work on webgoat, file attached
Assignment-2
SIT382 System Security
Assignment 2
Trimester 2/2018

Objectives:
- To apply skills and knowledge acquired throughout the semester in exploiting web application security loopholes and the techniques to fix such loopholes.
- To demonstrate the ability to use WebGoat and other attack tools (available in BackTrack or Kali, or other open-source tools) to test security exploits on web applications and the victim OS.
- To gain experience in understanding a given set of specifications (this document).
- To gain experience in documenting every application exploit that was tested.

Due Date: 5 pm, Friday, September 28, 2018. Delays caused by computer downtime cannot be accepted as a valid reason for late submission without penalty. Students must plan their work to allow for both scheduled and unscheduled downtime.

Submission Details: You must submit an electronic copy of your complete assignment solution in Microsoft Word (.doc/.docx) via CloudDeakin. You can also submit your work as a compressed file (.zip/.zipx/.rar). It is the student's responsibility to ensure that they understand the submission instructions. If you have ANY difficulties, ask the Tutor for assistance (prior to the submission date).

Copying and Plagiarism: This is an individual assignment. You are not permitted to work as part of a group when writing this assignment. Plagiarism is the use of other people's words, ideas, research findings or information without acknowledgement, that is, without indicating the source. Plagiarism is regarded as a very serious offence in Western academic institutions, and Deakin University has procedures and penalties to deal with instances of plagiarism. In order not to plagiarise, all material from all sources must be correctly referenced. It is necessary to reference direct quotes, paraphrases and summaries of sources, statistics, diagrams, images, experiment results and laboratory data – anything taken from sources.
The University's policy on plagiarism can be viewed online at http://www.deakin.edu.au/students/study-support/referencing/plagiaris

Introduction

In this assignment, you are expected to perform the security exploits specified in this document and design a strategic plan to improve the system's security status, using the WebGoat J2EE web application package as well as tools in the BackTrack/Kali GNU/Linux distribution. You can download WebGoat, BackTrack and any appropriate (free and open-source) tools (e.g. Wireshark) from the URL provided in the SIT382 CloudDeakin course or from the tool vendor's official website to complete this assignment. The only difference is that the official websites provide the latest released version, with new features and revisions, which may not be stable. It is your choice which version is suited to your computer's OS and hardware environment. There are no limitations on either Mac or Windows, etc.

NOTE: You are not to use any commercial security-related or hacking products for this assignment.

There are two parts to this assignment:
• Part A requires you to finish the "Challenge" in WebGoat, which tests your understanding of a particular exploit and how to counter that exploit.
• Part B requires you to do some simple research about the IDS concept. Since you will have completed Part A and know how to attack a website using a known vulnerability, you should research how an IDS can defend against the attacks in Part A, to build your future security knowledge.

In Part A, you are required to answer the questions by implementation. These implementations need to be documented in detail. The document must have step-by-step details on what you did to solve the question, including any script code used to answer the requirements. You are also required to provide images (screen dumps) showing the key steps leading to your solution.
These images can be taken using print-screen or any other screen capture method. These images must be embedded in the document with appropriate labelling and descriptions.

In Part B, you need to address some given research questions about the IDS.

In addition, the document must be neatly organised with proper headings and subheadings for the assessor's ease of marking. It is suggested that you clearly indicate which part and which question you are attempting to complete, and which stage your solution is used for. This overall document will be graded as your assignment mark. This assignment is worth 30% of your final mark. You are required to submit this document using CloudDeakin in either MS Word format (.doc and .docx), Portable Document Format (.pdf) or a compressed format (.zip, .rar, etc.). These files must not be password protected.

NOTE: Failure to meet any of these requirements will result in loss of marks. The omission of script code or images showing the key steps leading to the completion of the given tasks will result in severe loss of marks.

Part A (80%)

You are required to complete the WebGoat Challenge question. The tasks to be completed are provided in WebGoat. You need to click on the Challenge menu item and complete the THREE (3) stages in this challenge. This part of the assignment requires you to know different application penetration testing techniques to complete it successfully. An important note to remember is that you are attacking the WebGoat web server from a client (web browser). This means that the attacker does not have any write access to the server, so you will not be able to modify the Java source files to complete the Challenge questions. Any modification of the WebGoat source code to complete the Challenge questions will result in loss of marks.
Once you have finalised the Challenge, it is time for you to launch a new attack (different from the attack in the Challenge) against the WebGoat page or another local or networked system. Two options are provided for you to complete this section; you can take either one:

Option 1: If you choose to attack the WebGoat page, and WebScarab with the tampering process works on your computer, then this will suffice.

Option 2: Alternatively, if WebGoat does not work on your computer, you are given the option to attack another web system; however, you need to select ONE (1) of the many tools available in the open-source domain, including tools which we have not covered but which you may find interesting, for example Nmap (http://sectools.org/tag/port-scanners/). Once chosen, a detailed description should be attached, including the reason for selecting this tool, the applied scenario, and the supporting theory behind it. You will also provide a complete run-through of the activity by providing screenshots of how the attack was launched, as well as an evaluation of the data collected from the victim machine, such as the traffic packet data from Wireshark.

In Part A, you are required to include the following:
• A description of the scenarios in each stage, including a comparison and analysis against real-world cases.
• A theoretical description of the possible methods of launching attacks. You may list the possible methods that you could use to test the problems posed by the question of each stage.
• A brief explanation of the method used (a couple of paragraphs), followed by details on how you used that method to test the problem. What were the results of the methods with which you actually tested the problems posed by the question of each stage? (Analyse either successful or unsuccessful methods.)
• Any script code and images (screen dumps) showing the successful completion of the tasks in this part of the assignment.
For the new attack that you will launch:
• A theoretical description of the attack. For example, for a spear phishing attack, you will provide around 300-500 words describing the attack in detail.
• A complete, beginning-to-end, tutorial-like presentation of the attack, without omitting any variables, including screenshots; this could look like a manual or a journal.
• An evaluation of the data, if collected from Wireshark. In any given case you will be able to find some pattern, like a redirection or uncommon data between clients in social network attacks, or the effect of a spoofing mechanism; you should describe in a fairly simple way what has happened.
• A short evaluation and considerations of the attack. This can and should also include defence mechanisms which can be used to defend against such an attack. Please note that this should be done thoroughly, presenting various mechanisms and a description of which you consider to be better and why. For example, for a DoS attack where the attacker has spoofed the IP address, there are mechanisms to trace back the attacker; you should include most of them.

Part B (20%)

Part B provides 20% of the assignment marks. Since this is your third year of undergraduate education at Deakin University, it is highly recommended that you learn to conduct a certain level of research work and explore a topic for a project. This is valuable, as you can use the same approach when you do your final-year project next year. In Part B, we provide three simple research questions about the Intrusion Detection System (IDS); you need to do some investigation and answer the following questions:

1. Research Question 1 (3%): What is an IDS? (Use your own understanding after you have done some research; do not use direct quotation; no more than 300 words.)
2. Research Question 2 (7%): Describe the IDS development history based on a timeline. (No more than 300 words.)
3. Research Question 3 (10%): Briefly discuss how an IDS can defend against the attacks in Part A. What is the main difference between a firewall and an IDS? Focus on only one main difference (do not simply list out a number of differences); use two or three sentences to discuss the difference based on your understanding. (No more than 400 words.)

Note: All materials from sources must be properly referenced. It is necessary to paraphrase and summarize sources, statistics, diagrams, images, experiment results and laboratory data – anything taken from sources. When misconduct is detected,