Web Application Security | My Assignment Tutor

Coursework Assignment Brief

Academic year and term: 2020/21 – Semester-1, Year 2
Module title: Web Application Security
Module code: QAC020N256S
Module Convener: Masum Billah

Learning outcomes assessed within this piece of work as agreed at the programme level meeting:
On successful completion of this module students will be able to:
1. Develop dynamic web pages for practical business purposes using server-side technologies.
2. Critically evaluate and compare web server-side technologies and their deployment.
3. Identify and test common security threats associated with PHP.
4. Demonstrate implementation of usability and accessibility standards in designing of dynamic website.
5. Design and test web database systems with clear justification of the design route taken.

Type of assessment: Design and develop Source Code, Evaluation report

Assessment deadline: Both Design and Develop Source Code and Evaluation report should be submitted via Turnitin.
Part A submission on 12/04/2021 (no later than 2pm).
Part B submission on 05/05/2021 (no later than 2pm).

Specific submission requirements: MS Word document format

Kind reminder: it is the student’s full responsibility to ensure that all assignments are submitted on the correct link and on time (before 2pm). Failure to do so may result in CAPPED Resit and/or failure of the module.

Assignment Tasks

Expectations: This assignment comprises two components: Part A is the design and development of a database driven website for an estate company (worth 60% of the total marks of the Module), and Part B is an evaluation report of 1500 words consisting of reflective commentary on Part A (worth 40% of the total marks of the Module). Both components are one piece of work and will assess all the module learning outcomes.

Rationale: Today, we entrust websites more and more with our personal information. Although this makes our everyday lives more convenient, it also engenders more vulnerabilities as it increases the frequency of hacking attacks and security breaches. These attacks can range from serious, large scale attacks to simple ones. In light of those incidents and vulnerabilities, this assignment will encourage you to apply web application security concepts and identify web application vulnerabilities by analysing web application components such as PHP and MySQL.
(Note: web links to most prominent web application security incidents and attacks will be posted on Moodle).

Assignment support:
Although you will be guided throughout the module by your lecturer, you can get extra support for your assignment, just make an appointment with the ACE team for any language, research and study skills issues and/or talk, email the Computing ACE expert for any advice on how to approach your assignment. REMEMBER: they are not here to give you the answers!

Specific requirements for the assignment: Adobe Brackets or Sublime Text 2 and HTML, CSS, JavaScript on the client-side and PHP, MySQL, Mutillidae. Alternatively, you can use a complete server-side technology (e.g. Xampp/Lampp) which includes Apache web server, PHP and MySQL.

Scenario:
Background: The young generation of today is using the Internet more than ever. They view the Internet as a positive impact on society and a robust and effective system of communication which plays a crucial role in our daily activities and development of identities. On the other hand, the applications of the Internet are also often used negatively. Many people as well as organisations are the targets of bullying via the Internet resulting in profit loss and psychological trauma. Unable to understand and unaware of tactics used, vulnerable individuals are prone to being targeted. As a result, the previously safe environment of the Internet is now becoming a source of confusion and anxiety. This rapid development has increased cybersecurity breaches with one in four businesses detecting a breach during their last few months of operations. The nature of these attacks means that many businesses may not know their IT systems have been breached and how to handle/avoid these attacks.

ProHunt is a real-estate company based in London. The company deals with renting, buying and selling houses, flats and shops in the area. They are committed to providing the highest levels of customer care. The company employs two directors, two receptionists, four office administrators, two consultants, and seven field workers. To be competitive and remain at the cutting edge, The ProHunt intends to launch its business online offering one stop estate services. This new website aims to offer their customers convenience, more control and speedy signup for their services to avoid manual administrative tasks and long queues at their office counters. Although the claim is to improve customer services, securing customer data and eliminating the security risks, it is obvious that it will also help the estate company save costs and remain financially robust.

Task A

Now “The ProHunt” has contacted SmartTech (Leading IT Company) to go through a security check for the website to project their presence and their service online. The client will also use the website as a contact tool with its customers.
You have been assigned to carry out a security analysis of your client website and backend SQL database attached to a website containing possible security vulnerabilities. Your answer can make reasonable assumptions.

Deliverables
The web/application security testing must include the following components:
Note: Task A is worth 60% of the overall module.
In order to understand the concepts of Web Application Security, one needs to experience its implications on a vulnerable Web App. The marking criteria are outlined below.

Setup Fully Functional Vulnerable Web Application:
• PHP
• MySQL
• Apache Server
Set up Mutillidae with all the above services enabled on XAMPP. Please provide a step-by-step walk through of your implementation including setup of your backend SQL database using screen shots and appropriate description of each step.

Web Application Security Testing:
• Nmap scanning
Perform port scanning of web application target (Mutillidae) and elaborate each step clearly mentioning the details of open ports and its relevance to identify the running protocol.
• Wireshark Sniffing
Perform data/traffic capture on target web application (Mutillidae). Please provide the detailed analysis of captured data (Protocol identified at different TCP/IP layers).
• SQL Injection using SQLMAP
Perform SQL injection attack on Mutillidae using SQLMAP. Elaborate the findings of your attack and include the name of detected database version, database names, database compromised data etc.

Web Application Security Model:
• Firewalls
• IDS/IPS
• Encryption
Elaborate the use of the above technology to strengthen the security of web applications and discuss integration of these as an effective security mechanism.

Marking Criteria Task A

Description | Marks
Develop a plan to make a fully functional website. Provide step-by-step walk through of your implementation including setup of your backend SQL database using screen shots and appropriate description of each step. | 10
Set up a server side (PHP) vulnerable web/application connected to backend database (MySQL) for security testing in local environment either using XAMPP/WAMP or Virtual Box. Provide step-by-step configuration details of environment setup (XAMPP/WAMP, Virtual Box etc), web/application and back-end database. | 15
Scanning: You must use a network scanner like Nmap to perform a scan on target web/application and include your findings, open ports, applications, operating systems, etc. | 15
Sniffing: You must demonstrate the use of Wireshark sniffer to perform capture of web application session data. This will require capturing session data between your browser and website/server either remote or local. | 20
Use SQLMAP to identify and exploit the SQL injection vulnerabilities based on the findings from the above steps. You must elaborate the steps of SQL Injection vulnerability exploited. | 25
Design and implement an appropriate web security model for the given scenario by provisioning and utilising appropriate web security standards/technology. | 15
Total | 100

Part B: Reflection and Evaluation Report

Tasks:
Your second task is to write a self-reflective commentary about your journey from looking at website design, development, testing to deployment of techniques.
Having created your website project, you should now write a self-reflective commentary (1500 words) critically reflecting on your project. Your commentary should critically explore the work you have done to produce your project using relevant literature.
Task B is worth 40% of the overall module.

Deliverables
Your commentary should show evidence of your reading and research and use Harvard referencing. Your reflection is a chance to look back on what you have done and to revisit key design and technical decisions you have made. In other words, were they the right decisions or would you have done something differently? Your focus should primarily be on the critical aspect of what you have done in assignment 1.
Produce a 1500-word reflective report on your project and submit it via Turnitin.

Word count
Don’t exceed the word count
You need to state the word count at the end of your assignment.
10% over the stated word count is permitted without penalty.
If students go beyond this, then there is a penalty of 5 marks for every additional 10% beyond the word count with a maximum of a 15 mark penalty reduction.
There is no specific penalty for submitting a piece which is below the word count, but please note that shorter submissions are likely to attract poorer grades, particularly where they lack the necessary depth of analysis.

How do you calculate the word count?
The word count includes the Abstract or Executive Summary and all in-text citations. The word count does not include the Bibliography and Appendices.
Please note that Appendices should only include supplementary information, not information critical to your work.

Marking Criteria Task B

Description | Marks
Report Structure, Introduction, Critical appraisal and Conclusion/action plan | 20
Critical evaluation and comparison of web server-side technologies | 25
Critically appraise web application security threats and evaluate their impact on business operations. | 25
Future enhancements with the benefit of your experience on the project. What else could you have done to evaluate/identify web application vulnerabilities? Critical discussion on web application security tools used during the security testing. | 25
Referencing and references | 5
Total | 100

Assignment Preparation Guidelines
• All components of the assignment (text, diagrams, code etc.) must be submitted in one Word file (hand-written text or hand drawn diagrams are not acceptable), any other accompanied materials such as simulation file, code, etc. should be attached in appendices.
• All coursework related material must be attached as an appendix in the final coursework/assignment document, including any computer generated document, software/code, simulation file etc.
• Standard and commonly used fonts such as Arial or Calibri should be used, font size must be within the range of 10 to 15 points including the headings, body text and any texts within diagrams.
• Spacing should not be less than 1.5.
• Pay attention to the Assessment criteria / Marking scheme, the work is to be concise and technical. Try to analyse, compare and evaluate rather than simply describe.
• All figures, screenshots, graphs and tables must be numbered and labelled.
• For written assignments, you need to state the word count at the end of the assignment. 10% over the stated word count is permitted without penalty. If you go beyond this, then there is a penalty of 5 marks for every additional 10% beyond the word count. The word count includes the Abstract or Executive Summary and all in-text citations. The word count excludes the Reference list and Appendices. Please note that Appendices should only include supplementary information not provided in the main text. There is no specific penalty for submitting a piece which is below the word count, however, please note that shorter written submissions are likely to attract poorer grades, particularly where they lack the necessary depth of analysis.
• The assignment should be logically structured, the core of the report may start by defining the problem / requirements, followed by the proposed solution including a detailed discussion, analysis and evaluation, leading to implementation and testing stage, finally a conclusion and/or personal reflection on learning.
• Screenshots without description / discussion do not constitute understanding and may be assumed irrelevant.
• Please access your Turnitin Test Page via Dashboard or My modules to learn more about Turnitin and to make a test submission and to check your similarity score before uploading your final version.
• You will have opportunity to submit as many times to your module pages as you want up until the deadline.
• Make sure to make a backup of your work to avoid distress for loss or damage of your original work, use multiple storage media (memory stick, cloud and personal computer).

Assignment support:
• Although you will be guided throughout the module by your lecturer, you can get extra support for your assignment, just make an appointment with the ACE team for any language, research and study skills issues and/or talk, email the Computing ACE expert for any advice on how to approach your assignment. REMEMBER: they are not here to give you the answers!
• Students will have access to formative feedback on each task set in workshops, thereby helping them to refine their approach to the summative tasks that have been set.
• However, please note that this feedback is limited to recommendations on improving your work. Lecturers will not confirm any grades or marks.
• The feedback can be one-to-one or in-group sessions.
• Finally, you will receive summative feedback within a month of your final submission. Please note that the summative feedback and the grades remain provisional until approval from the exam board.

Plagiarism and Collusion
• Academic Integrity is a matter that is taken very seriously at the university and students should endeavour to enforce it in all their assignments. In other words, plagiarism, collusion (working and copying from another student) and ghost writing will not be tolerated and will result in sanctions, e.g. capped resit, suspension and/or withdrawal. Correct referencing demonstrates your academic and professional skill. It also reflects your academic honesty and thus to some degree protects you from cases of plagiarism.
• You must write your assignment in your own words to demonstrate your understanding of the subject.
• Material from external sources must be properly referenced and cited within the text using the Harvard referencing system.
• You are required to follow the Roehampton Harvard referencing System. Please refer to Moodle for the latest version of the Roehampton Harvard referencing System or ask the library.
• An accompanying list of references (on a separate page and in alphabetical order) must also be provided as part of your work.
• Plagiarism: occurs when you present somebody else’s work as your own, whether that work is an idea, graph, figure, illustration or pure text, be it available on the web, in textbooks, reports or otherwise.
• Wholesale use of text and diagrams from websites is considered as plagiarism when not acknowledged.
• Plagiarism will be dealt with firmly and can lead to serious consequences and disciplinary procedures.
• Collusion: occurs when copying another student’s report (Text, Figures, Illustration etc.) and submitting it as your own.

Submission and Late submission
• Students must ensure that their work is satisfactory and fit for purpose, both academically and free from any plagiarism.
• Students must use an appropriate coversheet, which must include the subject, assignment title, student ID and date-time.
• Tutors, lecturers and module convenors do not have the authority to extend the submission deadlines nor the exam time/date. In case of any mitigating circumstances, students should fill in the relevant mitigating circumstances form(s) available at —— Student Services —–
• The marking of the assignment will be capped at 40 if the assignment is submitted within the first seven (7) days after the deadline, any submission later than 7 days will be ignored.
• The Submission File should be appropriate to the topic/title of the assignment and contain the Student ID, (Student ID-Assignment title)
• All coursework related material must be attached as an appendix in the final coursework/assignment document, including any computer generated document, software/code, simulation file etc.
