代写辅导接单-FIT1093/FIT2093

欢迎使用51辅导,51作业君孵化低价透明的学长辅导平台,服务保持优质,平均费用压低50%以上! 51fudao.top

MonashUniversity–FIT1093/FIT2093Assignment3

FIT1093/2093Assignment3–Semester1,2024

SubmissionGuidelines&Tasks

GuidelinesDetails

•Deadline:Assignment2submissionisdueinWeek15on10June2024at

11:55pmMelbourne,Australiatime(CLCampus)and10June2024at11:55pm

Malaysiatime(MACampus).ThisTaskisanindividual(notgroup)workandit

mustbesubmittedbyeachstudentindividually.

•SubmissionPlatform:Electronicsubmissionviathe`Assignment2Submission’

linkontheMoodleAssessmentspage(anEdannouncementwillbesentoncethe

linkisadded).

•RequiredFiles:RequiredVMfilesfortheassignmentwillbeavailablefor

downloadviatheMoodleAsg3MoodleSubmissionLink.

•SubmissionFileFormat:OnePDFdocumentforall4tasks.

•SubmissionPageLimit:ThesubmittedPDFdocumentmustbeatmost20

pages,excludingcoverpageandreferences.Anyscreenshotsthatcannotfitin

themain20pagescanbeplacedinanAppendix(whichdoesnotcountinthepage

limit).

•Plagiarism:Itisanacademicrequirementthatyoursubmittedworkbeoriginal.

Zeromarkswillbeawardedforthewholesubmissionifthereisanyevidenceof

copying,collaboration,pastingfromwebsites,orcopyingfromtextbooks.

•UseofGenerativeAItools:ChatGPTorotherAItoolsmaybeusedforstudy

purposes,tolearnaboutyourtopic,andtodevelopyourassignment.However,

similartocitationrequirementsforotherreferences,youmustincludeaclear

declarationofallgenerativeAItoolsused(e.g.ChatGPT,DALL-E,Grammarly,

voice-to-text),howandwhereyouhaveusedthem.PleasefollowtheMonash

guidelinesonhowtoacknowledgetheuseofGenerativeAI.

Notes

●Foreachquestion,youneedtoanswerboththecomputationresultquestion

andtheexplanationquestionsaboutyourworkingprocesssuchasthesource

codeorthecommandsyouareusingtosolvethetasks.

●Notethatifnumbersinthisassignmentarespecifiedinhexadecimalformat,

yourwrittenanswerandmanysoftwarepackagesexpecthexadecimal

numberstobeinputa‘0x’prefix(e.g.’0xa0b1c2d3’)forindicatingthe

hexadecimalformat.Forexample,thisprefixallowsSageMathtointerpretthe

valueinhex.

1

Overviewoftheassignment

Theassignmentisworth30%ofyourtotalunitmark.

Yourgoalinthisassignmentistodosecurity/penetrationtestingofaminiwebapplicationtoidentify

webapplicationandSQLinjectionvulnerabilitiesinit,usingthetechniquescoveredinourWeband

databasesecuritylectures.Then,thegoalistodemonstratehowtoexploitthevulnerabilities

discoveredtobreaktheapp’ssecurity.Finally,youwillreflectontheinvitedlecturefromWeek12and

onapplying

yourunitknowledgeinadailylifesituation.

InTask1oftheassignment(weight:10%ofyourunitmark),youwilldemonstrateyourunderstanding

ofXSSsecurityvulnerabilitiesbytestingthewebapplicationsuchvulnerabilitiesandassessing

whetheranyvulnerabilitiesyoufindcanpotentiallybeexploitedbyanattacker.

InTask2oftheassignment(weight:4%ofyourunitmark),youwilldemonstrateyourunderstanding

ofclient-sidepenetrationtestingtechniquestoattempttobypassthewebapplication’smechanismfor

enforcingaccesscontroltoprivatedocumentstoauthorisedusers.

Task3oftheassignment(weight6%ofyourunitmark)requiresyoutodemonstrateyourskillsin

testingforSQLinjectionvulnerabilitiesinapartofthewebapplicationthatmakesqueriestoanSQL

database,andexploitanyvulnerabilitiesyoudiscovertobreachgainunauthorisedaccesstothe

database.

Task4oftheassignment(weight10%ofyourunitmark)requiresyoutowriteyourreflectionofthe

invitedlectureinWeek12andpersonalexperienceinrelationtoCyberSecurity

2

AssessmentDetails

TaskRubric

Task110%

■TaskA(3%):listofpotentialXSSvulnerabilitypoints(2%)and

explaintheresults(1%)

■TaskB(7%):fortestingtechniques(1%),testsresults(2%)and

sendoutdocumentcookietoattacker’sdomain(1%)

Explainthevulnerability(2%)andmitigation(1%)

Task24%

■Testing(s)techniques(2%)and

■exploit/vulnerabilities’explanation(2%)

Task36%

■TaskA(4%):forlistofuserstesting(2%),resultsand

interpretation,fortableandfieldstestingresultsand

interpretation)(2%)

■TaskB(2%):formodifyinganonphoneno.fieldtesting(1%),

resultsandinterpretation(1%)

Task410%

●ReflectionofInvitedLecture(5%)

●Reflectionofpersonalcybersecurityexperience(5%)

3

AssignmentDetails

YoucandownloadtheAsg3VMfilefromthelinkinthe

MoodleAsg3SubmissionPage

:

-forWindowsorMacdeviceswithIntelCPUs(.ovafile),or

-forMacM1/M2deviceswithVMWareFusionplayer(.zipfile),or

-forMacM1/M2deviceswithUTMplayer(.qcow2file),seeEd#893.

OnceyouruntheVM,loginwiththefollowingcredential:

VMloginname:student

VMpassword:student

Yourtaskistoperformthefollowingsecuritytestsonthiswebapplication.Youshouldperformthese

testsusingtheFirefoxorburpsuitebuilt-inwebbrowserinstalledinyourVM,andtheburpsuitetool

installedinthegivenVM.

Task1(10%ofunitmarks):CommitteeMemberSecurityTest

VisitthehomepageforthewebapplicationattheURL(http://alicefansclub.org/index.php)usingyour

webbrowser.Ifalliswell,thebrowsershoulddisplayapagethatlooksasinFig.1.

Fig.1LoginPag

4

ThiswebappallowscommitteemembersofAliceFansClubtoaccesstheirpersonaldocuments.

Inthispart,youraimistodosecuritytestingofthecommitteememberpartofthewebapplication,

fromthepointofviewofanattackertryingtorevealthesecretcommitteeinformation.Tohelpyouwith

this,youaregiventhelogincredentialsofoneoftheregisteredcommitteemembers(however,note

thatanoutsiderattackermayormaynotknowcredentialsotherthanprovided):

Username:Alice

Password:alice

City:Sydney

Afterclickingthe“submit”buttonwiththeabovecredential,thebrowsershoulddisplayawelcome

page,asshowninFig.2.

Fig.2.Welcomepage

Then,afterenteringtheeventdetailse.gMay2024andSydneyintotheboxesandthenclickingthe

“submit”button,youshouldseetheshowposterasshowninFig.3.

5

Fig.3.Secretreportofobservation.

Completethefollowingtasks:

●Task1A(3mark)Basedontheapplicationbehaviorforloginandwelcomepagesabove:

o

Basedonthebehaviourofthewebapplicationpagesabovewithanhonestuser,list

potentialpointsonthehomeandgreetingpageswhereareflectedXSSinput

injectionvulnerabilitymaypotentiallyexist.(NoactualXSSattackisrequiredinthis

task).

o

ExplainwhythepointsyoulistedarepotentialXSSvulnerabilitypoints.

●Task1B(7mark)Experimentwiththehomepageloginandwelcomeandmemberreport

pagesinFigs.1-3,andexaminethebehaviorofthesepagestodifferentinputs.Inparticular:

o

ForeachofthepotentialXSSvulnerabilitypointslistedinTaskA.1,performteststo

seeifXSSvulnerabilitiesactuallyexistatthesepoints.

oAssumeyousetupawebapplicationserver,craftamaliciousscriptthatcouldallowthe

attackertoreceivethetargetuser’ssessioncookiebylaunchinganXSSattackonone

ofthechosenvulnerabilitypoints.

o

Inthereport,

Describeandexplainyourtestingapproach

Drawatableoftestresultsandyourinterpretation/conclusionsonwhyorwhy

notsuchXSSvulnerabilityexists(note:youonlyneedtotestifscriptinjectionis

possible,nosocialengineeringconsiderationsarerequired).

Screenshotofscriptandthefeasibilityofreceivingcookiesattheattacker’s

applicationserver.(note:youonlyneedtoshowthescriptandevidenceforits

executiontostealthecookie,nosocialengineeringattackfeasibility/demois

required)

Explainhowtomitigatethevulnerabilities.

6

Task2(4%ofunitmarks):PersonalInformationSecurityTest

Inthispart,youraimistodosecuritytestingofthefans’personalinformationpartofthewebapp.For

this,youaregivenoneoffans’nameandpassword,namely:

MemberName:Grace

MemberIDNumber:3

Memberpassword:Ro4mvSemq45xfepvaEr24

UseGrace’smemberIDnumberandMemberpasswordtologintothePersonalPrivateInformation

loginpageshowninFig.4.

Fig.4.PersonalPrivateInformationloginpage.

Completethefollowingtasks:

GracehastwoprivatedocumentsstoredinhisaccountwithdocumentIDs1and2.Yourgoalinthis

taskistotesttheapplicationagainstattacksbyGrace(MemberID:3)whoiscurioustolearnabout

anothermemberCamy’s(MemberID:4)privateinformation.

o

CanGracegainunauthorisedaccesstoCamy’spersonalprivatedata?

Ifyouthinkitispossible,explainthevulnerabilityyoufoundandhowGracecan

exploitit,andshowanyprivatedataofCamyyoumanagedtoexposebythe

attack.

Ifyouthinkitisnotpossible,explainwhy.

7

Inanycase,explainthetestsyoudid,theresults,andyourinterpretationof

them.

Hints:experimentwiththepersonalprivateinformationpartofthewebapptoseehowitbehaveswith

differentinputsfromGrace.Usetheburpsuitetool(seeweek10appliedsession)tohelpwithyour

experimentsandtryoutpotentialattacks.

Task3(6%ofunitmarks):Attackonthedatabase

Inthispart,youraimistotestforpotentialdatabaseSQLinjectionvulnerabilitiesinthecommittee’s

personalprofilepage.Todoso,clickthe“here”linkatthebottomofthe“Welcome”page(seeFig.5)

afterlogginginastheuserAliceasexplainedinTaskA.

Fig.5.Memberwelcomepagewithlinktocommitteepersonalprofileatbottom.

8

Alice’spersonalprofilesearchpageshouldappearasinFig.6.

Fig.6.Memberpersonalprofilesearchpage.

Whenyoutypeinausernameinthetextboxunder“Pleaseenterausername:”inthesearchpage,the

personaldetailsofthememberuser(title,salaryandphoneno.)willbeshowninthewebsite.

Forexample,ifyousubmittheformwithusername=“Alice”,theinformationwillbeasshowninFig.

7.

Fig.7.Searchresultsforusername“Alice”.

9

Completethefollowingtasks:

Task3A(4marks)

Inthistask,youshouldtestforSQLinjectionvulnerabilitiesviauserinputofthequerytoachievethe

followingtasks.Youshouldincludeyourinjectioninputsandthescreencapturesofresultsinyour

presentation.

3A.(i)Testto:

●FindoutwhethertheusernameinputboxintheFig.7pagehasanSQLinjectionvulnerability.

WhatkindofSQLstatementdoyouthinkisbeingusedbythewebapplication(Insert,Update,

Selectorother)?

●Trytocraftamaliciousinputfortheusernameinputboxtolistinformationonalltheusers.

3A.(ii)Makeuseoftheusernametextboxtofind:

●alltablesinthedatabase

●amongthepossibletables,thenameofthedatabasetablewhichlikelycontainsuserpersonal

privateinformatione.g.theusernames,salary,andpassword

●listthecorrespondingnamesoffields(columns)inthedatabasetableyounamedabove,and

thevaluesofthreeoftheprivateinformationfieldsforalltheusersinthetable

Task3B(3marks)

Inthebottomhalfofthememberpersonalprofilesearchpage(seeFig.6),userAlicecanupdateher

phoneno.byenteringanewphoneno.Yoursubtasksare:

3B.(i)WhatkindofSQLstatementisbeingusedinthisbox?Attempttomakeuseofthefieldsfound

inTask3AtotestforandexploitanSQLinjectionvulnerabilityinthephoneupdatetextboxtoupdate

someinformationotherthanphoneno.

3B.(ii)IncludeyourSQLinjectionmaliciousinputandscreencapturesbeforeandafterthechangesby

usingamemberprofilesearchpagequery,andexplainyourinterpretationofthetestresults.

3B.(iii)Howtopreventthistypeofattack?

Hints:RefertotheSQLstatementquickreferencetolookforalikelySQLstatementforsubtask

3B.(i)andthestatementsyntaxtohelpyoucraftyourmaliciousinputforsubtask3B.(ii).

10

Task4:ReflectiononInvitedLecture(10marks)

Completethefollowingtaskswithinthespecifiedwordcountsbelow.

○Task4A:Reflectiononinvitedlecture(5marks)innomorethan250words:

■Summarizethemainpointsoftheinvitedlecture

■Describeonetakeawayfromthelecturethatinspiresyouthemost

■Describewhatthefuturedevelopmentsincybersecurityarelikelytobe

■Whatadviceforyourcareerdevelopmentyoumayconsidertoadopt.

○Task4B:Reflectiononyourpersonalexperienceorobservation(5marks)innomore

than250words:

■Chooseonecyberincidentyouhaveeitherexperiencedorheardaboutinthe

news

■Describeandexplainhowtheattackworkedintheincident

■Basedonthemodelof“CIAA”inthisunit,explainwhichsecuritygoal/scanbe

compromisedbytheaboveattackintheincident?

■Explainaremediationtotheincident.

11

Appendices

WARNING(Academicintegrity):Itisanacademicrequirementthatyoursubmittedworkbeoriginal.

Zeromarkswillbeawardedforthewholesubmissionifthereisanyevidenceofplagiarismorcontract

cheating(i.e.payinganotherpersontocompletetheassessmenttask).Itisfinetousecodeorother

materialfromvarioussourcesinyourreport.However,anymaterialthatyouobtainfromsomesource

(e.g.website,book,paper,article)mustbecitedintheappropriateplaceinyourreportandlistedin

thereferencessectionofyourreport.Pleasealsonotethatstudentsmustworkonthisassignment

individually,andsignificantsimilaritiesbetweenassignmentswillbeinvestigatedforevidenceof

plagiarism.

REMARK(GuidelinesonUseofAItoolsintheAssignment):ChatGPTorotherAItoolsmaybe

usedforstudypurposes,tolearnaboutyourtasks,andtodevelopyourassignment.However,similar

tocitationrequirementsforotherreferences(see“AcademicIntegrity”statementabove),youmust

includeacleardeclarationofallgenerativeAItoolsused(e.g.ChatGPT,DALL-E,Grammarly,

voice-to-text),howandwhereyouhaveusedthem.Inparticular,youshouldbeawarethatoutputof

AItoolsmaynotbefactuallycorrectandyoushouldthereforecriticallyevaluatetheoutputgenerated

bysuchtoolsforclaimaccuracyandappropriatenesstothetasks,usingreliablesources,before

incorporatingsuchoutputinyourassignment(e.g.anexampledeclarationmaybe:‘ChatGPTwas

usedtogenerateaninitialstructure,thenIeditthistocorrectfactualinaccuracies,addcitationsto

supportclaims’).

12

Wheretogethelp

Whatcanyougethelpfor?

Englishlanguageskills

ifyoudon’tfeelconfidentwithyourEnglish.

●TalktoEnglishConnect:https://www.monash.edu/english-connect

Studyskills

Ifyoufeellikeyoujustdon’thaveenoughtimetodoeverythingyouneedto,maybeyoujustneeda

newapproach

●Talktoanacademicskillsadvisor:https://www.monash.edu/learnhq/consultations

Thingsarejustreallyscaryrightnow

Everyoneneedstotalktosomeoneatsomepointintheirlife,nojudgementhere.

●Talktoacounsellor:https://www.monash.edu/health/counselling/appointments

(friendly,approachable,confidential,free)

Thingsintheunitdon’tmakesense

Evenifyou’renotquitesurewhattoaskabout,ifyou’renotsureyouwon’tbealone,it’salwaysbetter

toask.

●Askintheforumsoremailyourtutor:

Teachingteam:https://lms.monash.edu/course/view.php?id=155649§ion=1

Consultation:https://lms.monash.edu/mod/resource/view.php?id=11630825

Idon’tknowwhatIneed

EveryoneatMonashUniversityisheretohelpyou.Ifthingsaretoughnowtheywon’tmagicallyget

betterbythemselves.Evenifyoudon’texactlyknow,comeandtalkwithusandwe’llfigureitout.We

caneitherhelpyouourselvesoratleastpointyouintherightdirection.

13

Changelog

Allchangestotheassignmentwillbelistedherewiththetimeofthechange(inMelbournetime):

●20May2024:v1ofspecsreleased.

●24May2024:v2,containingthefollowingcorrection:

○p.11:“howattackerused”replacedby“howtheattackworked”.

14

51作业君

Email:51zuoyejun

@gmail.com

添加客服微信: Fudaojun0228