/Web-security

Web application security course covering the most critical web application security risks and how to protect against those vulnerabilities.

WEB APPLICATIONS SECURITY COURSE

- FALL SEMESTER ENDS 2016 NOVEMBER 25TH.  
+ EXAM DATE FOR ERASMUS 2016 11 28, CLASSROOM 311, 7.45 AM.

EVALUATION = HOMEWORK PROJECT (40%) + PRACTICAL TASKS (30%) + EXAM (30%).

HERE YOU CAN FIND YOUR TASK RESULTS: (https://vikolt-my.sharepoint.com/personal/m_gzegozevskis_ad_viko_lt/_layouts/15/guestaccess.aspx?guestaccesstoken=Ss%2fV1SI2K7L8UnimYN4n1Mgc2N6D3uy0kRAxsiCDm4U%3d&docid=0ef88d5256c2247439a1b62b5c610f973&rev=1).


PHP SERVER IP ADDRESS: http://10.1.16.81/shared

Edit files directory address: \\MARIUS\shared

Remote desktop server address: 192.168.10.24 or 192.168.10.25. The user credentials you already have are the same for both servers.


HOMEWORK PROJECT. Create a secure web application using any programming language you already know, e.g. PHP, Java, ASP.NET, Python, etc.:


  • The web application should include protections against the top 10 most common web security vulnerabilities.
  • The web application should have a login page. All application data should be stored in a database, e.g. MySQL. You should also implement the basic CRUD (Create, Read, Update, Delete) operations.
  • Create a few user roles, e.g. Administrator - full control; Basic user - limited access to the web page functionality; Guest - can only browse the home page.

#### PRACTICAL TASKS


Task 1 (10 points)


  • The software is already installed in the computer classrooms; if you are using a personal computer you can download it from the software section.
  • Using the OWASP Zed Attack Proxy Project (ZAP tool), try to find a vulnerable website: enter the URL address in the "URL to Attack" field and press Start Scan. In the Alerts tab you will see all the risks found, marked as warnings, medium or high priority risks. If you find a web page with high priority risks in the first lecture, you get a bonus 10 points towards your final evaluation.
  • Run a Windows web development environment for Apache, MySQL and PHP (WAMP) and try to open http://localhost:8888 in the computer classroom. If it works, find the www/ directory and add a new web page named myFirstPage.php, open that file and add a simple line of code; if it works, run your page in the browser by typing: (http://localhost:8888/myFirstPage.php).

Task 2 (10 points)


  • Configure Damn Vulnerable Web Application - (http://www.dvwa.co.uk/) and run it on localhost using the WAMP server. Once it runs, configure the security level and set it to low, then open the XSS (Stored) link and try to create a script that pops up a window with the text "hello world".
  • Later, create a script that redirects you to your own page hack.php, which displays a fake page with the same design and login form as DVWA and stores the entered username and password in your data source, e.g. a database or a text file. Also try to implement different scripts that display ads or play audio files.

Task 3 (10 points)


  • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) – A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.
  • Create your own unique CAPTCHA test, which should have these components: picture, text, digit, quiz, etc.

Task 4 (10 points)


  • Download the WGET tool (http://gnuwin32.sourceforge.net/packages/wget.htm) and first read its help or documentation.
  • On a Windows operating system, open the command prompt and change to your wget bin directory, e.g. cd "C:\Program Files (x86)\GnuWin32\bin".
  • Run the wget tool from the command prompt: call wget.exe --help, read the instructions and try out some of the options.
  • Download the source code of any web page using the WGET tool. Finally, write a summary in a text document of what you learned to do with this tool.

Task 5 (10 points)


  • Create myFunction.php, then write your own unique function that protects against XSS attacks (do not use the default library functions, e.g. htmlentities()).
  • Think about how to neutralise special characters in input fields; you should also implement a data validation function.
  • When you present your unique function, you should have some prepared test data for the input fields of your myFunction.php.
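As an added illustration of what Task 5 asks for (this is example code written for this page, not the course's reference solution), the following myFunction.php escapes the five characters that can change meaning in HTML text or a double-quoted attribute by hand, without htmlentities() or htmlspecialchars(), and adds a whitelist validator; the function names and the constructed test strings are assumptions.

```php
<?php
// Example code added for this page (not the course's own solution).
// Characters that can change meaning in HTML text or a quoted attribute.
const MY_HTML_ESCAPE_MAP = [
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#x27;',
];

/**
 * Escape untrusted data for insertion into HTML text or a double-quoted
 * attribute value. Walking the string byte by byte and mapping each byte
 * once avoids the double-encoding problem of chained str_replace calls
 * (where an '&' produced by one replacement is re-escaped by the next).
 * UTF-8 continuation bytes are >= 0x80 and never equal an ASCII special
 * character, so byte-wise iteration is safe for UTF-8 input.
 */
function myEscapeHtml(string $input): string
{
    $out = '';
    $len = strlen($input);
    for ($i = 0; $i < $len; $i++) {
        $ch = $input[$i];
        $out .= MY_HTML_ESCAPE_MAP[$ch] ?? $ch;
    }
    return $out;
}

/**
 * Validate a username: 3 to 20 characters, letters, digits and underscore
 * only. Validation rejects unexpected input early; escaping is still
 * applied on output, because validation alone is not an XSS defence.
 */
function myValidateUsername(string $input): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $input) === 1;
}

// Constructed test data for the demonstration.
$samples = [
    'alice_01',
    'Tom & "Jerry"',
    '<script>alert("hello world")</script>',
];
foreach ($samples as $s) {
    printf("valid=%-3s escaped=%s\n",
        myValidateUsername($s) ? 'yes' : 'no', myEscapeHtml($s));
}
```

Run it with `php myFunction.php`; only the first sample passes validation, and the third is rendered as literal text in a browser instead of executing.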

Extra task (10 points)


Install the Wireshark packet sniffer (https://www.wireshark.org/download.html). Try to capture some sensitive data from a different computer in your network, e.g. an e-mail message, a login username and password, pictures, etc.


EXAM

  • Quiz from top 10 OWASP (Open Web Application Security Project) vulnerabilities.

SOFTWARE

LECTURE NOTES

LITERATURE