Advanced Topics in Digital Security

Objectives

- To apply skills and knowledge acquired throughout the trimester in exploiting web application security loopholes and the techniques to fix such loopholes.
- To demonstrate ability to use WebGoat to test security exploits on web applications and servers.
- To gain experience in documenting every application exploit that was tested.

Problem Statement

You are required to perform security exploits on web applications and websites. To complete this assignment, you need to select and choose FOUR of the security topics of web application security lessons specified in the WebGoat J2EE web application package, including topics and tools that we have not covered but you may find interesting. You may choose to use WebGoat and any appropriate tools from the SIT704 CloudDeakin course website to complete this assignment. You can also use other non-commercial (free and open-source) tools (e.g. WebScarab, Wireshark, w3af, metasploit) to help you complete this assignment. You are not allowed to use any commercial security-related or automated hacking products such as IBM Security AppScan for this assignment. To demonstrate your achievement of these goals, you must write a 2,000 word report.

Your report should consist of the following chapters:

1. A proper title which matches the contents of your report.

2. Your name and Deakin student number in the author line.

3. An executive summary which summarizes your findings.

(You may find hints on writing good executive summaries from http://unilearning.uow.edu.au/report/4bi1.html.)

4. An introduction chapter which lists the four vulnerabilities of your choice, the impact of these vulnerabilities, the brief summary of your findings, and the organization of the rest of your report.

5. A literature review chapter which surveys the latest academic papers regarding the four vulnera- bilities of your choice. With respect to each vulnerability, you are advised to identify and include at least two papers published by ACM and IEEE journals or conference proceedings. Your review must not simply be a summary of each paper, but rather a deep analysis of the body of work reported in the set of paper. Your aim in this part of the report is to demonstrate deep and thorough understanding of the existing body of knowledge encompassing multiple vulnerabilities of modern web applications. (Please read through the hints on this web page before writing this chapter http://www.uq.edu.au/student-services/learning/literature-review.)

6. A technical demonstration chapter which consists of fully explained screenshots when your tests were conducted. That is, you should explain the identification of your target web services or web applications, the information about the server(s), each step of the procedure of exploitation, and the results. You must prove that your tests are original.

7. A conclusions chapter which summarizes major findings of the study and indicates future work which should be conducted in the area.

8. A bibliography list of all cited papers and other resources. You must use in-text citations in Harvard style and each citation must correspond to a bibliography entry. There must be no bibliography entries that are not cited in the report. (You should know the contents from this page http://www.deakin.edu.au/students/study-support/referencing/harvard.)