[ Home ] [ Slides ] [ Examples ] [ Exercises ] [ Resources ]

Homework for the retake exam: Protect a web site

For the retake exam, you have the possibility to improve the homework you did for the summer term. So the subject is the same, you must protect the server for the "Marks" of a university.
You should use the credentials I gave you durring the course (i.e. durring the summer semester). If you lost the credentials, contact me per email, I will send you some new ones.


The goal of this exercise is to protect as much as possible a web site for entering the marks for the examination office. You will have to install the software on a real web server.
This homework has to been done in groups of two students. If the class is composed of an odd number of students, one will work alone.
You will first download the application and its corresponding database. You receive the credentials for installing the software on a host on-line. You install the software on-line on the real server. Be carefull, this server is realy on-line and the protection need to be real otherwize it may compromize my entire system.

The "University Marks Manager" application

You will download the source code for a web site. The web site is used for managing the marks of one department of a university.
The web site offers the following features. A student can do: A professor can do: A secretary can do the same, but for all the students and all the courses.
The web site suffers at least the following vulnerabilities: You will use all the recommendations we have seen in the course to protect the web site.


Source for the project: You will receive the credentials during the course. If you were not present during the course, form a group of two students and ask for an account (per mail).
You receive credentials to install your version of this software on a live server. You have to configure your installation, such that it is working and is nevertheless protected against attacks. You will receive the credentials for your web site on a paper. Each group receives its own access. For your ftp connexion, you can use the following clients:
The server we use does not support secure ftp, so you have to select ftp (instead of sftp) and port 21 (instead of port 22).


You will have to write a small report.


The report can be written in English, German (or French ;-)). This work should be done in groups of two students. If the class contains an odd number of students, one student will work alone.


The server for our tests is a public server. You are also not allowed to attack something else than the server you protect. This means, it is strictly forbidden to interfere with the accounts of other users, or with the web sites that other groups have to protect! The team that will break these ethical rules will receive an insufficient mark (even if they are very good hackers). Security testing requires a great sens of ethic!
Copyright Emmanuel Benoist 2008-2013