Homework 3

The deadline for this homework assignment is Sunday, March 17 2013, at 11:59pm UTC.

Web application auditing

Your task in this homework is to identify vulnerabilities in a real-world web application and to write a report describing your findings. The application you will analyze is confichair, a conference management system.

Download the application's source code from here. Decrypt the archive file by running gpg -d confichair.tar.gpg > confichair.tar (the password will be communicated on the mailing list). Unpack the archive by running tar xvf confichair.tar. You will obtain two archives: confichair.tar.bz2 (a Ruby on Rails application) and securityapplet.tar.bz2 (a Java applet). Both the Ruby on Rails application and the Java applet are in scope for this security audit (that is, find any vulnerabilities in both of them!).

Important: please do not redistribute or publish the application.

Before the assignment deadline, you will have to submit through the School's submission system one file named report.pdf containing a report of your findings. There is no fixed format for the report, but you should follow these guidelines:

You are free to use any tool or technique that you may find useful for this assignment. As always, everything you submit must be your own work (or be appropriately referenced).