COMP 20: Web Programming
Assignment 4: Security and Privacy Assessment of Private Car Service (Assignments 2 and 3)
Due: Tuesday, April 23rd
- Perform a security assessment on a potentially vulnerable web application.
You completed both the client-side (Assignment 2) and the server-side (Assignment 3) for a private car service. Unfortunately, they are riddled with security and privacy vulnerabilities. Assume that you have been hired as a security consultant to document and resolve the security and privacy issues in the applications.
You will be assigned the Assignment 2 and 3 deliverables of another student in the class to penetration test and analyze (see the pairings below). You are free to collaborate with that student on all matters. Your goal is to find as many security and privacy problems as you can; breaking your partner's work is allowed. You must find at least three (3) vulnerabilities in the other student's product. You are allowed to use external tools such as Burp Suite, curl, and OWASP Zed Attack Proxy (ZAP).
It is not necessary for you to use any of the tools listed above, but it is a good idea nonetheless. The only deliverable for this portion of the assignment is a security assessment document in HTML5 format in your private GitHub repository: security/index.html. Your document must have the following sections:
- Introduction - Provide a description of the product and what you were hired to do
- Methodology - Describe your methodology pen testing the application, including the tools that you used
- Abstract of Findings - Provide an overview of all the security and privacy issues you identified. This section should be written for non-technical managers who do not have technical expertise and do not have time to read the entire document. Write this section using lay language.
- Issues Found - For each issue that you find, document:
  - Issue (e.g., database injection, really bad programming practice)
  - Location or page where the issue was found
  - Severity of the issue (e.g., low, medium, or high). Justify your answer.
  - Description of the issue. How did you find it? A screenshot of the problem is excellent.
  - Proof of vulnerability. Show pictures or it didn't happen.
  - Resolution. Make recommendation(s) on how the issue can be resolved. Show code if possible.
- Conclusion - You can also list future considerations and recommendations with costs.
- References - A list of references and links that you used for your work.
- You can identify multiple instances of the same security and privacy issue in your document (i.e., two instances count as two issues). Example: Cross-Site Scripting (XSS) on two different sections of the web application.
- It is important that you read your partner's source code!
- Jing, Panru:Bisbee, Eloise
- Lin, Zimo:Park, Robin
- Clarke-Magrab, Quinn:Lombino, Isabella
- Beaulieu, Gabrielle:Miljanic, Philip
- Neubieser, Craig:Holley, Cameron
- Prajapati, Harsh:Gramaglia, Peter
- Murray, Wei-ren:Bauer, Aidan
- Dawson, Brita:Nwachuku, Akwarandu
- Gaillard, Brian:Jelcic, Daniel
- Barnett-Young, Annie:Russo, Trevor
- Massart, David:Keser, Armanc
- Rose, Kiara:Pantuck, Alex
- Bell, Brandon:Whealan, Diana
- Kim, Maria:Polhemus, Ryan
- Dovey, Caelyn:Song, Ziyu
- Mukasa, Keisha:Gourley, Conor
- Wullenweber, Paul:Chong, Amber
- Tavadze, Bakar:Youman, Will
- Vithoontien, Jonathan:Fagan, Grace
- Zhang, Noah:Geismar, Ethan
- Dieng, Aminata:Chen, Yves
- Cheng, Michael:Saltzman, Samantha
- Chang, Jonathan:Swoap, Sam
- Sjamsu, Aji:Chung, Sam
- Kim, Matthew:Ross, Johanna
- Alsheikh-Ali, Noaf:Li, Henry
- Culligan, Casey:Lai, Emai
- Chang-Davidson, Thomas:Toffler, Mikayla
- Lytel, Lucas:Ngetich, David
- Yeung, Julie:Alguacil, Sandra
- Vanderlee, Caroline:Mathew, George
- Llamas-Rodriguez, Josue:Tijssen, Josefine
- Breitman, Roberto:Joshi, Radhika
- Fonarev, Vichka:Bornstein, Benjamin
- Schertz, Aidan:Fernandes, Ramon
- Rao, Sitara:Wolk, Colton
- Testa, Sam:Iyer, Era
- Herodes, Logan:San, Kerem
- Jacobs, Nick:Mirecki, Jay
- Varteresian, William:Tang, Darren
- Osherow, Eric:Chow, Ming
A README file that describes the work is also required. This description must:
- Identify what aspects of the work have been correctly implemented and what have not.
- Identify anyone with whom you have collaborated or discussed the assignment.
- Say approximately how many hours you have spent completing the assignment.
- Be written in either text format (thus README.txt) or in Markdown (thus README.md). No other formats will be accepted.
This assignment is worth 10 points. I will be assessing your document based on its breadth and depth:
- (1 point) - Introduction
- (1 point) - Methodology
- (1 point) - Abstract of findings
- (3 points) - Issues found and technical analysis of issues found
- (1 point) - Conclusion
- (1 point) - References
- (1 point) - Grammar, spelling, style (e.g., must be in HTML format)
- (1 point) - README document exists; report is named index.html in a folder named security in your private GitHub repository under the master branch. No credit for a report uploaded as PDF, Word document, or other format.
Submitting the Assignment
Push all your changes to the private repository in GitHub that I created for you, in a folder named security under the master branch. Say that your private repository in GitHub is named comp20-mchow, make sure all the files are pushed to
Frequently Asked Questions
Q: Is this an individual assignment or a team assignment?
A: An individual assignment. You are free to collaborate with your partner but each student will submit his/her own report.
Q: Are we supposed to read the downloaded source code in order to make our attacks on the site we are attacking? Or should we try to do it without going through the source code? I'm not sure how to tell my attacks are working.
A: Two step process:
- First, perform attacks WITHOUT reading the source code. This is also known as "black box" testing.
- Then, download or get from your partner the source code of the application. Peruse it, perform a manual code review of it, and document your findings.
If you find anything glaring, then go back to the application and attack it. This is also known as "white box" testing. For example, after you read the source code and you are suspicious that you can perform a Cross-Site Scripting attack, go ahead and try it out.
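As an added illustration of what the "Resolution. Show code if possible" item expects from a white-box finding (example code written for this page, not taken from any student's submission): a rendering function that concatenates a stored rider name straight into HTML, beside a fixed version that escapes it. It assumes a Node.js back end and a constructed ride record; the assignment does not prescribe a stack.

```javascript
// Added example: a finding write-up pairs the vulnerable code with its fix.
// Assumes a Node.js back end (constructed; the assignment names no stack).

// Constructed sample record, shaped like a stored "ride" document.
const ride = {
  username: "<img src=x onerror=alert(1)>",  // constructed hostile value
  lat: 42.4075,
  lng: -71.1190,
};

// Before (vulnerable): untrusted data is concatenated straight into markup,
// so whatever a user submitted as a name is parsed as HTML by every browser
// that later views the page. This is stored Cross-Site Scripting.
function renderRideUnsafe(r) {
  return `<tr><td>${r.username}</td><td>${r.lat}</td><td>${r.lng}</td></tr>`;
}

// Fix: encode the five characters HTML can interpret before interpolation.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// After (resolved): every field passes through escapeHtml, numbers included,
// so the same record renders as visible text rather than as a tag.
function renderRideSafe(r) {
  return `<tr><td>${escapeHtml(r.username)}</td>` +
         `<td>${escapeHtml(r.lat)}</td><td>${escapeHtml(r.lng)}</td></tr>`;
}

// A check a report can cite as proof: does the rendered output contain any
// tag that is not part of the template (only <tr>, <td>, </td>, </tr>)?
function containsInjectedTag(html) {
  return /<(?!\/?(tr|td)\b)[a-z]/i.test(html);
}

console.log(containsInjectedTag(renderRideUnsafe(ride)));  // true
console.log(containsInjectedTag(renderRideSafe(ride)));    // false
```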
Q: Is it necessary to use all the programs listed above?
Q: I'm using a scanning tool and it returned a number of possible vulnerabilities. Does it mean that the vulnerabilities actually exist?
A: It could also be a false positive. You have to check in the database (in this case, ask your partner) whether it went through. That is, your job is to validate the finding.
Q: I can't find any problems with my partner's application. What should I do?
A: That's nonsense. You can make security and privacy recommendations. Example: if you notice that your partner's web application uses insecure methods, you can recommend upgrading the application to use more secure options.
Q: Do I have to actually fix my partner's code?