COMP 20: Web Programming

Assignment 4: Security and Privacy Assessment of Client-Side and Server-Side (Assignments 2 and 3)

Due: Tuesday, April 25th

Objectives

Overview

You completed both the client-side (Assignment 2) and the server-side (Assignment 3) for The Black Car Service. Unfortunately, they are riddled with security and privacy vulnerabilities. Assume that you have been hired as a security consultant to document and resolve the security and privacy issues in the applications.

Instructions

You will be assigned an Assignment 2 and 3 deliverable by another student in the class to penetration test and analyze (see below). You are free to collaborate with the student on all matters. Your goal is to find as many security and privacy problems as you can: breaking your partner's work is allowed. You must find at least three (3) vulnerabilities in the other student's product. You are allowed to use tools such as Burp Suite, curl, and Tamper Data for Firefox.

It is not necessary for you to use any of the tools listed above but a good idea nonetheless. The only deliverable for this portion of the assignment is a security assessment document in HTML5 format in your private GitHub repository: security/index.html. Your document must have the following sections:

  1. Introduction - Provide a description of the product and what you were hired to do
  2. Methodology - Describe your methodology pen testing the application, including the tools that you used
  3. Abstract of Findings - Provide an overview of all the security and privacy issues you identified. This section should be written for non-technical managers who do not have technical expertise and do not have time to read the entire document. Write this section using lay language.
  4. Issues Found - For each issue that you find, document:
  5. Conclusion - You can also list future considerations and recommendations with costs.
  6. References - A list of references and links that you used for your work.

Notes

Pairings

  1. Gurung, Arpan:Jaenicke, Tucker
  2. Zheng, Kate:Metzger, Nicholas
  3. Chen, Annie:Frikker, Tom
  4. Jiang, Julie:Richards, Griffin
  5. Simon, William:LeRoy, Dakota
  6. Sinha, Tanya:Lee, Jong Hoon
  7. Groh, Selena:Pesmazoglou, Georgios
  8. Doyle, Tatiana:Strzempko, Sydney
  9. Akdag, San:Downs, Harrison
  10. Sun, Marilyn:Shea, Brady
  11. Hinck, Darcy:Kong, Danielle
  12. Coleman, Tyler:Walsh, Bryce
  13. Leong, Tyler:Stivers, Stephen
  14. Ong, Anthony:Donovan, Malachy
  15. Asselin, Jarad:Stern, Leah
  16. Mairs, William:Chen, Vivian
  17. Resor, Emma:Murphy, Colin
  18. Ewing, Benjamin:Skach, Ben
  19. Dunn, Kevin:Olmez, Elif
  20. Sharma, Avita:Voelz, Brendan
  21. Mao, Yibin:Bacher, Jordan
  22. Martin, Sophie:Howarth, Jillian
  23. Chin, Robert:Shapiro, Adon
  24. Spratt, Avery:Enderle, Jacqueline
  25. Danielpour, Sophie:Katz, Dan
  26. Capretta, Bianca:Bowen, Kingsley
  27. Wang, Philip (Zijian):Chen, Ivan
  28. Guven, Hande:Darle Lin, Hnin
  29. Hou, Jiawen:Kercheval, Adam
  30. Redelmeier, Rebecca:Gregoire, James
  31. Yang, Phoebe Yu:Lemus, Jose
  32. Nolte, Alexander:Kaufman, Caroline
  33. Silvestri, Hunter:Jacobson, Anna
  34. Berman, Daniel:Oliver, Iris
  35. Iwasaki, Tomo:Hu, Qiaochu
  36. Egonu, Uche:McBrien, Caroline
  37. Galantino, Lexi:Johnson, Alexander
  38. Payne, Madeline:Welter, McKenzie
  39. Luo, Michelle:Goldsten, Liam
  40. Uustalu, Uku-Kaspar:Phylactopoulos, Georgios
  41. Machlin, Ben:Wang, Sophia
  42. Nguyen, Minh:Tan, Winston
  43. Merfeld, John:Clarke, Meredith
  44. Tran, Huynh:Dillard, Michael
  45. Jaffe, Jacob:Myles, Chad
  46. Wong, Stephanie:Cowger, Charles
  47. Adler, Noah:Yum, Eujene
  48. Voelker, Hannah:Leaman, Ian
  49. Oppenheimer, Clara:McElduff, James
  50. Allen, Nathan:Furgala, Juliana
  51. Nguyen, Duc:Mirpuri, Minal
  52. Grichevsky, Daniel:Nair, Anjali
  53. Sheng, Caroline:Hanson, Addison
  54. Feng, Haomin:Keerthy, Suneeth
  55. Sim, Ki Wan (Emily):Sisson, Grant
  56. Lustgarten, Kevin:Vetter, Paul
  57. Edmonds, Will:Shenton, Matt
  58. Rao, Nikita:Caulfield, Alex
  59. Malik, Shehryar:Silverman, Genevieve
  60. Venable, John:Hattler, Frank
  61. Feldman, Jonah:Laurita, Teddy
  62. Vitirinyu, Craig:Chow, Ming

The README File

Include a README file that describes the work. This description must:

  1. Identify what aspects of the work have been correctly implemented and what have not.
  2. Identify anyone with whom you have collaborated or discussed the assignment.
  3. Say approximately how many hours you have spent completing the assignment.
  4. Be written in either text format (thus README.txt) or in Markdown (thus README.md). No other formats will be accepted.

Assessment

I will be assessing your document based on its breadth and depth:

Submitting the Assignment

Push all your changes to the private repository in GitHub that I created for you, in a folder named security under the master branch. If your private repository in GitHub is named comp20-mchow, make sure all the files are pushed to comp20-mchow/security.

Frequently Asked Questions

Q: Is this an individual assignment or a team assignment?

A: An individual assignment. You are free to collaborate with your partner but each student will submit his/her own report.

Q: Are we supposed to read the downloaded source code in order to make our attacks on the site we are attacking? Or should we try to do it without going through the source code? I'm not sure how to tell my attacks are working.

A: Two step process:

  1. First, perform attacks WITHOUT reading the source code. This is also known as "black box" testing.
  2. Then download the source code of the application (or get it from your partner). Peruse it, perform a manual code review of it, and document your findings.

If you find anything glaring, then go back to the application and attack it. This is also known as "white box" testing. For example, after you read the source code and you are suspicious that you can perform a Cross-Site Scripting attack, go ahead and try it out.

Q: Is it necessary to use all the programs listed above?

A: No.

Q: I'm using a scanning tool and it returned a number of possible vulnerabilities. Does it mean that the vulnerabilities actually exist?

A: It could also be a false positive. You have to check whether the attempt actually went through, for example in the database (in this case, ask your partner). That is, your job is to validate the finding.
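The two answers above (try a suspected Cross-Site Scripting issue after reading the source, and validate a scanner's finding rather than trusting it) can be illustrated with a small renderer. This is an added example, not code from the assignment or from any student's deliverable; it assumes a JavaScript server that builds HTML from stored ride records with hypothetical fields `username`, `lat` and `lng`, which the assignment page does not specify. The probe string is constructed and harmless; a finding counts as confirmed only when the probe's markup survives unescaped in the output.

```javascript
// Added example (not part of the COMP 20 assignment): a vulnerable renderer
// beside its hardened form, plus the validation check the FAQ asks for.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical vulnerable renderer: concatenates stored user data straight into markup.
function renderRideUnsafe(ride) {
  return `<li>${ride.username} at (${ride.lat}, ${ride.lng})</li>`;
}

// Hardened renderer: every untrusted field is escaped before it reaches the page.
function renderRideSafe(ride) {
  return `<li>${escapeHtml(ride.username)} at (${escapeHtml(ride.lat)}, ${escapeHtml(ride.lng)})</li>`;
}

// Validation step: a scanner's XSS report is a real finding only if the probe
// comes back with its tags intact. PROBE is a constructed, inert marker string.
const PROBE = '<b>probe</b>';
function findingConfirmed(renderFn) {
  // Constructed sample record; the field names are assumptions, not the assignment's schema.
  const html = renderFn({ username: PROBE, lat: 42.4, lng: -71.1 });
  return html.includes(PROBE); // raw tags survived -> confirmed; escaped -> false positive
}

// Stand-alone run: prints which renderer confirms the finding.
console.log('unsafe renderer confirmed:', findingConfirmed(renderRideUnsafe));
console.log('safe renderer confirmed:', findingConfirmed(renderRideSafe));
```

In a report, the confirmed case belongs under Issues Found with the hardened renderer as the recommended fix; the unconfirmed case is the scanner false positive the FAQ warns about and should be recorded as such rather than as a vulnerability.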

Q: I can't find any problems with my partner's application. What should I do?

A: That's nonsense. You can make security and privacy recommendations. Example: if you notice that your partner's web application uses insecure methods, you can recommend upgrading the application to use more secure options.

Q: Do I have to actually fix my partner's code?

A: No.