
COMP3911 Secure Computing

Coursework 2

This assignment concerns vulnerabilities in a software application, and how they can be fixed.  You should be able to do the work on any machine that has the Java Development Kit installed.

This assignment is to be done in groups of three. If you cannot form a group, let me know as soon as possible by sending an email to [email protected].  Every member of the group will normally receive the same mark for the assignment; the module leader may, at their discretion, award different marks to individual members in certain circumstances.

This assignment is worth 15% of your overall grade.

Scenario

You are provided with the source code of a Java application in patients.zip.  This is a crude attempt by an inexperienced developer to implement part of a patient records system.  The idea is that GPs in a surgery can login to the application and search for details of patients that they are currently treating.

The application uses Jetty as a built-in web server.  Request processing is done by a Java Servlet.  Data storage is provided by an SQLite 3 database, and queries of the database are done using JDBC.  HTML pages are generated using the Freemarker template engine.

Tasks

Analysis of Security Flaws

1.  Examine the database used by the application.  Amongst other things, this will give you the login credentials and patient details that you need to test the application.

You can do this on the command line using the sqlite3 tool:  the  .schema command will tell you the structure of the database and you can issue SQL queries at the command prompt to examine its contents. You can exit the tool with .quit.

If you prefer a tool with a GUI, there are many available—e.g., DB Browser.

2.  Compile and run the application from the command line using

./gradlew run

(On Windows, omit the leading ./)

3.  Visit http://localhost:8080 in a web browser to interact with the application.  Use the information obtained in Step 1 to explore different paths through the application.

4.  Experiment with the web interface to identify any security issues. Make a note of precisely what the issues are and how you identified them. Collect evidence such as screenshots where appropriate.

5.  Study the source code of the application if necessary to gain further insight into the application’s security flaws.

6.  Create a report using a word processor or other document preparation tool of your choice. Give your report the title ‘COMP3911 Coursework 2’ and include the details of all authors (name, username and id).

Under a section heading ‘Analysis of Flaws’, write down a list of three flaws you have found. Be brief here; identify each of the three flaws with a single short sentence.

Then discuss each of the three flaws in more detail. For each flaw, create a suitable subsection heading, under which you should describe the nature of the flaw and how you discovered it, providing a suitable example or evidence (e.g., screenshot) in each case.

The entire ‘Analysis of Flaws’ section should be no more than two A4 pages in length, including figures used as evidence. The contents of this section are worth a total of 15 marks.
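As an added example for Step 1 above (this is not code from the supplied application, nor part of the coursework), the following script does in Python what the `.schema` command and ad-hoc `SELECT` queries do in the sqlite3 tool: it lists every user table with its `CREATE` statement and dumps the rows of a chosen table. The `make_sample_db()` function builds a small constructed database purely so the script runs stand-alone; its `user` and `patient` tables are assumptions and do not describe the real schema in patients.zip. Point `list_tables()` and `dump_table()` at the database file extracted from patients.zip to inspect the real one.

```python
"""Inspect an SQLite 3 database file: list tables with their schema and dump rows.

Added example for Step 1 of the coursework, not part of the supplied application.
The database created by make_sample_db() is constructed here for illustration only.
"""
import os
import sqlite3
import tempfile
from contextlib import closing


def list_tables(path):
    """Return [(table_name, create_sql)] for every user table, as `.schema` would show."""
    with closing(sqlite3.connect(path)) as conn:
        rows = conn.execute(
            "SELECT name, sql FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
    return [(name, sql) for name, sql in rows]


def dump_table(path, table, limit=50):
    """Return (column_names, rows) for one table, at most `limit` rows.

    Table names cannot be bound as SQL parameters, so the name is checked
    against the catalogue before being interpolated into the query; the row
    limit, which can be bound, is passed as a parameter.
    """
    known = {name for name, _ in list_tables(path)}
    if table not in known:
        raise ValueError(f"unknown table: {table!r}")
    with closing(sqlite3.connect(path)) as conn:
        cur = conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (limit,))
        cols = [d[0] for d in cur.description]
        rows = cur.fetchall()
    return cols, rows


def make_sample_db():
    """Create a small constructed database (NOT the coursework one) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    with closing(sqlite3.connect(path)) as conn:
        # Assumed schema for demonstration; the real patients database differs.
        conn.executescript(
            """
            CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT);
            INSERT INTO user VALUES ('gp1', 'secret');
            CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, gp TEXT);
            INSERT INTO patient VALUES (1, 'A. Patient', 'gp1');
            """
        )
    return path


if __name__ == "__main__":
    db = make_sample_db()
    try:
        for name, sql in list_tables(db):
            print(sql + ";")
            cols, rows = dump_table(db, name)
            print("  columns:", cols)
            for row in rows:
                print("  ", row)
    finally:
        os.remove(db)
```

Replace `make_sample_db()` with the path of the real database file when working on the coursework; note down anything you find in it (credentials, how they are stored, what patient data is present), since that is the evidence you will need for the ‘Analysis of Flaws’ section.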

Implementation of Security Fixes

1.  For each of the three flaws identified in the ‘Analysis of Flaws’ section of your report, modify the application (and, if necessary, the database) to fix the flaw.

2.  Test the application to make sure that it still works and that it is no longer vulnerable.

3.  Add a new section to your report, with the heading ‘Fixes Implemented’. Write a short (maximum of one A4 page) summary of the changes that you have made, explaining in each case how it has fixed the problem.

Your fixes and the written summary of them are together worth a total of 15 marks.

Deliverables

You need to submit (i) your report and (ii) your modified application.

The report should not exceed three A4 pages in length, excluding any cover sheet.  It must include the names of all contributors of the group.  It must have the section headings indicated previously.  It must be submitted as a PDF file:  do NOT submit a Word document or any other editable document format.  The PDF file must be named report.pdf and it must be put in the same directory as the build.gradle file.

Note: you will lose marks if you don’t satisfy all of these requirements!

When you have put report.pdf in the correct location, enter the following command:

./gradlew submission

This will create a Zip archive named cwk2.zip, containing everything that needs to be submitted.

Submission

Submit the file cwk2.zip, via the link provided for this purpose in Minerva.  Note:  The person submitting needs to also “tag” the other members of the group.

Submission Deadline

The deadline for submission is Wednesday 13th December 2023 at 1000.