CS 443 Assignment #2 Fall, 2009 This assignment will be done in groups of four. On October 14, in class, we will make sure that all groups have been formed. Beyond your group members, you may not receive any help from anyone else in the class or outside of the class. All of the code in your project must be written by no one else except for the members of your group. You may not use any code found on the Internet or elsewhere. Part I, due beginning of class on October 26 You may use reference materials, the Internet, or manuals to find information for the first part of the assignment. Identify and rank in order of importance the 5 most relevant web-application attacks including both server-side and client-side attacks. Be sure to explicitly state the nature of your ranking system, as well as why your 5 attacks belong at the top. Your ranking system could be based on popularity, magnitude of potential damage, difficulty of prevention, etc. After explaining this, describe the nature of your top 5 web-application attacks, how they work, what vulnerabilities (if any) must be present in a web application for the attacks to be possible, what potential damage might arise if the attack is successful, the difficulty of a successful attack, and mitigation and defense techniques that can be developed to thwart these attacks. Describe how any particular web browsers used today (e.g. Internet Explorer, Firefox, Safari, Opera, etc.) implements one of the mitigations you described. Part II, due beginning of class on November 9 Design a web application that contains a vulnerability that would enable an adversary to perform one of the web-application attacks you described in Part I. Your web application should take the form of an application that is hosted and run on a web server and is accessed by a client via a web browser. Your web application may use a database. Try your best to hide the vulnerability so that someone testing your web application would not see it. Please note that a major portion of your grade for this section will be the complexity and stealthiness of your vulnerability. Thus, it should be difficult for an adversary to detect and then exploit. Document your web application and its vulnerability in a short, external report. Turn in a CD with all of your source code, instructions for how to build and run your web application, and your report. In addition, bring another CD with your source code and instructions for how to build and run your web application, but NOT your short report and with NO indication of how your web application is vulnerable. Make sure your name is on both CDs. Clearly indicate which CD is for the TAs to grade and which is for the other group (as will be explained below) to analyze. Part III, also due beginning of class on November 9 Prepare a demonstration of how the vulnerability in your web application could be exploited by an adversary. Document in a short, external report how your attack works and what an adversary stands to gain from the attack. Turn in this report, all source code needed to run your attack, and instructions on how to perform your attack. This can all be included on the CD that you prepare for the TAs. Part IV, due beginning of class on November 30 You will receive the web application and build instructions of another group from the class on November 9. You will have until November 30 to find the vulnerability in the other group's web application and to create an attack that exploits this vulnerability. Partial credit will be given for identifying the vulnerability if you cannot create an attack that exploits it. You will receive extra credit if the other group is unable to find the vulnerability in your web application. You will also receive extra credit for finding additional unintended vulnerabilities in the other group's project. Turn in a description of the other group's vulnerability, a description of your attack and what an adversary stands to gain from your attack, all source code needed to run the attack, instructions on how to perform the attack, as well as what could have been done to prevent the attack. Lastly, write up a short comparison between your experiences with buffer overflow attacks in Assignment #1 and with web-application attacks in Assignment #2. Possible topics you might discuss include: difficulty level of vulnerability detection and exploitation by an adversary, what an adversary stands to gain from an exploit, prevention/mitigation techniques, attack space in the modern computing world, future directions of each, etc. Part V, presentations on November 30 and December 2 You should prepare a presentation to the class as follows: - Demonstrate your web application - Explain the vulnerability - Describe and demonstrate your attack - Describe your analysis of the other group's web application and what you found, as well as your attack on their application Grade Sheet: Part I: Quality of answers ____________ (25 points) Part II: Quality of web application: ______ (15 points) Quality of vulnerability: ___ (10 points) Stealthiness of vulnerability: ___ (10 points) Quality of documentation: ___ (15 points) Extra credit, if other group did not find vulnerability: ___ (10 points) Part III: Quality of attack: ___ (10 points) Quality of documentation: ___ (20 points) Part IV: Finding vulnerability: ___ (10 points) Quality of attack: ___ (15 points) Quality of documentation and comparison between buffer overflow attacks and web-application attacks: ___ (20 points) Part V: Quality of presentation: ___ (15 points)