My name is Prasannaa Martha Thuraisingham. Student ID: 215205921
SIT382 System Security Assignment 2, Trimester 2/2016
Objectives:
- To apply skills and knowledge acquired throughout the semester in exploiting web application security loopholes and the techniques to fix such loopholes.
- To demonstrate the ability to use WebGoat and other attack tools (available in BackTrack) to test security exploits on web applications and the victim OS.
- To gain experience in understanding a given set of specifications (this document).
- To gain experience in documenting every application exploit that was tested.
Due Date: 5pm, Friday, September 30, 2016.
Delays caused by computer downtime cannot be accepted as a valid reason for late submission without penalty. Students must plan their work to allow for both scheduled and unscheduled downtime.
Submission Details:
You must submit an electronic copy of your entire assignment solution either in Portable Document Format (.pdf) or Microsoft Word (.doc/.docx) via CloudDeakin. You can also submit your work as a compressed file (.zip/.zipx/.rar).
It is the student's responsibility to ensure that they understand the submission instructions. If you have ANY difficulties ask the Tutor for assistance (prior to the submission date).
Copying and Plagiarism:
This is an individual assignment. You are not permitted to work as a part of a group when writing this assignment.
Plagiarism is the use of other people's words, ideas, research findings or information without acknowledgement, that is, without indicating the source. Plagiarism is regarded as a very serious offence in Western academic institutions and Deakin University has procedures and penalties to deal with instances of plagiarism.
In order not to plagiarise, all material from all sources must be correctly referenced. It is necessary to reference direct quotes, paraphrases and summaries of sources, statistics, diagrams, images, experiment results and laboratory data – anything taken from sources.
When plagiarism is detected, penalties are strictly imposed. The University's policy on plagiarism can be viewed online at http://www.deakin.edu.au/students/study-support/referencing/plagiarism.
Problem Statement
You are required to perform the security exploits specified in this document using the WebGoat J2EE web application package as well as the BackTrack GNU/Linux distribution. You can download WebGoat and any appropriate tools from the SIT382 CloudDeakin course website to complete this assignment. The link to download BackTrack is http://www.backtrack-linux.org/downloads/. You can also use other non-commercial (free and open-source) tools (e.g. Wireshark) to help you complete this assignment. You are not to use any commercial security-related or hacking products for this assignment.
There are two parts to this assignment. Part A will require you to use more than one exploit to attack a web application and different techniques to defend against such attacks, while part B is to test your understanding of a particular exploit and how to counter that exploit.
You are required to answer the questions by implementing the solutions. These implementations need to be documented in detail. The document must have step-by-step details of what you did to solve the question, including any script code used to answer the requirements. The length of the document should be approximately 2500 words (excluding the references). You are also required to provide images (screen dumps) to show the key steps leading to your solution. These images can be taken using print-screen or any other screen capture method. They must be embedded in the document with appropriate labelling and descriptions.
The document format is flexible, but it must be neatly organised. You should clearly indicate what part and question you are attempting to complete. You should also clearly indicate the stage your solution is used for.
This document will be graded for your assignment marks. This assignment will be 30% of your final mark. You are required to submit this document using CloudDeakin in either MS Word format (.doc and .docx) or Portable Document Format (.pdf) or compression formats (.zip, .rar, etc.). These files must not be password protected.
NOTE: Failure to meet any of these requirements will result in loss of marks. Omission of script code or images showing the key steps leading to the completion of the given tasks will result in severe loss of marks.
Part A (50%)
Part A provides 50% of the assignment marks. This question is compulsory. You are required to complete the WebGoat Challenge question. The tasks to be completed are provided in WebGoat. You need to click on the Challenge menu item and complete the THREE (3) stages in this challenge. This part of the assignment requires you to know different application penetration testing techniques to complete successfully. It is highly recommended that you reinstall WebGoat before you begin to test the challenge.
An important note to remember is that you are attacking the WebGoat web server from a client (web browser). This means that the attacker does not have any write access to the server, so you will not be able to modify the Java source files to complete the Challenge questions. Any modification of the WebGoat source code to complete the Challenge questions will result in loss of marks.
In part A, you are required to include the following:
- A description of the scenarios in each stage, comparing them to real-world cases.
- A theoretical description of the possible attack methods. You may list the possible methods that you could use to test the problems posed by the question of each stage.
- A brief explanation of the method used (a couple of paragraphs), followed by details of how you used that method to test the problem. What were the results of the methods you actually used to test the problems posed by the question of each stage? (Analyse both successful and unsuccessful methods.)
- Any script code and images (screen dumps) showing the successful completion of the tasks in this part of the assignment.
Part B (50%)
Part B provides 50% of the assignment marks. This question is compulsory. You need to choose ONE (1) of the many tools available in BackTrack, including tools which we have not covered but which you may find interesting. For example, we only cover a few tools in the SET framework, but you may experiment with those even further. There are a variety of support documents available online, and a detailed Wiki about BackTrack.
Once you have chosen a tool, you will provide a complete run-through of the activity, screenshots of how the attack was run, and an evaluation of the data collected from the victim machine, such as traffic data captured with Wireshark.
In part B, you are required to include the following:
- A theoretical description of the attack. If, for example, you decide to run a spear phishing attack, you will need to provide around 300-500 words describing the attack in detail.
- A complete, beginning-to-end, tutorial-like presentation of the attack, without omitting any variables and including screenshots; this could look like a manual or a journal.
- An evaluation of the data collected from Wireshark, if any. In any given case you will be able to find some pattern, such as a redirection or uncommon data between clients in social network attacks, or the effect of a spoofing mechanism; you should describe in a fairly simple way what has happened.
- A short evaluation and considerations of the attack. This can and should also include defence mechanisms which can be used to defend against such an attack. Please note that this should be done thoroughly, presenting various mechanisms and a description of which you consider to be better and why. For example, for a DoS attack where the attacker has spoofed the IP address, there are a number of mechanisms to trace back the attacker, and you should include most of them.
Additional Requirements and Notes
1. The Faculty electronic plagiarism declaration must be included in a separate file (see plagiarism information on CloudDeakin).
2. Your report must contain the following information:
   - Your name and student ID number.
   - Which assignment question you attempted.
   - A detailed explanation of how you arrived at the solution, including embedded images and any scripting code to show the completeness of your solution.
3. Any text or code adapted from any source must be clearly labelled and referenced. You should clearly indicate the start and end of any such text/code.
4. All assignments must be submitted through CloudDeakin. Assignments will not be accepted through any other manner without prior approval. Students should note that this means that email and paper-based submissions will ordinarily be rejected.
5. Submissions received after the due date are penalised at a rate of 10% (out of the full mark) per day, no exceptions. Late submission after 3 days will be penalised at a rate of 100% of the full mark. Close of submissions on the due date and each day thereafter for penalties will occur at 05:00 pm Australian Eastern Time (UTC +10 hours). Students outside of Victoria should note that the normal time zone in Victoria is UTC+10 hours.
6. No extension will be granted.
7. Assignments are normally marked and returned within two weeks of the due date. Assignments that are submitted after the due date will normally take longer to mark and return.