
SIT382 System Security

Assignment 2
Trimester 2/2016

Objectives:

- To apply skills and knowledge acquired throughout the semester in exploiting
web application security loopholes and the techniques to fix such loopholes.
- To demonstrate ability to use WebGoat and other attack tools (available in
BackTrack) to test security exploits on web applications and victim OS.
- To gain experience in understanding a given set of specifications (this
document).
- To gain experience in documenting every application exploit that was tested.

Due Date: 5pm, Friday, September 30, 2016.

Delays caused by computer downtime cannot be accepted as a valid reason for late
submission without penalty. Students must plan their work to allow for both scheduled
and unscheduled downtime.

Submission Details:
You must submit an electronic copy of your assignment solution either in Portable
Document Format (.pdf) or Microsoft Word (.doc/.docx) via CloudDeakin. You can
also submit your work as a compressed archive (.zip/.zipx/.rar).

It is the student's responsibility to ensure that they understand the submission
instructions. If you have ANY difficulties, ask the Tutor for assistance (prior to
the submission date).

Copying and Plagiarism:

This is an individual assignment. You are not permitted to work as part of a
group when writing this assignment.

Plagiarism is the use of other people's words, ideas, research findings or information
without acknowledgement, that is, without indicating the source. Plagiarism is
regarded as a very serious offence in Western academic institutions and Deakin
University has procedures and penalties to deal with instances of plagiarism.

In order not to plagiarise, all material from all sources must be correctly referenced. It
is necessary to reference direct quotes, paraphrases and summaries of sources,
statistics, diagrams, images, experiment results and laboratory data: anything taken
from sources.

When plagiarism is detected, penalties are strictly imposed. The University's policy
on plagiarism can be viewed online at
http://www.deakin.edu.au/students/study-support/referencing/plagiarism.

Page 1 of 5
Problem Statement

You are required to perform security exploits specified in this document using the
WebGoat J2EE web application package as well as BackTrack GNU/Linux
distribution. You can download WebGoat and any appropriate tools from the SIT382
CloudDeakin course website to complete this assignment. You can use
BackTrack in Deakin Cloud or Kali. You can also use other non-commercial (free
and open-source) tools (e.g. Wireshark) to help you complete this assignment.
You are not to use any commercial security-related or hacking products for this
assignment.

There are two parts to this assignment. Part A will require you to use more than one
exploit to attack a web application and different techniques to defend against such
attacks, while part B is to test your understanding of a particular exploit and how to
counter that exploit.

You are required to answer the questions by implementing the solutions. These
implementations need to be documented in detail. The document must have step-by-step
details on what you did to solve the question, including any script code used to
answer the requirements. You are also required to provide images (screen dumps) to
show the key steps leading to your solution. These images can be taken using
print-screen or any other screen capture method. These images must be embedded in the
document with appropriate labelling and descriptions.

The document format is flexible, but it must be neatly organised. You should clearly
indicate what part and question you are attempting to complete. You should also
clearly indicate the stage your solution is used for.

This document will be graded for your assignment marks. This assignment will be
30% of your final mark. You are required to submit this document using
CloudDeakin in either MS Word format (.doc and .docx) or Portable Document
Format (.pdf) or compression formats (.zip, .rar, etc.). These files must not be
password protected.

NOTE: Failure to meet any of these requirements will result in loss of marks.
Omission of script codes or images showing the key steps leading to the
completion of the given tasks will result in severe loss of marks.

Part A (50%)

Part A provides 50% of the assignment marks. This question is compulsory. You are
required to complete the WebGoat Challenge question. The tasks to be completed are
provided in WebGoat. You need to click on the Challenge menu item and complete
the THREE (3) stages in this challenge. This part of the assignment requires you to
know different application penetration testing techniques to complete successfully. It
is highly recommended that you reinstall WebGoat before you begin to test the
challenge.

An important note to remember is that you are attacking the WebGoat web server
from a client (web browser). This means that the attacker does not have any write
access to the server, thus you will not be able to modify the java source files to
complete the Challenge questions. Any modification of the WebGoat source code to
complete the Challenge questions will result in loss of marks.

In part A, you are required to include the following:

- A description of the scenario in each stage, compared with real-world cases.
- A theoretical description of the possible methods of attack. List the methods
you could use to test the problem posed by the question of each stage.
- A brief explanation of the method used (a couple of paragraphs), followed by
details of how you used that method to test the problem, and the results of the
methods you actually tested against the problem posed by the question of each
stage (analyse both successful and unsuccessful methods).
- Any script code and images (screen dumps) showing the successful
completion of the tasks in this part of the assignment.

Part B (50%)

Part B provides 50% of the assignment marks. This question is compulsory. You
need to select and choose ONE (1) of the many tools available in BackTrack,
including tools which we have not covered but you may find interesting. For example,
we only cover a few tools in the SET framework, but you may experiment with those
even further. There is a variety of support documents available online, and a detailed
Wiki about BackTrack.

Once you have chosen a tool, you will provide a complete run-through of the activity,
including screenshots of how the attack was run, and an evaluation of the data collected
from the victim machine, such as traffic data captured with Wireshark.

In part B, you are required to include the following:

- A theoretical description of the attack. If, for example, you decide to run a spear
phishing attack, you will need to provide around 300-500 words describing the
attack in detail.
- A complete, beginning-to-end, tutorial-like presentation of the attack, without
omitting any variables and including screenshots; this could look like a manual or
a journal.
- An evaluation of the data collected from Wireshark. In any given case you
will be able to find some pattern, such as a redirection or uncommon data between
clients in social network attacks, or the effect of a spoofing mechanism; you
should describe, in fairly simple terms, what has happened.
- A short evaluation and considerations of the attack. This can and should
also include defence mechanisms which can be used to defend against such an
attack. Please note that this should be done thoroughly: present various
mechanisms and describe which you consider to be better and why. For
example, for a DoS attack where the attacker has spoofed the IP address, there
are a number of mechanisms to trace back the attacker, and you should include
most of them.

Additional Requirements and Notes

1. The Faculty electronic plagiarism declaration must be included in a separate file
(see plagiarism information on CloudDeakin).
2. Your report must contain the following information.
o Your name and student ID number
o Which assignment question you attempted.
o A detailed explanation on how you arrive at the solution, including
embedded images and any scripting code to show the completeness of
your solution.
3. Any text or code adapted from any source must be clearly labelled and referenced.
You should clearly indicate the start and end of any such text/code.
4. All assignments must be submitted through CloudDeakin. Assignments will not
be accepted through any other manner without prior approval. Students should
note that this means that email and paper based submissions will ordinarily be
rejected.
5. Submissions received after the due date are penalised at a rate of 10% (out of the
full mark) per day, no exceptions. Late submission after 3 days would be
penalised at a rate of 100% out of the full mark. Close of submissions on the due
date and each day thereafter for penalties will occur at 05:00 pm Australian
Eastern Time (UTC +10 hours). Students outside of Victoria should note that
the normal time zone in Victoria is UTC+10 hours.
6. No extension will be granted.
7. Assignments are normally marked and returned within two weeks of the due date.
Assignments that are submitted after the due date will normally take longer to
mark and return.

Marking Scheme

Student:
ID:

Part A: 50%
a. Adequate description of problem: 6%
b. Description of technique used to solve question: 12%
c. At least 6 relevant screen shots of steps taken to solve the problem: 6%
d. Appropriate usage of scripting language in the correct place: 8%
e. Successful completion of Stage 1: 5%
f. Successful completion of Stage 2: 5%
g. Successful completion of Stage 3: 8%
Comment:
Part B: 50%
a. Adequate description of problem: 6%
b. Description of technique used to attack victim: 12%
c. At least 6 relevant screen shots of steps taken to attack victim: 6%
d. Successful completion of the attack: 8%
e. Evaluation of the collected data: 8%
f. Evaluation and considerations of defence mechanisms: 10%
Comment:
Total (of 100%)
