DAASHW7 (4)

CS4389.001 Data and Application Security Assignment 7 This is from our syllabus: No e-mail submissions are accepted. No late submissions are accepted. Please plan accordingly and do not leave your submissions to the last minute. If you encounter a problem during eLearning submission, please contact 24/7 eLearning Help IMMEDIATELY. This help is available 24/7 at: eLearning Help URL: http://www.utdallas.edu/elearning/eLearningHelpdesk.html eLearning Help Phone: 1 866 588 3192 Any submission that is missed will be graded with a zero. Please do not insist for exceptions. Purpose: Demonstrate the ability to understand and implement authentication, the SQL injection attack, and analyzing and interpreting web based data transfer security. Question 1. (15 POINTS) A system allows the user to choose a password with a length of eight characters. Assume that 10,000 passwords can be tested per second. The system admin expires passwords once they have a probability of 0.10 of having been guessed. Determine the expected time to meet this probability under each of the following conditions. 1.A.) (5 POINTS) Password characters may be any ASCII characters from 1 to 127, inclusive. 1.B.) (5 POINTS) Pas sword characters may be any alphanumeric characters (“A” through “Z,” “a” through “z,” and “0” through “9”). 1.C.) (5 POINTS) Password characters must be digits. Question 2. (35 POINTS) In a web based transaction, you can give harm to client in many different ways. One of these ways is to use a proxy to trap transferred values from client to server and modify them on the way. In this exercise you will use the Paros web application security tool for this purpose to test your own web documents. Download and install the free Paros tool from one of the URLs below: https://sourceforge.net/projects/paros/ https://paros.soft112.com/ Please follow the installation steps carefully (e.g. you need to make sure that JDK/Java Run Time Environment (JRE) 1.4.2 -or above- is installed on your computer already). Paros works in interaction with your web browser. So, you need to set the proxy settings of your browser as well. The user’s guide for Paros at the same URL seem to have been removed. So, you may use the following links to get help with the Paros tool:

http://www.madirish.net/191 https://www.youtube.com/watch?v=Ytr0DmVE5Bo http://singhshardul.blogspot.com/2007/06/paros-proxy-step-by-step-guide.html A simple search on Internet should also retrieve supporting documents for this tool. Then, create test web documents with php scripts that uses: - Case 1: Simple get methods (e.g. getting username and password, demographic information of user, etc.). - Case 2: Simple post method. Note: The get and post methods have been introduced in class. You can also refer to the attached help for hw7.ppt document to see the sample code in which these two methods are used. If you have problems with running your php code, please collaborate with our TAs to get help. IMPORTANT NOTE: If you cannot execute the Paros tool, you may try OWASP ZAP 2.9.0, which is a fork of the Paros project. Using the Paros tool, analyze both case 1 and case 2 above and submit the following: 2.A.) (20 POINTS: 10 POINTS for get, 10 POINTS for post) Vulnerability report of your test web documents. How serious is the vulnerability of your code? High, medium, or else? Include this report in your homework report and comment on this. 2.B.) (15 POINTS: 7.5 POINTS for get, 7.5 POINTS for post) Use Trap response and Trap request functions of the Paros tool to capture the on the fly requests/responses and try modifying them. Take screen shots for this test and include in your homework report. Tips for the Paros tool: Following are possible issues and suggested solutions for the Paros tool: • 32bits JRE required, it can be download from: https://www.java.com/en/download/manual.jsp : • It works on IE, Firefox, Chrome, but in order to actually change the browser proxy setting, the browser needs to be opened as administrator. • IE and Firefox can run the html and corresponding php directly, but not Chrome • If run the html files directly, nothing will be caught by Paros since Paros only spy on http/https protocols • If put the files into utd personal webpage, Paros can catch get/post requests but php files will trigger a 500 error.

Using the WebGoat 5.2 tool (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824) do the following: 3.A.) Perform numeric SQL injection attack. Explain in detail how you have performed this attack. Get a screen shot of your resulting screen and include in your submission (10 POINTS, If you use a hint then 5 POINTS) 3.B.) Perform string SQL injection attack. Explain in detail how you have performed this attack. Get a screen shot of your resulting screen and include in your submission (10 POINTS, If you use a hint then 5 POINTS) 3.C.) Perform Denial of Service from Multiple Logins attack. Explain in detail how you have performed this attack. Get a screen shot of your resulting screen and include in your submission (10 POINTS, If you use a hint then 5 POINTS) 3.D.) Perform 2 more attacks that you choose in WebGoat. State clearly what are the names of these two attacks. Explain in detail how you have performed each. Get a screen shot of each resulting screen and include in your submission (20 POINTS, If you use hints then 10 POINTS) IMPORTANT NOTE: We are using these tools ONLY for educative purposes. DO NOT use WebGoat and Webscarab tools for other purposes that you will be responsible for. What to Submit: If you are turning in a single file , then name your file as: CS4389-Assignment<number>-<FirstName><LastName>.extension So, student John Smith will name his 1 st assignment doc file as: CS4389-Assignment1-JohnSmith.doc If you are turning in multiple files , please create a ZIP file of all your files and use the following naming convention for your ZIP file: CS4389-Assignment<number>-<FirstName><LastName>.zip. So, student John Smith will name his 1 st assignment zip file as: CS4389-Assignment1-JohnSmith.zip Good luck.