For the retake exam, you have the possibility to improve the homework you did for the summer term. The subject is the same: you must protect the server for the "Marks" of a university. You should use the credentials I gave you during the course (i.e. during the summer semester). If you lost the credentials, contact me by e-mail and I will send you new ones.
Principles
The goal of this exercise is to protect, as far as possible, a web site used for entering marks for the examination office. You will have to install the software on a real web server.
This homework has to be done in groups of two students. If the class is composed of an odd number of students, one will work alone.
You will first download the application and its corresponding database. You receive the credentials for installing the software on an on-line host. You install the software on-line on the real server. Be careful: this server is really on-line, and the protection needs to be real; otherwise it may compromise my entire system.
The "University Marks Manager" application
You will download the source code for a web site. The web site is used for managing the marks of one department of a university.
The web site offers the following features.
Login of a user (student / professor / secretary)
A student can do:
View his/her marks in the current courses
Send a message to the students of a course
Read his/her messages
Delete messages
A professor can do:
See the lists of all the students he/she coaches (each student has a coach).
Read the marks of each of those students
Send a message to one student
See the list of all the courses he/she teaches
Give the marks of one course
Send a message to all the students in a course
Read his/her messages
Delete messages
A secretary can do the same, but for all the students and all the courses.
The web site suffers from at least the following vulnerabilities:
SQL injection
XSS
CSRF
Viewing messages one is not allowed to read
Sending a message as if it came from someone else (without using stolen passwords)
... (the security isn't very high)
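Each of the vulnerability classes listed above, shown as a deliberately vulnerable function next to its corrected form. This is an added example and not code from the assignment or from the "University Marks Manager" application; the SQLite schema, the sample users and messages, and all function names (login_vulnerable, read_message_safe, verify_csrf, ...) are assumptions made for the demonstration.

```python
"""Added example, not code from the assignment or from the 'University Marks
Manager' application: each listed vulnerability class as a deliberately
vulnerable function next to its corrected form, on a constructed SQLite
schema. All table, column and function names here are assumptions."""
import hashlib
import hmac
import html
import secrets
import sqlite3

SALT = b"constructed-demo-salt"  # a real deployment uses a random per-user salt


def pw_hash(password):
    """Slow salted hash; never store or compare passwords in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def make_db():
    """Constructed sample data: alice (1) is a student, bob (2) a professor,
    carol (3) another student; bob has sent alice one private message."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT, role TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, sender_id INTEGER,
                              recipient_id INTEGER, body TEXT);""")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", pw_hash("alice-pw"), "student"),
        (2, "bob", pw_hash("bob-pw"), "professor"),
        (3, "carol", pw_hash("carol-pw"), "student")])
    db.execute("INSERT INTO messages VALUES (1, 2, 1, 'hello alice')")
    return db


# 1. SQL injection: a string-built query versus a parameterised one.
def login_vulnerable(db, login, password):
    q = (f"SELECT id, role FROM users WHERE login = '{login}' "
         f"AND pw_hash = '{pw_hash(password)}'")  # the client controls the SQL text
    return db.execute(q).fetchone()


def login_safe(db, login, password):
    q = "SELECT id, role FROM users WHERE login = ? AND pw_hash = ?"
    return db.execute(q, (login, pw_hash(password))).fetchone()  # values are never parsed as SQL


# 2. Viewing messages without authorisation: the lookup must be bound to the
#    logged-in user, not only to the message id taken from the URL.
def read_message_vulnerable(db, message_id):
    row = db.execute("SELECT body FROM messages WHERE id = ?", (message_id,)).fetchone()
    return row[0] if row else None


def read_message_safe(db, session_user_id, message_id):
    row = db.execute(
        "SELECT body FROM messages WHERE id = ? AND (recipient_id = ? OR sender_id = ?)",
        (message_id, session_user_id, session_user_id)).fetchone()
    return row[0] if row else None


# 3. Sending a message as someone else: the sender must come from the
#    server-side session, never from a form field the client can edit.
def send_message_vulnerable(db, form):
    db.execute("INSERT INTO messages(sender_id, recipient_id, body) VALUES (?, ?, ?)",
               (int(form["from"]), int(form["to"]), form["body"]))
    return int(form["from"])  # whatever the client claimed is stored as the sender


def send_message_safe(db, session_user_id, recipient_id, body):
    db.execute("INSERT INTO messages(sender_id, recipient_id, body) VALUES (?, ?, ?)",
               (session_user_id, recipient_id, body))
    return session_user_id


# 4. XSS: escape on output, at the point where data is placed into HTML.
def render_message(body):
    return html.escape(body, quote=True)


# 5. CSRF: a per-session random token that every state-changing form must echo.
def issue_csrf_token(session):
    session["csrf"] = secrets.token_hex(32)
    return session["csrf"]


def verify_csrf(session, submitted):
    expected = session.get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())  # constant-time compare
```

The injection case uses a login field ending in a SQL comment marker, which cuts the password check out of the string-built query; the parameterised version treats the same input as an ordinary login name and finds nothing. The other pairs follow the same pattern the course recommendations describe: identity and authorisation decided server-side from the session, escaping at output time, and a secret token that a cross-site form cannot know.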
You will use all the recommendations we have seen in the course to protect the web site.
You will receive the credentials during the course. If you were not present during the course, form a group of two students and ask for an account (by e-mail).
You receive credentials to install your version of this software on a live server. You have to configure your installation, such that it is working and is nevertheless protected against attacks.
You will receive the credentials for your web site on paper. Each group receives its own access. For your FTP connection, you can use the following clients:
Filezilla (for Windows)
Core FTP (for Windows)
Cyberduck (for Mac)
The server we use does not support secure FTP (SFTP), so you have to select plain FTP (instead of SFTP) and port 21 (instead of port 22). Plain FTP sends your credentials unencrypted, so do not reuse these credentials anywhere else.
Report
You will have to write a small report.
You write a document presenting all the modifications you made in the code. The report should be short (around 5 pages) and present each vulnerability very succinctly, together with its solution. You can also mention vulnerabilities that you discovered but could not solve; in that case, describe the solution you should have implemented.
This is a real report, so it should be written in English and contain an introduction and a conclusion.
Schedule
Deadline: 26th of March 2013. You send me your report as a PDF file and a link to your web site.
The report can be written in English, German (or French ;-)).
This work should be done in groups of two students. If the class contains an odd number of students, one student will work alone.
Attention!
The server for our tests is a public server. You are not allowed to attack anything other than the server you protect. This means it is strictly forbidden to interfere with the accounts of other users or with the web sites that other groups have to protect! A team that breaks these ethical rules will receive an insufficient mark (even if they are very good hackers). Security testing requires a great sense of ethics!
Copyright Emmanuel Benoist 2008-2013