T. Andrew Yang
Email: yang@uhcl.edu
Web page: http://cse.uhcl.edu/yang
Tel.: (281) 283-3835

Last updated: 4/8: Lab 3 updated
3/30: Labs 2 and 3 published
2/11: lab 1 published
2/5/2020: updated hands-on labs information
1/22/2020: first published
CSCI 5234 Web Security

Note: Total points: 100

1. (5 pts) Visit the class discussion group (see the syllabus page). Throughout this class, you are responsible for regularly visiting the discussion group to find recent announcements, reminders, and discussions. Send a brief message to the discussion group to introduce yourself (including your full name as the subject line) and one item you most desire to learn in this class.

2. A refresher of Java security: Study the source code of SignatureAuthenticationClient.java and SignatureAuthenticationServer.java, both of which are available at http://sce.uhcl.edu/yang/teaching/proJavaSecurityCode.html.

1) (15 pts) Run the programs and hand in appropriate screen snapshots to show the execution results. Add a statement to the beginning of the programs such that the first output line shows your full name. Attach the screen output as part of this assignment.

2) (10 pts) When receiving a digital signature from the client, how does the authentication server verify the client's signature? That is, how would the server know that the signature is really the client's?

3. Study the textbooks and/or applicable web sites to find answers to the following questions. Online glossaries such as those listed on the syllabus page may also be used. Note: You are required to clearly identify the source(s) of your information.

1) (5 pts) What is a 'man-in-the-middle attack'?
2) (5 pts) What is a 'replay attack'?
3) (5 pts) Is a replay attack a type of man-in-the-middle attack? Justify your answer.
4) (5 pts) What is 'pagejacking'?
5) (5 pts) What is a 'session hijacking attack'?
6) (5 pts) What is 'web access management'?
7) (5 pts) What is 'end-to-end security'?
8) (5 pts) Explain what 'input sanitization' is and why it is critical for secure web operations.
9) (5 pts) What is 'out-of-band communication'?
10) (5 pts) What is 'two-factor authentication'? Why is using more than one factor important in authenticating a user?
11) (5 pts) What is a 'server certificate'?
12) (5 pts) How is a 'server certificate' used in providing authentication in a Web-based application?
13) (5 pts) What is a 'payment gateway'?
14) (5 pts) In a networked computer system, there exist two general forms of authentication service: data origin authentication service and peer entity authentication service. Explain what they are and their relationships (common features vs. differences).

Note: This is an individual project. The goal of this project is for you to visit refereed publications (as well as some relevant web sites) to perform a detailed investigation of a chosen research topic. The topic you choose should be aligned with your chosen team project topic: investigate related literature and resources about that topic. If you need suggestions when choosing the topic, feel free to discuss them with the instructor.

Each person should create and maintain a distinct discussion thread in the discussion group by responding to the instructor's post named 'Research projects should be posted here'. Progress of your project should be updated weekly in that thread. How well you maintain your discussion thread is part of the grading. A benefit of this approach is that both the instructor and your classmates will be able to view your progress and, if applicable, share their thoughts and comments.
Items to be submitted:

A preliminary abstract of your presentation topic is due early in the semester. Check the syllabus for the due date. Each student should publish his/her abstract on the class discussion board by the due date. The abstract should be 1-2 pages long and contain the following sections:

(1) Class name (i.e., CSCI5234 Web Security)
(2) Your name and an email address that you check regularly (that is, at least once a day)
(3) Topic of your investigation
(4) General description of the topic
(5) Why is the topic related to web security?
(6) Survey of related work: Discuss at least three articles related to your chosen topic. VERY Important: Make sure you properly cite the work of other researchers or professionals. Visit http://sce.uhcl.edu/yang/citing.htm for more information about cited references. Warning: Missing or improperly cited references in your abstract and final report will result in a poor score for your research project.
(7) A tentative outline (agenda) of your final report. That is, the sections/subsections that you plan to include in the final paper.

1. The written report should include your findings about the chosen topic.
2. A draft of the final report should be published in the class discussion group to solicit comments from your classmates and the instructor. Warning: Missing or improperly cited references in your abstract and final report will result in a poor score for this assignment.
3. The following is a suggested outline of your final report:
   i. Title
   ii. Your name (and email address)
   iii. An abstract (50-100 words)
   iv. Introduction to the topic
   v. Significance of the chosen topic with respect to the security of web-based applications
   vi. Survey of related work
   vii. Implemented demonstrations, if applicable
   viii. Your findings
   ix. Future work: research ideas and projects possibly related to the topic
   x. Conclusion
   xi. Appendix (if any)

Note about hands-on labs:

Note: The lab may be completed by an individual person or by a team of two persons. A team may consist of no more than two persons.
- You are welcome to use your own laptops to implement the hands-on labs (by setting up virtual boxes and virtual hosts on them).
- For those who prefer to use university computers, some of the computers in the D201 lab are reserved for this class.
- To get access to the D201 lab, contact the Computer Science secretary to set up access privileges.

Preparation for the hands-on labs: Go over the following documents before starting your hands-on labs.

Lab 1 Cross Site Request Forgery (CSRF)

Total: 100 points

Complete the CSRF lab from the SEED project.
Description of the lab, additional information, and other resources about the lab can be found on the SEED project website; see https://seedsecuritylabs.org/Labs_16.04/Web/.

NOTE: For this lab, follow the instructions as given in the Description page at https://seedsecuritylabs.org/Labs_16.04/Web/Web_CSRF_Elgg/. A local copy of the Description can be found here. In addition, more information about the specific lab can be found in the textbook by Dr. Du. Check out these supplementary notes about implementing this lab.

Evaluation of the lab:
A. (60%) You will earn 15% for each of the tasks successfully implemented and demonstrated to the TA.
B. (40%) Hand in a detailed lab report describing what you have done and what you have observed. Provide details using Firefox's add-on tools, Wireshark, and/or screenshots. You also need to explain any observations that are interesting or surprising.

Lab 2 Cross-site Scripting (XSS)

Total: 100 points

Complete the XSS lab from the SEED project.

Description of the lab, additional information, and other resources about the lab can be found on the SEED project website; see https://seedsecuritylabs.org/Labs_16.04/Web/.

NOTE: For this lab, follow the instructions as given in the Description page at https://seedsecuritylabs.org/Labs_16.04/Web/Web_XSS_Elgg/. A local copy of the Description can be found here. In addition, more information about the specific lab can be found in the textbook by Dr. Du. Check out these supplementary notes about implementing this lab.

Evaluation of the lab:
C. (70%) You will earn 10% for each of the tasks successfully implemented and demonstrated to the TA.
D. (30%) Hand in a detailed lab report describing what you have done and what you have observed. Provide details using Firefox's add-on tools, Wireshark, and/or screenshots. You also need to explain any observations that are interesting or surprising.

Lab 3 SQL Injection

Total: 100 points

Complete the SQL Injection lab from the SEED project.

Description of the lab, additional information, and other resources about the lab can be found on the SEED project website; see https://seedsecuritylabs.org/Labs_16.04/Web/.

NOTE: For this lab, follow the instructions as given in the Description page at https://seedsecuritylabs.org/Labs_16.04/Web/Web_SQL_Injection/. A local copy of the Description can be found here. In addition, more information about the specific lab can be found in the textbook by Dr. Du. Check out these supplementary notes about implementing this lab.

Evaluation of the lab:
E. (80%) You will earn 10% for each of the tasks/sub-tasks successfully implemented and demonstrated to the TA.
F. (20%) Hand in a detailed lab report describing what you have done and what you have observed. Provide details using Firefox's add-on tools, Wireshark, and/or screenshots. You also need to explain any observations that are interesting or surprising.