程序代写案例-INFO2222-Assignment 2
INFO2222 Assignment 2
Due: Friday of Week 10, 11:59pm
This assignment is worth 5% of your final assessment
It’s an often repeated maxim that systems should be designed with security as the focus, not something
to be slapped on after the fact. Unfortunately, as with most other good advice, the demands of getting
a system working often outweigh the demands on ensuring that it is secure.
In this assignment you will be building on your website from assignment 1. If your website has not
been completed, you will be required to finish it.
Task description
There are two components to this assignment, a core section and a list of options. You will be required
to implement all the components from the core section, along with two of the optional components.
As a team you should pick and implement two of the options listed below, and you should provide
complete and thorough documentation of your site and what security features you have implemented.
Your options are:
• Confidentiality - HTTPS support
• Integrity - Web Application Firewall
• Availability - WSGI + Web Server deployment
• Auditability - API + Database
1
INFO2222 Blue Team
Core Components
You are required to complete both of these core components.
Deploying the Site [2 Marks]
Real websites are deployed on dedicated servers.
To complete this component, you will be provided with a server and ssh access and will need to
deploy your site to the server.
You will be marked both for getting your site functioning on this server, and how you have configured
the server. Consider how git keys and ssh keys should be stored, and how groups and users should be
set up.
It’s worth noting that the servers may be rebooted periodically, you will want some method of ensuring
that your web application restarts when the server restarts. You may find systemctl, or init scripts
useful for this.
• 1 mark for a successful deployment
• 0.5 marks for an appropriate use of users and groups
• 0.5 marks for a successful startup script
In assignment three the availability of your site will be assessed. Bottle by itself is not particularly
efficient, and you may find the cherrypy python package useful in quickly improving the stability of
your site.
Virtual Users [2 Marks]
Bots are prevalent on the Internet, from crawling and data-mining to automated up-voting and sharing,
the actions of an anonymous virtual user can be nearly indistinguishable from that of a real person.
These virtual users are also useful debugging tools, and when run can swiftly ferret out any broken
links or functionality.
You will be required to write a number of virtual actors for your site. They should span all regular user,
and administrator roles and should perform a number of actions that you would consider standard for
the site such as logging in, trawling the site sending messages, and banning and unbanning each other.
You will need to write a separate Python class (in its own file) that when run, selects a virtual user
at random and navigates them through the site, performing tasks that a regular user would (filling in
forms, viewing pages etc). The actions of your virtual users should span all possible routes for your
site. You may find it useful to re-purpose your think alouds as the paths that your virtual users take
through your site.
Your virtual users should make use of a headless browser to ensure that Javascript and AJAX
can be correctly loaded.
Template code will be provided. You may find that the requests and selenium packages are
helpful in completing this section.
Page 2 of 7
INFO2222 Blue Team
• 1 mark for successfully setting up your bots and demonstrating at least one think aloud
• 1 mark for completing all other tasks on your site
Options
Each option is worth 2 marks. You are required to complete two options but may complete as many
as you wish. Completing further options will not award additional marks.
Confidentiality - HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol
(HTTP). It is used for secure communication and encrypts data between the
If you select this option, you will be required to obtain a and configure your site to use a SSL certificate
obtained from some certificate authority (Let’s Encrypt provides these for free). You should attempt
to explain your choice of SSL settings in your report.
• 1 mark for ensuring HTTPS for all routes
• 1 mark for explaining your choice of configuration options
Integrity - Web Application Firewall A (WAF)
Many modern websites have a parser (such as Naxsi for Nginx) that checks incoming requests for
malicious strings and sanitises them. This attempts to clear strings of potential SQL injections, XSS
attacks and other nefarious schemes.
If you pick this option you will be required to build your own parser that checks incoming requests to
your site and cleans them of any nefarious contents. The parser should operate as a separate Python
class in its own file, and should detect and report malicious strings to the site’s Administrators. The
WAF should handle attacks gracefully; failing a check might sanitise the user’s input, redirect to an
error page or otherwise inform the user of the error without impacting on the availability of the site.
This web application firewall should be hosted on a separate port to your web application (so that
multiple web applications could make calls to the same WAF). The application should be written such
that the target port and address are a not hard coded, and are preferably loaded from a configuration
file when the server is started.
Template code will be provided.
• 0.5 marks for separation of the WAF from the application
• 0.5 marks for explaining in the report for explaining your WAF rules
• 1 mark for the implementation and demonstration of the WAF
Page 3 of 7
INFO2222 Blue Team
Integrity - Web Application Firewall B (WAF)
Often attackers may begin by scanning and scraping a target website. With this option you are to
develop a WAF that detects and rejects scrapers and automated scripts. You should consider curl,
wget python requests, selenium and other common approaches to automating the scanning
and scraping of a website.
This web application firewall should be hosted on a separate port to your web application (so that
multiple web applications could make calls to the same WAF). The application should be written such
that the target port and address are a not hard coded, and are preferably loaded from a configuration
file when the server is started.
You will need to find a method of authenticating your own virtual users if you select this option;
without proper authentication your virtual users should be blocked by this WAF.
Template code will not be provided.
• 0.5 marks for separation of the WAF from the application
• 0.5 marks for explaining in the report for explaining your WAF rules
• 1 mark for the implementation and demonstration of the WAF
Availability - WSGI + Web Server Deployment
You may have noticed that the bottle framework is not particularly fast, and that under a reasonably
small load availability may start to suffer. This option involves hosting your application using a more
powerful web server to ensure faster response times and better availability.
uWSGI and nginx are likely to be useful tools for completing this task, completing this option may
also change how your web application is launched at startup. These are incredibly useful tools with
thousands of options, you are not required to have a perfect setup, merely a working one.
This option may be difficult if you are uncomfortable with the Linux command line.
• 1 mark for a working nginx setup
• 1 mark for a working uWSGI setup
API + Database
It is common practice to divide a website into a series of different processes. One of the most coarse
grained approaches to this is to have a separate API that provides the appropriate data while the front
end serves page requests. If you pick this option you will be required to write a separate Python server
that hosts the required API endpoints.
As a secondary part of this option, you will need to further segregate your database from your main
application. Your database should exist as a third, separate application on its own port. Your web
application itself should only ever get data by requesting it from the API, it should not communicate
with the database itself.
Page 4 of 7
INFO2222 Blue Team
Your API and database should be communicated with using an appropriate Python networking mod-
ule. Your database does not require SQL (but you may use it), it can simply contain all the Python
objects that contain the data you require for this site and can be backed up to a text document. You
may chose to use a pre-existing SQL or NoSQL database.
Lastly, all API calls should be logged somewhere on your server for the purposes of auditing.
Your web server and API applications should be written such that the target port and address are a
single variable that can be easily modified. please do not hard code them into every request. You may
find that your MVC structure naturally lends itself to this sort of division, as a result, no template
code will be provided for this option. Instead consider splitting your model and database components
across multiple bottle servers
• 1 mark for separation of the API
• 0.5 marks for separation of the database
• 0.5 marks for the API log
Documentation
Your application should come with 1000-2500 words of documentation dictating how the site works
and what security decisions have been made. In particular it should discuss what data is collected and
stored, how it can be accessed and viewed. It is suggested that you include relevant sections of code,
and diagrams where appropriate. For example, if you store data in cookies, you should state what data
is stored and how it is stored, or if you communicate with another python server as part of an option
for assignment 2, you should state how this communication is handled.
The documentation should not disclose any administrative or other passwords or keys that are
used in your site, but should otherwise describe in detail what the security goals of the site are, and
how they have been achieved.
Additional Criteria
The following are some additional criteria that will be required of your web application.
• Your site should not make external calls to on-line APIs, CDNs or other repositories as it needs
to be able to run in an isolated environment. External requests will result in the loss of marks.
• DO NOT TAMPER WITH THE STAFF ACCOUNTS ON YOUR SERVERS, these are the
‘ec2-user’ account and the ‘marker’ account. These accounts will be used for marking, if staff
cannot access them, they cannot mark your website and you will receive a 0 for this assessment.
• Broken functionality may result in a marks deduction; if your usability project submission was
not feature complete then you should finish your implementation before the end of this project.
Marks will be deduced based on the severity of the unfinished features.
• If your site is not in working order and hosted on your virtual machine by the due date then you
will be awarded a mark of zero for this assessment.
Page 5 of 7
INFO2222 Blue Team
Marking
You will receive a mark out of 10 for this assignment. The security of your implementation of your
web application will not be assessed in this assignment, but will be assessed in Assignment 3.
• A mark out of 4 for the core functionality. Each component will be marked out of 2. A mark
of 0-1 indicates that the work does not meet the requirements outlined above, it is missing key
features or requirements and would be difficult to deploy. A mark of 1-1.5 meets most the
requirements but may not be complete in every case. A mark of 1.5-2 indicates that the work
meets all of the requirements.
• A mark out of 4 for your options, each option will be marked out of 2. A mark of 0-1 indicates
that the work does not meet the requirements outlined above, it is missing key features or
requirements and would be difficult to deploy. A mark of 1-1.5 meets most the requirements
but may not be complete in every case. A mark of 1.5-2 indicates that the work meets all of the
requirements.
• A mark out of 2 for the quality of the documentation. A mark of 0-0.5 indicates that the
document is sparse and incomplete. A mark of 0.5-1 indicates that the documentation is missing
large section of required details and a reader would not be able to understand the architecture
of the site from this document. A mark of 1-1.5 indicates that the document contains all of
the key details required and is presented in a readable fashion. A mark of 1.5-2 indicates that
the contents of the document are clear, and well explained and include appropriate snippets of
python code and diagrams.
• Up to five marks may be penalised for non-completion of the functionality of the website from
assignment one. Wire frames are not sufficient. Your site should support registration, logging
in, messaging, posting and account administration, user administration should allow the chang-
ing of account details, while administrators should be able to restrict, promote or delete other
users.
Submission Details
The following details should be read carefully regarding the submission of this assignment
Group Assessment
As with your usability project you will be required to complete a group assessment form using spark-
plus. The marks awarded for this assessment will be proportional to the contributions of each group
member.
Page 6 of 7
INFO2222 Blue Team
Code Submission
Your report should include a link to your last git commit before the submission deadline.
The code that you have on your site will be assessed. READMEs, code commenting and other forms
of documentation will be looked upon favourably. Spaghetti code, missing documentation, tabs rather
than spaces, and a lack of compliance with PEP8 standards will be looked upon unfavourably. Code
is more often read than written; code that cannot be understood will be assumed to be non-functional.
Report Submission
You will be required to submit your report on Canvas in a pdf format. Latex is encouraged (and is a
useful skill to learn).
If you have any questions, or are unsure about the submission process or any aspects of this
assignment, please ask sooner rather than later!
Academic declaration
By submitting this assignment you declare the following:
I declare that I have read and understood the University of Sydney Student Plagiarism: Coursework Policy and Procedure, and except where specifically
acknowledged, the work contained in this assignment/project is my own work, and has not been copied from other sources or been previously submitted
for award or assessment.
I understand that failure to comply with the Student Plagiarism: Coursework Policy and Procedure can lead to severe penalties as outlined under
Chapter 8 of the University of Sydney By-Law 1999 (as amended). These penalties may be imposed in cases where any significant portion of my
submitted work has been copied without proper acknowledgment from other sources, including published works, the Internet, existing programs, the
work of other students, or work previously submitted for other awards or assessments.
I realise that I may be asked to identify those portions of the work contributed by me and required to demonstrate my knowledge of the relevant material
by answering oral questions or by undertaking supplementary work, either written or in the laboratory, in order to arrive at the final assessment mark.
I acknowledge that the School of Computer Science, in assessing this assignment, may reproduce it entirely, may provide a copy to another member of
faculty, and/or communicate a copy of this assignment to a plagiarism checking service or in-house computer program, and that a copy of the assignment
may be maintained by the service or the School of Computer Science for the purpose of future plagiarism checking.
Page 7 of 7

欢迎咨询51作业君
51作业君 51作业君

Email:51zuoyejun

@gmail.com

添加客服微信: ITCSdaixie