you to demonstrate your skills in testing for SQL injection vulnerabilities in a part of the web application that makes queries to an SQL database, and to exploit any vulnerabilities you discover to gain unauthorised access to the database.

Part D of the assignment (weight: 2% of your unit mark) requires you to explain the relation of Parts A-C to individual privacy and ethics.

You will prepare and submit an individual 10-minute video presenting your tests, results and explanations for Tasks A-D. Your video presentation slides (in PowerPoint format) should also be submitted.

The clarity of your video and slides presentation will count towards 1% of your total mark for the assignment. Please ensure your voice during the video presentation is clearly audible.

Assessment Details

Task / Rubric

Part A (2.5%)
■ Task A.1 (1.0%): list of potential XSS vulnerability points (0.6%) and explanation of reasons (0.4%)
■ Task A.2 (1.5%): testing techniques (0.3%), test results (0.6%) and explanation for each result (0.3%), vulnerability (0.15%) and mitigation (0.15%)

Part B (2%)
■ Task B.1 (2%): testing technique(s) (0.5%) and interpretation (0.5%), exploit/vulnerabilities’ explanation (1%)

Part C (2.5%)
■ Task C.1 (2%): list of users testing, results and interpretation (0.5%); table and fields testing, results and interpretation (1.5%)
■ Task C.2 (0.5%): modifying a non-phone-no. field testing, results and interpretation (0.5%)

Part D (2%)
■ Privacy implications discussion (1%)
■ Ethics implications discussion (1%)

Presentation (1%)
■ Clarity of presentation

Assignment Details

You can download the Asg3 VM .ova file from the link on the Moodle Assessments page (for Windows or Mac devices with Intel CPUs) or the Asg3 VM Zip file (for Mac devices with M1/M2 CPUs; follow the “Asg3 VM Install Instructions - Mac M1/M2 Devices” to install the VM).

Once you run the VM, log in with the following credentials:

VM login name: student
VM password: student

Your task is to perform the following security tests on this web application. You should perform these tests using the Firefox browser or the Burp Suite built-in web browser installed in your Ubuntu lab VM, and the Burp Suite tool installed in this VM.

Visit the homepage for the web application at the URL http://attackme.com/index.php using your web browser. If all is well, the browser should display a page that looks as in Fig. 1. (Note: you can also use the URL http://localhost/index.php.)

Fig. 1. Login page.

Part A: Member’s Welcome Page Security Test (2.5 marks)

This web app allows members of Society AttackMe to access their personal documents.

In this part, your aim is to do security testing of the committee member part of the web application, from the point of view of an outsider (non-member) attacker trying to reveal the secret committee information. To help you with this, you are given the login credentials of one of the registered committee members (however, note that an outsider attacker will not know these credentials):

Username: Alice
Password: alice
City: Sydney

After clicking the “submit” button with the above credentials, the browser should display a welcome page, as shown in Fig. 2.

Fig. 2. Welcome page.

Then, after entering the report date (Date: 2 May 2022) into the date field and clicking the “submit” button, you should see the secret report of observation as shown in Fig. 3.

Fig. 3. Secret report of observation.

Complete the following tasks:

● Task A.1 (1 mark) Based on the application behavior for the given login and welcome pages above:
  o List potential points on the home and greeting pages where a reflected XSS input injection vulnerability might exist.
  o Explain your reason(s) why they are the potential XSS vulnerability points.

● Task A.2 (1.5 marks) Experiment with the home page login and welcome member pages, and examine the behavior of these pages to different inputs. In particular:
  o For each of the potential XSS vulnerability points listed in Task A.1, perform tests to see if XSS vulnerabilities actually exist at these points.
  o Explain
    your tests,
    your test results,
    your interpretation/conclusions on why or why not such XSS vulnerabilities exist at each point, and
    for the points where XSS vulnerabilities exist, whether you think those vulnerabilities can be exploited by an outsider attacker to steal secret information (note: you don’t need to actually carry out an exploit) and how to mitigate them.

Part B: Personal Information Security Test

In this part, your aim is to do security testing of the organization members’ personal information part of the web app. For this, you are given one of the organization members’ name and password, namely:

Member Name: Bob
Member ID Number: 1
Member password: Ro4mvSemq45xfepvaEr24

Use Bob’s member ID number and member password to log in to the Personal Private Information login page shown in Fig. 4.

Fig. 4. Personal Private Information login page.

Complete the following tasks:

Task B.1 (2 marks)

Bob has two private documents stored in his account with document IDs 1 and 2. Your goal in this task is to test the application against attacks by Bob (Member ID: 1), who is curious to learn about another member Charlie’s (Member ID: 2) private information.

  o Can Bob gain unauthorised access to Charlie’s personal private data?
    If you think it is possible, explain the vulnerability you found and how Bob can exploit it, and show any private data of Charlie you managed to expose by the attack.
    If you think it is not possible, explain why.
    In any case, explain the tests you did, the results, and your interpretation of them.

Hints: experiment with the personal private information part of the web app to see how it behaves with different inputs from Bob. Use the Burp Suite tool (see week 10 lab) to help with your experiments and try out potential attacks.

Part C: Attack on the database (2.5 marks)

In this part, your aim is to test for potential database SQL injection vulnerabilities in the committee’s personal profile page. To do so, click the “here” link at the bottom of the “Welcome” page (see Fig. 5) after logging in as the user Alice as explained in Task A.

Fig. 5. Member welcome page with link to personal profile at bottom.

Alice’s personal profile search page should appear as in Fig. 6.

Fig. 6. Member personal profile search page.

When you type a username into the textbox under “Please enter a username:” on the search page, the personal details of that member user (title, salary and phone no.) will be shown on the website.

For example, if you submit the form with username = “Alice”, the information will be as shown in Fig. 7.

Fig. 7. Search results for username “Alice”.

Complete the following tasks:

Task C.1 (2 marks)

In this task, you should test for SQL injection vulnerabilities via the user input to the query to achieve the following tasks. You should include your injection inputs and the screen captures of results in your presentation.

a) Attempt to list all the users in the database table containing user information. (0.5 marks)
b) Attempt to determine the name of the database table containing the user information and the corresponding fields (columns) in that table. (1.5 marks)

Task C.2 (0.5 marks)

In the bottom half of the member personal profile search page (see Fig. 6), user Alice can update her phone no. by entering a new phone no. Your task is to:

a) Attempt to make use of the fields found in Task C.1 to test for and exploit an SQL injection vulnerability in the phone update textbox to update some information other than the phone no.
b) Include your SQL injection statement and screen captures before and after the changes (obtained using a member profile search page query), and explain your interpretation of the test results.

Part D: Privacy and Ethics (2 marks)

Complete the following tasks:

○ Privacy: discuss how the above vulnerabilities and/or attacks affect individual privacy, or give your reasons why privacy is not an issue.
○ Ethics: discuss how each of Parts A to C relates to ethical issues, or give reasons why ethics is not relevant.

Submission

You must submit, via the link on the Moodle Assessments page:

● an individual 10-min video, and
● the video presentation slides (in PowerPoint format) used in your video presentation.

Your video presentation should present your answers to the tasks completed in Parts A-D above, including your test results, relevant screen captures/demonstrations and exploits.

The clarity of your video and slides presentation will count towards 1% of your total mark for the assignment. Please ensure your voice during the video presentation is clearly audible.

Appendices

WARNING (Academic integrity): It is an academic requirement that your submitted work be original. Zero marks will be awarded for the whole submission if there is any evidence of plagiarism or contract cheating (i.e. paying another person to complete the assessment task). It is fine to use code or other material from various sources in your report. However, any material that you obtain from some source (e.g. website, book, paper, article) must be cited in the appropriate place in your report and listed in the references section of your report. Please also note that students must work on this assignment individually, and significant similarities between assignments will be investigated for evidence of plagiarism.

REMARK (Guidelines on Use of AI tools in the Assignment): ChatGPT or other AI tools may be used for study purposes, to learn about your tasks, and to develop your assignment. However, similar to the citation requirements for other references (see the “Academic Integrity” statement above), you must include a clear declaration of all generative AI tools used (e.g. ChatGPT, DALL-E, Grammarly, voice-to-text), and how and where you have used them. In particular, you should be aware that the output of AI tools may not be factually correct, and you should therefore critically evaluate the output generated by such tools for claim accuracy and appropriateness to the tasks, using reliable sources, before incorporating such output in your assignment (e.g. an example declaration may be: ‘ChatGPT was used to generate an initial structure, then I edited this to correct factual inaccuracies and add citations to support claims’).

Where to get help

What can you get help for?

English language skills
If you don’t feel confident with your English:
● Talk to English Connect: https://www.monash.edu/english-connect

Study skills
If you feel like you just don’t have enough time to do everything you need to, maybe you just need a new approach:
● Talk to an academic skills advisor: https://www.monash.edu/learnhq/consultations

Things are just really scary right now
Everyone needs to talk to someone at some point in their life; no judgement here.
● Talk to a counsellor: https://www.monash.edu/health/counselling/appointments (friendly, approachable, confidential, free)

Things in the unit don’t make sense
Even if you’re not quite sure what to ask about, and even if you’re not sure you won’t be alone, it’s always better to ask.
● Ask in the forums or email your tutor:
  Teaching team: https://lms.monash.edu/course/view.php?id=155649&section=1
  Consultation: https://lms.monash.edu/mod/resource/view.php?id=11630825

I don’t know what I need
Everyone at Monash University is here to help you. If things are tough now, they won’t magically get better by themselves. Even if you don’t exactly know, come and talk with us and we’ll figure it out. We can either help you ourselves or at least point you in the right direction.

Change log

All changes to the assignment will be listed here with the time of the change (in Melbourne time):

