MonashUniversity–FIT1093/FIT2093Assignment3
FIT1093/2093Assignment3–Semester1,2024
SubmissionGuidelines&Tasks
GuidelinesDetails
•Deadline:Assignment2submissionisdueinWeek15on10June2024at
11:55pmMelbourne,Australiatime(CLCampus)and10June2024at11:55pm
Malaysiatime(MACampus).ThisTaskisanindividual(notgroup)workandit
mustbesubmittedbyeachstudentindividually.
•SubmissionPlatform:Electronicsubmissionviathe`Assignment2Submission’
linkontheMoodleAssessmentspage(anEdannouncementwillbesentoncethe
linkisadded).
•RequiredFiles:RequiredVMfilesfortheassignmentwillbeavailablefor
downloadviatheMoodleAsg3MoodleSubmissionLink.
•SubmissionFileFormat:OnePDFdocumentforall4tasks.
•SubmissionPageLimit:ThesubmittedPDFdocumentmustbeatmost20
pages,excludingcoverpageandreferences.Anyscreenshotsthatcannotfitin
themain20pagescanbeplacedinanAppendix(whichdoesnotcountinthepage
limit).
•Plagiarism:Itisanacademicrequirementthatyoursubmittedworkbeoriginal.
Zeromarkswillbeawardedforthewholesubmissionifthereisanyevidenceof
copying,collaboration,pastingfromwebsites,orcopyingfromtextbooks.
•UseofGenerativeAItools:ChatGPTorotherAItoolsmaybeusedforstudy
purposes,tolearnaboutyourtopic,andtodevelopyourassignment.However,
similartocitationrequirementsforotherreferences,youmustincludeaclear
declarationofallgenerativeAItoolsused(e.g.ChatGPT,DALL-E,Grammarly,
voice-to-text),howandwhereyouhaveusedthem.PleasefollowtheMonash
guidelinesonhowtoacknowledgetheuseofGenerativeAI.
Notes
●Foreachquestion,youneedtoanswerboththecomputationresultquestion
andtheexplanationquestionsaboutyourworkingprocesssuchasthesource
codeorthecommandsyouareusingtosolvethetasks.
●Notethatifnumbersinthisassignmentarespecifiedinhexadecimalformat,
yourwrittenanswerandmanysoftwarepackagesexpecthexadecimal
numberstobeinputa‘0x’prefix(e.g.’0xa0b1c2d3’)forindicatingthe
hexadecimalformat.Forexample,thisprefixallowsSageMathtointerpretthe
valueinhex.
1
Overviewoftheassignment
Theassignmentisworth30%ofyourtotalunitmark.
Yourgoalinthisassignmentistodosecurity/penetrationtestingofaminiwebapplicationtoidentify
webapplicationandSQLinjectionvulnerabilitiesinit,usingthetechniquescoveredinourWeband
databasesecuritylectures.Then,thegoalistodemonstratehowtoexploitthevulnerabilities
discoveredtobreaktheapp’ssecurity.Finally,youwillreflectontheinvitedlecturefromWeek12and
onapplying
yourunitknowledgeinadailylifesituation.
InTask1oftheassignment(weight:10%ofyourunitmark),youwilldemonstrateyourunderstanding
ofXSSsecurityvulnerabilitiesbytestingthewebapplicationsuchvulnerabilitiesandassessing
whetheranyvulnerabilitiesyoufindcanpotentiallybeexploitedbyanattacker.
InTask2oftheassignment(weight:4%ofyourunitmark),youwilldemonstrateyourunderstanding
ofclient-sidepenetrationtestingtechniquestoattempttobypassthewebapplication’smechanismfor
enforcingaccesscontroltoprivatedocumentstoauthorisedusers.
Task3oftheassignment(weight6%ofyourunitmark)requiresyoutodemonstrateyourskillsin
testingforSQLinjectionvulnerabilitiesinapartofthewebapplicationthatmakesqueriestoanSQL
database,andexploitanyvulnerabilitiesyoudiscovertobreachgainunauthorisedaccesstothe
database.
Task4oftheassignment(weight10%ofyourunitmark)requiresyoutowriteyourreflectionofthe
invitedlectureinWeek12andpersonalexperienceinrelationtoCyberSecurity
2
AssessmentDetails
TaskRubric
Task110%
■TaskA(3%):listofpotentialXSSvulnerabilitypoints(2%)and
explaintheresults(1%)
■TaskB(7%):fortestingtechniques(1%),testsresults(2%)and
sendoutdocumentcookietoattacker’sdomain(1%)
Explainthevulnerability(2%)andmitigation(1%)
Task24%
■Testing(s)techniques(2%)and
■exploit/vulnerabilities’explanation(2%)
Task36%
■TaskA(4%):forlistofuserstesting(2%),resultsand
interpretation,fortableandfieldstestingresultsand
interpretation)(2%)
■TaskB(2%):formodifyinganonphoneno.fieldtesting(1%),
resultsandinterpretation(1%)
Task410%
●ReflectionofInvitedLecture(5%)
●Reflectionofpersonalcybersecurityexperience(5%)
3
AssignmentDetails
YoucandownloadtheAsg3VMfilefromthelinkinthe
MoodleAsg3SubmissionPage
:
-forWindowsorMacdeviceswithIntelCPUs(.ovafile),or
-forMacM1/M2deviceswithVMWareFusionplayer(.zipfile),or
-forMacM1/M2deviceswithUTMplayer(.qcow2file),seeEd#893.
OnceyouruntheVM,loginwiththefollowingcredential:
VMloginname:student
VMpassword:student
Yourtaskistoperformthefollowingsecuritytestsonthiswebapplication.Youshouldperformthese
testsusingtheFirefoxorburpsuitebuilt-inwebbrowserinstalledinyourVM,andtheburpsuitetool
installedinthegivenVM.
Task1(10%ofunitmarks):CommitteeMemberSecurityTest
VisitthehomepageforthewebapplicationattheURL(http://alicefansclub.org/index.php)usingyour
webbrowser.Ifalliswell,thebrowsershoulddisplayapagethatlooksasinFig.1.
Fig.1LoginPag
4
ThiswebappallowscommitteemembersofAliceFansClubtoaccesstheirpersonaldocuments.
Inthispart,youraimistodosecuritytestingofthecommitteememberpartofthewebapplication,
fromthepointofviewofanattackertryingtorevealthesecretcommitteeinformation.Tohelpyouwith
this,youaregiventhelogincredentialsofoneoftheregisteredcommitteemembers(however,note
thatanoutsiderattackermayormaynotknowcredentialsotherthanprovided):
Username:Alice
Password:alice
City:Sydney
Afterclickingthe“submit”buttonwiththeabovecredential,thebrowsershoulddisplayawelcome
page,asshowninFig.2.
Fig.2.Welcomepage
Then,afterenteringtheeventdetailse.gMay2024andSydneyintotheboxesandthenclickingthe
“submit”button,youshouldseetheshowposterasshowninFig.3.
5
Fig.3.Secretreportofobservation.
Completethefollowingtasks:
●Task1A(3mark)Basedontheapplicationbehaviorforloginandwelcomepagesabove:
o
Basedonthebehaviourofthewebapplicationpagesabovewithanhonestuser,list
potentialpointsonthehomeandgreetingpageswhereareflectedXSSinput
injectionvulnerabilitymaypotentiallyexist.(NoactualXSSattackisrequiredinthis
task).
o
ExplainwhythepointsyoulistedarepotentialXSSvulnerabilitypoints.
●Task1B(7mark)Experimentwiththehomepageloginandwelcomeandmemberreport
pagesinFigs.1-3,andexaminethebehaviorofthesepagestodifferentinputs.Inparticular:
o
ForeachofthepotentialXSSvulnerabilitypointslistedinTaskA.1,performteststo
seeifXSSvulnerabilitiesactuallyexistatthesepoints.
oAssumeyousetupawebapplicationserver,craftamaliciousscriptthatcouldallowthe
attackertoreceivethetargetuser’ssessioncookiebylaunchinganXSSattackonone
ofthechosenvulnerabilitypoints.
o
Inthereport,
▪
Describeandexplainyourtestingapproach
▪
Drawatableoftestresultsandyourinterpretation/conclusionsonwhyorwhy
notsuchXSSvulnerabilityexists(note:youonlyneedtotestifscriptinjectionis
possible,nosocialengineeringconsiderationsarerequired).
▪
Screenshotofscriptandthefeasibilityofreceivingcookiesattheattacker’s
applicationserver.(note:youonlyneedtoshowthescriptandevidenceforits
executiontostealthecookie,nosocialengineeringattackfeasibility/demois
required)
▪
Explainhowtomitigatethevulnerabilities.
6
Task2(4%ofunitmarks):PersonalInformationSecurityTest
Inthispart,youraimistodosecuritytestingofthefans’personalinformationpartofthewebapp.For
this,youaregivenoneoffans’nameandpassword,namely:
MemberName:Grace
MemberIDNumber:3
Memberpassword:Ro4mvSemq45xfepvaEr24
UseGrace’smemberIDnumberandMemberpasswordtologintothePersonalPrivateInformation
loginpageshowninFig.4.
Fig.4.PersonalPrivateInformationloginpage.
Completethefollowingtasks:
GracehastwoprivatedocumentsstoredinhisaccountwithdocumentIDs1and2.Yourgoalinthis
taskistotesttheapplicationagainstattacksbyGrace(MemberID:3)whoiscurioustolearnabout
anothermemberCamy’s(MemberID:4)privateinformation.
o
CanGracegainunauthorisedaccesstoCamy’spersonalprivatedata?
▪
Ifyouthinkitispossible,explainthevulnerabilityyoufoundandhowGracecan
exploitit,andshowanyprivatedataofCamyyoumanagedtoexposebythe
attack.
▪
Ifyouthinkitisnotpossible,explainwhy.
7
▪
Inanycase,explainthetestsyoudid,theresults,andyourinterpretationof
them.
Hints:experimentwiththepersonalprivateinformationpartofthewebapptoseehowitbehaveswith
differentinputsfromGrace.Usetheburpsuitetool(seeweek10appliedsession)tohelpwithyour
experimentsandtryoutpotentialattacks.
Task3(6%ofunitmarks):Attackonthedatabase
Inthispart,youraimistotestforpotentialdatabaseSQLinjectionvulnerabilitiesinthecommittee’s
personalprofilepage.Todoso,clickthe“here”linkatthebottomofthe“Welcome”page(seeFig.5)
afterlogginginastheuserAliceasexplainedinTaskA.
Fig.5.Memberwelcomepagewithlinktocommitteepersonalprofileatbottom.
8
Alice’spersonalprofilesearchpageshouldappearasinFig.6.
Fig.6.Memberpersonalprofilesearchpage.
Whenyoutypeinausernameinthetextboxunder“Pleaseenterausername:”inthesearchpage,the
personaldetailsofthememberuser(title,salaryandphoneno.)willbeshowninthewebsite.
Forexample,ifyousubmittheformwithusername=“Alice”,theinformationwillbeasshowninFig.
7.
Fig.7.Searchresultsforusername“Alice”.
9
Completethefollowingtasks:
Task3A(4marks)
Inthistask,youshouldtestforSQLinjectionvulnerabilitiesviauserinputofthequerytoachievethe
followingtasks.Youshouldincludeyourinjectioninputsandthescreencapturesofresultsinyour
presentation.
3A.(i)Testto:
●FindoutwhethertheusernameinputboxintheFig.7pagehasanSQLinjectionvulnerability.
WhatkindofSQLstatementdoyouthinkisbeingusedbythewebapplication(Insert,Update,
Selectorother)?
●Trytocraftamaliciousinputfortheusernameinputboxtolistinformationonalltheusers.
3A.(ii)Makeuseoftheusernametextboxtofind:
●alltablesinthedatabase
●amongthepossibletables,thenameofthedatabasetablewhichlikelycontainsuserpersonal
privateinformatione.g.theusernames,salary,andpassword
●listthecorrespondingnamesoffields(columns)inthedatabasetableyounamedabove,and
thevaluesofthreeoftheprivateinformationfieldsforalltheusersinthetable
Task3B(3marks)
Inthebottomhalfofthememberpersonalprofilesearchpage(seeFig.6),userAlicecanupdateher
phoneno.byenteringanewphoneno.Yoursubtasksare:
3B.(i)WhatkindofSQLstatementisbeingusedinthisbox?Attempttomakeuseofthefieldsfound
inTask3AtotestforandexploitanSQLinjectionvulnerabilityinthephoneupdatetextboxtoupdate
someinformationotherthanphoneno.
3B.(ii)IncludeyourSQLinjectionmaliciousinputandscreencapturesbeforeandafterthechangesby
usingamemberprofilesearchpagequery,andexplainyourinterpretationofthetestresults.
3B.(iii)Howtopreventthistypeofattack?
Hints:RefertotheSQLstatementquickreferencetolookforalikelySQLstatementforsubtask
3B.(i)andthestatementsyntaxtohelpyoucraftyourmaliciousinputforsubtask3B.(ii).
10
Task4:ReflectiononInvitedLecture(10marks)
Completethefollowingtaskswithinthespecifiedwordcountsbelow.
○Task4A:Reflectiononinvitedlecture(5marks)innomorethan250words:
■Summarizethemainpointsoftheinvitedlecture
■Describeonetakeawayfromthelecturethatinspiresyouthemost
■Describewhatthefuturedevelopmentsincybersecurityarelikelytobe
■Whatadviceforyourcareerdevelopmentyoumayconsidertoadopt.
○Task4B:Reflectiononyourpersonalexperienceorobservation(5marks)innomore
than250words:
■Chooseonecyberincidentyouhaveeitherexperiencedorheardaboutinthe
news
■Describeandexplainhowtheattackworkedintheincident
■Basedonthemodelof“CIAA”inthisunit,explainwhichsecuritygoal/scanbe
compromisedbytheaboveattackintheincident?
■Explainaremediationtotheincident.
11
Appendices
WARNING(Academicintegrity):Itisanacademicrequirementthatyoursubmittedworkbeoriginal.
Zeromarkswillbeawardedforthewholesubmissionifthereisanyevidenceofplagiarismorcontract
cheating(i.e.payinganotherpersontocompletetheassessmenttask).Itisfinetousecodeorother
materialfromvarioussourcesinyourreport.However,anymaterialthatyouobtainfromsomesource
(e.g.website,book,paper,article)mustbecitedintheappropriateplaceinyourreportandlistedin
thereferencessectionofyourreport.Pleasealsonotethatstudentsmustworkonthisassignment
individually,andsignificantsimilaritiesbetweenassignmentswillbeinvestigatedforevidenceof
plagiarism.
REMARK(GuidelinesonUseofAItoolsintheAssignment):ChatGPTorotherAItoolsmaybe
usedforstudypurposes,tolearnaboutyourtasks,andtodevelopyourassignment.However,similar
tocitationrequirementsforotherreferences(see“AcademicIntegrity”statementabove),youmust
includeacleardeclarationofallgenerativeAItoolsused(e.g.ChatGPT,DALL-E,Grammarly,
voice-to-text),howandwhereyouhaveusedthem.Inparticular,youshouldbeawarethatoutputof
AItoolsmaynotbefactuallycorrectandyoushouldthereforecriticallyevaluatetheoutputgenerated
bysuchtoolsforclaimaccuracyandappropriatenesstothetasks,usingreliablesources,before
incorporatingsuchoutputinyourassignment(e.g.anexampledeclarationmaybe:‘ChatGPTwas
usedtogenerateaninitialstructure,thenIeditthistocorrectfactualinaccuracies,addcitationsto
supportclaims’).
12
Wheretogethelp
Whatcanyougethelpfor?
Englishlanguageskills
ifyoudon’tfeelconfidentwithyourEnglish.
●TalktoEnglishConnect:https://www.monash.edu/english-connect
Studyskills
Ifyoufeellikeyoujustdon’thaveenoughtimetodoeverythingyouneedto,maybeyoujustneeda
newapproach
●Talktoanacademicskillsadvisor:https://www.monash.edu/learnhq/consultations
Thingsarejustreallyscaryrightnow
Everyoneneedstotalktosomeoneatsomepointintheirlife,nojudgementhere.
●Talktoacounsellor:https://www.monash.edu/health/counselling/appointments
(friendly,approachable,confidential,free)
Thingsintheunitdon’tmakesense
Evenifyou’renotquitesurewhattoaskabout,ifyou’renotsureyouwon’tbealone,it’salwaysbetter
toask.
●Askintheforumsoremailyourtutor:
Teachingteam:https://lms.monash.edu/course/view.php?id=155649§ion=1
Consultation:https://lms.monash.edu/mod/resource/view.php?id=11630825
Idon’tknowwhatIneed
EveryoneatMonashUniversityisheretohelpyou.Ifthingsaretoughnowtheywon’tmagicallyget
betterbythemselves.Evenifyoudon’texactlyknow,comeandtalkwithusandwe’llfigureitout.We
caneitherhelpyouourselvesoratleastpointyouintherightdirection.
13
Changelog
Allchangestotheassignmentwillbelistedherewiththetimeofthechange(inMelbournetime):
●20May2024:v1ofspecsreleased.
●24May2024:v2,containingthefollowingcorrection:
○p.11:“howattackerused”replacedby“howtheattackworked”.
14