COMP 20: Web Programming

Assignment 4: Security and Privacy Assessment of Private Car Service (Assignments 2 and 3)

Due: Tuesday, April 23rd

Objectives

Overview

You completed both the client-side (Assignment 2) and the server-side (Assignment 3) for a private car service. Unfortunately, they are riddled with security and privacy vulnerabilities. Assume that you have been hired as a security consultant to document and resolve the security and privacy issues in the applications.

Instructions

You will be assigned an Assignment 2 and 3 deliverable by another student in the class to penetration test and analyze (see below). You are free to collaborate with the student on all matters. Your goal is to find as many security and privacy problems as you can -- breaking your partner's work is allowed. You must find at least three (3) vulnerabilities in the other student's product. You are allowed to use external tools such as Burp Suite, curl, and OWASP Zed Attack Proxy (ZAP).

It is not necessary to use any of the tools listed above, but doing so is a good idea nonetheless. The only deliverable for this portion of the assignment is a security assessment document in HTML5 format in your private GitHub repository: security/index.html. Your document must have the following sections:

  1. Introduction - Provide a description of the product and what you were hired to do
  2. Methodology - Describe the methodology you used to penetration test the application, including the tools that you used
  3. Abstract of Findings - Provide an overview of all the security and privacy issues you identified. This section should be written for managers who do not have technical expertise and do not have time to read the entire document. Write this section in lay language.
  4. Issues Found - For each issue that you find, document:
  5. Conclusion - You can also list future considerations and recommendations with costs.
  6. References - A list of references and links that you used for your work.

Notes

Pairings

  1. Jing, Panru:Bisbee, Eloise
  2. Lin, Zimo:Park, Robin
  3. Clarke-Magrab, Quinn:Lombino, Isabella
  4. Beaulieu, Gabrielle:Miljanic, Philip
  5. Neubieser, Craig:Holley, Cameron
  6. Prajapati, Harsh:Gramaglia, Peter
  7. Murray, Wei-ren:Bauer, Aidan
  8. Dawson, Brita:Nwachuku, Akwarandu
  9. Gaillard, Brian:Jelcic, Daniel
  10. Barnett-Young, Annie:Russo, Trevor
  11. Massart, David:Keser, Armanc
  12. Rose, Kiara:Pantuck, Alex
  13. Bell, Brandon:Whealan, Diana
  14. Kim, Maria:Polhemus, Ryan
  15. Dovey, Caelyn:Song, Ziyu
  16. Mukasa, Keisha:Gourley, Conor
  17. Wullenweber, Paul:Chong, Amber
  18. Tavadze, Bakar:Youman, Will
  19. Vithoontien, Jonathan:Fagan, Grace
  20. Zhang, Noah:Geismar, Ethan
  21. Dieng, Aminata:Chen, Yves
  22. Cheng, Michael:Saltzman, Samantha
  23. Chang, Jonathan:Swoap, Sam
  24. Sjamsu, Aji:Chung, Sam
  25. Kim, Matthew:Ross, Johanna
  26. Alsheikh-Ali, Noaf:Li, Henry
  27. Culligan, Casey:Lai, Emai
  28. Chang-Davidson, Thomas:Toffler, Mikayla
  29. Lytel, Lucas:Ngetich, David
  30. Yeung, Julie:Alguacil, Sandra
  31. Vanderlee, Caroline:Mathew, George
  32. Llamas-Rodriguez, Josue:Tijssen, Josefine
  33. Breitman, Roberto:Joshi, Radhika
  34. Fonarev, Vichka:Bornstein, Benjamin
  35. Schertz, Aidan:Fernandes, Ramon
  36. Rao, Sitara:Wolk, Colton
  37. Testa, Sam:Iyer, Era
  38. Herodes, Logan:San, Kerem
  39. Jacobs, Nick:Mirecki, Jay
  40. Varteresian, William:Tang, Darren
  41. Osherow, Eric:Chow, Ming

The README File

Include a README file that describes the work. This description must:

  1. Identify what aspects of the work have been correctly implemented and what have not.
  2. Identify anyone with whom you have collaborated or discussed the assignment.
  3. Say approximately how many hours you have spent completing the assignment.
  4. Be written in either text format (thus README.txt) or in Markdown (thus README.md). No other formats will be accepted.

Assessment

This assignment is worth 10 points. I will be assessing your document based on its breadth and depth:

Submitting the Assignment

Push all your changes to the private repository on GitHub that I created for you, in a folder named security under the master branch. For example, if your private repository on GitHub is named comp20-mchow, make sure all the files are pushed to comp20-mchow/security.

Frequently Asked Questions

Q: Is this an individual assignment or a team assignment?

A: An individual assignment. You are free to collaborate with your partner but each student will submit his/her own report.

Q: Are we supposed to read the downloaded source code in order to make our attacks on the site we are attacking? Or should we try to do it without going through the source code? I'm not sure how to tell my attacks are working.

A: It is a two-step process:

  1. First, perform attacks WITHOUT reading the source code. This is also known as "black box" testing.
  2. Then, download the source code of the application (or get it from your partner). Peruse it, perform a manual code review, and document your findings.

If you find anything glaring, go back to the application and attack it. This is also known as "white box" testing. For example, if after reading the source code you suspect that you can perform a Cross-Site Scripting attack, go ahead and try it out.

Q: Is it necessary to use all the programs listed above?

A: No.

Q: I'm using a scanning tool and it returned a number of possible vulnerabilities. Does it mean that the vulnerabilities actually exist?

A: Not necessarily; it could be a false positive. You have to check in the database (in this case, ask your partner) whether the attack actually went through. That is, your job is to validate the finding.

Q: I can't find any problems with my partner's application. What should I do?

A: That's nonsense. You can make security and privacy recommendations. Example: if you notice that your partner's web application uses insecure methods, you can recommend upgrading the application to use more secure options.

Q: Do I have to actually fix my partner's code?

A: No.