Lab8-LAMPZap.pdf


LAMP ZAP Analysis and Mitigation

Overview

For this final lab you will use the tools and techniques used throughout the course to analyze, mitigate and document the results for two LAMP applications. The first application you will analyze is the e-Commerce application you wrote during week 7. For the second application you will use a prototype UMUC tutoring LAMP application, which you will need to install on your VM and then run the analysis, fix all vulnerabilities and document the results.

In both applications, you are expected to perform the scanning using ZAP, research the results, identify and fix software vulnerabilities, and professionally document your process and final results.

Learning Outcomes:

At the completion of the lab you should be able to:

1. Set up and run the UMUC tutor application on your VM
2. Conduct automated and manual analysis on two different LAMP applications
3. Identify, prioritize and repair software vulnerabilities found in the LAMP applications
4. Document the process and findings of your Web application security analysis

Lab Submission Requirements:

After completing this lab, you will submit a Word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, the modified LAMP applications, with their software vulnerabilities mitigated, and all associated files should be submitted.

Virtual Machine Account Information

Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are:

Username: umucsdev
Password: umuc$d8v
MySQL Username: sdev_owner
MySQL password: sdev300
MySQL database: sdev

Tutor Application user accounts:

Tutor1 username: tutor1
Tutor1 password: t123
Tutor2 username: tutor2
Tutor2 password: t234
Tutor3 username: tutor3
Tutor3 password: t345

Part 1 – Set up and Run the UMUC tutor application on your VM

In this exercise you will create and populate the database tables for the LAMP application and install the PHP and associated files on your VM. The application is fully functional (but definitely not safe). You need to perform a few steps to make sure it is working properly on your VM.

1. From the Week 8 code examples, download the UMUCTutorLamp.zip file.
2. Move the file to your VM and unzip it using the right mouse click "extract to here" option. Note: a folder named week8 will be provided that has two subfolders.
3. Create a folder named week8 in your /var/www/html folder that will store the Tutor application. Linux file names are case-sensitive, so use the lower-case name week8 consistently; the URL in step 9 depends on it.
4. Copy the contents of the Tutor folder to the /var/www/html/week8 location. Note: copy just the folders and files inside the Tutor folder, not the Tutor folder itself.
5. From the location where you unzipped your UMUCTutorLamp.zip file, open the SQL folder. Open the createTables.sql file.
6. Launch MySQL and use the sdev database. Important: make sure you use the sdev database so the tables are created in the correct area.
7. Carefully copy and paste the SQL lines into the mysql prompt. You can do this in batches. Look for any errors as you are running the scripts.
8. Verify your tables are correctly created and populated by querying the tables and confirming that data exists in the tables where you inserted data.
9. Open your browser and launch the tutor app (localhost/week8/).
10. Click on "Create a new CSTutor account" to create a student account. Click Submit after you have entered your test account data.
11. Log in using the account information you just created and request two or three tutoring sessions using the form.
12. Log in as one of the tutors to see which students have sessions (use localhost/week8/tlogin.html). Note: tutor1 tutors CMIS102, tutor2 tutors CMIS141/242 and tutor3 tutors CMIS320. Be sure to log in as the tutor corresponding to the tutor sessions you created.
13. Click on "Show all my Sessions" to view all of the available sessions for this tutor.
14. Continue to experiment with the Tutor app to learn most of its functionality.

Lab submission details:

As part of the submission for this Lab, you will run manual and automatic attacks on your week7 lab submission and on the UMUC Tutor app on your VM.

Be sure to work on each application separately and document the issues you found and the process you used to fix the applications. You can provide the findings in one well-organized document. You should work to eliminate all alerts in both applications and clearly document specifically what you did to mitigate each issue.

Create screen captures demonstrating your process and results. Each screen capture should be fully described. The document should be well-organized and include a table of contents, page numbers, figures, and table numbers. The writing style should be paragraph style, with bullets used very sparingly to emphasize specific findings. In other words, this should be a professional report and demonstrate mastery of writing.

Be sure your process includes both manual and automatic scanning. When researching your security alerts, be sure to document your references using APA style. You should show both before and after fix vulnerability reports. Your final vulnerability report should show zero alerts and vulnerabilities.

For your deliverables, you should submit a zip file containing your Word document (or PDF file) along with the before and after application files (including sql and parameter files). If you made changes to your VM environment (e.g. security.conf, apache2.conf, php.ini) you should provide those files also. Include your full name, class number and section, and date in the document.
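To back the before-and-after comparison the report asks for with numbers rather than screenshots alone, here is an added example (not part of the lab materials or of the ZAP project) that summarizes a ZAP JSON report by risk level, checks for the zero-alert target state, and lists which alerts a fix resolved. It assumes the layout of ZAP's traditional JSON report (a "site" list, each with an "alerts" array whose entries carry "alert", "riskcode" 0-3 and "instances"); the two sample reports are constructed, not real scan output.

```python
import json
from collections import Counter

# ZAP's traditional JSON report uses riskcode 0-3 for each alert.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def load_alerts(report_json):
    """Return (alert name, risk level, instance count) for every alert in a ZAP JSON report."""
    data = json.loads(report_json)
    alerts = []
    for site in data.get("site", []):
        for a in site.get("alerts", []):
            risk = RISK_NAMES.get(str(a.get("riskcode", "0")), "Unknown")
            alerts.append((a["alert"], risk, len(a.get("instances", []))))
    return alerts


def summarize(report_json):
    """Alert counts per risk level: the figures to quote in the before and after reports."""
    counts = Counter(risk for _, risk, _ in load_alerts(report_json))
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}


def is_clean(report_json):
    """True only when the scan raised no alerts at all, which is the lab's target state."""
    return not load_alerts(report_json)


def compare(before_json, after_json):
    """Alert names resolved by your fixes, and those still present after the re-scan."""
    before = {name for name, _, _ in load_alerts(before_json)}
    after = {name for name, _, _ in load_alerts(after_json)}
    return sorted(before - after), sorted(after)


# Constructed sample reports in the ZAP JSON layout (not real scan output).
BEFORE = json.dumps({"site": [{"@name": "http://localhost/week8", "alerts": [
    {"alert": "X-Frame-Options Header Not Set", "riskcode": "2",
     "instances": [{"uri": "http://localhost/week8/"},
                   {"uri": "http://localhost/week8/tlogin.html"}]},
    {"alert": "Absence of Anti-CSRF Tokens", "riskcode": "2",
     "instances": [{"uri": "http://localhost/week8/tlogin.html"}]},
    {"alert": "Cookie Without HttpOnly Flag", "riskcode": "1",
     "instances": [{"uri": "http://localhost/week8/"}]},
]}]})
AFTER = json.dumps({"site": [{"@name": "http://localhost/week8", "alerts": []}]})

if __name__ == "__main__":
    print("before:", summarize(BEFORE))
    print("after:", summarize(AFTER), "clean:", is_clean(AFTER))
    resolved, remaining = compare(BEFORE, AFTER)
    print("resolved:", resolved, "remaining:", remaining)
```

Point the two constants at the JSON reports you export from ZAP before and after your fixes; the "remaining" list is what still needs mitigation before the final report.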

Grading Rubric:

ZAP attacks

Meets (6 points):
Runs manual attacks on your week7 lab submission. (1 point)
Runs automatic attacks on your week7 lab submission. (1 point)
Runs manual attacks on the tutor app. (1 point)
Runs automatic attacks on the tutor app. (1 point)
Eliminates all alerts in both applications. (2 points)

Does not meet (0 points):
Does not run manual attacks on your week7 lab submission. Does not run automatic attacks on your week7 lab submission. Does not run manual attacks on the tutor app. Does not run automatic attacks on the tutor app. Does not eliminate all alerts in both applications.

Documentation and submission

Meets (4 points):
Submits a Word or PDF document that includes screen captures demonstrating your process and results. Screen captures are fully described. Clearly documents specifically what you did to mitigate each issue. (2 points)
Document is well-organized and includes a table of contents, page numbers, figures and table numbers. The writing style is paragraph style, with bullets used very sparingly to emphasize specific findings. References are documented using APA style. (1 point)
Includes all before and after application files in zip format (sql and parameter files, security.conf, apache2.conf, php.ini). (1 point)

Does not meet (0 points):
Does not submit a Word or PDF document that includes screen captures demonstrating your process and results. Screen captures are not fully described. Does not clearly document specifically what you did to mitigate each issue.
Document is not well-organized or does not include a table of contents, page numbers, figures or table numbers. The writing style is not paragraph style, with bullets used excessively. APA style references not used. Does not include all before and after application files in zip format (sql and parameter files, security.conf, apache2.conf, php.ini).