Web Application Security | My Assignment Tutor

Coursework Assignment Brief

Academic year and term: 2020/21 – Semester-1, Year 2
Module title: Web Application Security
Module code: QAC020N256S
Module Convener: Masum Billah

Learning outcomes assessed within this piece of work as agreed at the programme level meeting

On successful completion of this module students will be able to:
- Develop dynamic web pages for practical business purposes using server-side technologies.
- Critically evaluate and compare web server-side technologies and their deployment.
- Identify and test common security threats associated with PHP.
- Demonstrate implementation of usability and accessibility standards in designing of dynamic website.
- Design and test web database systems with clear justification of the design route taken.

Type of assessment: Design and develop Source Code, Evaluation report

Assessment deadline: Both Design and Develop Source Code and Evaluation report should be submitted via Turnitin. Part A submission on 12/04/2021 (no later than 2pm). Part B submission on 05/05/2021 (no later than 2pm).

Specific submission requirements: MS Word document format

Kind reminder: it is the student's full responsibility to ensure that all assignments are submitted on the correct link and on time (before 2pm). Failure to do so may result in CAPPED Resit and/or failure of the module.

Assignment Tasks

Expectations: This assignment comprises two components: Part A is the design and development of a database driven website for an estate company (worth 60% of the total marks of the Module), and Part B is an evaluation report of 1500 words consisting of reflective commentary on Part A (worth 40% of the total marks of the Module). Both components are one piece of work and will assess all the module learning outcomes.

Rationale: Today, we entrust websites more and more with our personal information.
Although this makes our everyday lives more convenient, it also engenders more vulnerabilities as it increases the frequency of hacking attacks and security breaches. These attacks can range from serious, large scale attacks to simple ones. In light of those incidents and vulnerabilities, this assignment will encourage you to apply web application security concepts and identify web application vulnerabilities by analysing web application components such as PHP and MySQL. (Note: web links to most prominent web application security incidents and attacks will be posted on Moodle).

Assignment support: Although you will be guided throughout the module by your lecturer, you can get extra support for your assignment. Just make an appointment with the ACE team for any language, research and study skills issues and/or talk to or email the Computing ACE expert for any advice on how to approach your assignment. REMEMBER: they are not here to give you the answers!

Specific requirements for the assignment: Adobe Brackets or Sublime Text 2 and HTML, CSS, JavaScript on the client-side and PHP, MySQL, Mutillidae. Alternatively, you can use a complete server-side technology (e.g. XAMPP/LAMPP) which includes Apache web server, PHP and MySQL.

Scenario

Background: Today's young generation uses the Internet more than ever. They view the Internet as a positive impact on society and a robust and effective system of communication which plays a crucial role in our daily activities and development of identities. On the other hand, the Internet is also often used negatively. Many people as well as organisations are the targets of bullying via the Internet, resulting in profit loss and psychological trauma. Unable to understand and unaware of the tactics used, vulnerable individuals are prone to being targeted. As a result, the previously safe environment of the Internet is now becoming a source of confusion and anxiety.
This rapid development has increased cybersecurity breaches, with one in four businesses detecting a breach during their last few months of operations. The nature of these attacks means that many businesses may not know their IT systems have been breached and how to handle/avoid these attacks.

ProHunt is a real-estate company based in London. The company deals with renting, buying and selling houses, flats and shops in the area. They are committed to providing the highest levels of customer care. The company employs two directors, two receptionists, four office administrators, two consultants, and seven field workers. To be competitive and remain at the cutting edge, ProHunt intends to launch its business online, offering one stop estate services. This new website aims to offer their customers convenience, more control and speedy signup for their services to avoid manual administrative tasks and long queues at their office counters. Although the claim is to improve customer services, securing customer data and eliminating the security risks, it is obvious that it will also help the estate company save costs and remain financially robust.

Task A

Now "The ProHunt" has contacted SmartTech (Leading IT Company) to go through a security check for the website to project their presence and their service online. The client will also use the website as a contact tool with its customers. You have been assigned to carry out a security analysis of your client's website and the backend SQL database attached to the website, which contain possible security vulnerabilities. Your answer can make reasonable assumptions.

Deliverables

The web/application security testing must include the following components:

Note: Task A is worth 60% of the overall module. In order to understand the concepts of Web Application Security, one needs to experience its implications on a vulnerable Web App. The marking criteria are outlined below.
Setup Fully Functional Vulnerable Web Application:
- PHP
- MySQL
- Apache Server

Set up Mutillidae with all the above services enabled on XAMPP. Please provide a step-by-step walk through of your implementation, including setup of your backend SQL database, using screen shots and an appropriate description of each step.

Web Application Security Testing:

Nmap scanning: Perform port scanning of the web application target (Mutillidae) and elaborate each step, clearly mentioning the details of open ports and their relevance to identifying the running protocol.

Wireshark Sniffing: Perform data/traffic capture on the target web application (Mutillidae). Please provide a detailed analysis of the captured data (protocols identified at different TCP/IP layers).

SQL Injection using SQLMAP: Perform an SQL injection attack on Mutillidae using SQLMAP. Elaborate the findings of your attack and include the name of the detected database version, database names, database compromised data etc.

Web Application Security Model:
- Firewalls
- IDS/IPS
- Encryption

Elaborate the use of the above technologies to strengthen the security of web applications and discuss integration of these as an effective security mechanism.

Marking Criteria Task A

Description | Marks
Develop a plan to make a fully functional website. Provide step-by-step walk through of your implementation including setup of your backend SQL database using screen shots and appropriate description of each step. | 10
Set up a server side (PHP) vulnerable web/application connected to backend database (MySQL) for security testing in local environment either using XAMPP/WAMP or Virtual Box. Provide step-by-step configuration details of environment setup (XAMPP/WAMP, Virtual Box etc), web/application and back-end database. | 15
Scanning: You must use a network scanner like Nmap to perform a scan on target web/application and include your findings, open ports, applications, operating systems, etc. | 15
Sniffing: You must demonstrate the use of Wireshark sniffer to perform capture of web application session data. This will require capturing session data between your browser and website/server, either remote or local. | 20
Use SQLMAP to identify and exploit the SQL injection vulnerabilities based on the findings from the above steps. You must elaborate the steps of the SQL Injection vulnerability exploited. | 25
Design and implement an appropriate web security model for the given scenario by provisioning and utilising appropriate web security standards/technology. | 15
Total | 100

Part B: Reflection and Evaluation Report

Tasks: Your second task is to write a self-reflective commentary about your journey from looking at website design, development, testing to deployment of techniques. Having created your website project, you should now write a self-reflective commentary (1500 words) critically reflecting on your project. Your commentary should critically explore the work you have done to produce your project using relevant literature. Task B is worth 40% of the overall module.

Deliverables

Your commentary should show evidence of your reading and research and use Harvard referencing. Your reflection is a chance to look back on what you have done and to revisit key design and technical decisions you have made. In other words, were they the right decisions or would you have done something differently? Your focus should primarily be on the critical aspect of what you have done in assignment 1. Produce a 1500-word reflective report on your project and submit it via Turnitin.

Word count

Don't exceed the word count. You need to state the word count at the end of your assignment. 10% over the stated word count is permitted without penalty. If students go beyond this, then there is a penalty of 5 marks for every additional 10% beyond the word count with a maximum of a 15 mark penalty reduction.
There is no specific penalty for submitting a piece which is below the word count, but please note that shorter submissions are likely to attract poorer grades, particularly where they lack the necessary depth of analysis.

How do you calculate the word count? The word count includes the Abstract or Executive Summary and all in-text citations. The word count does not include the Bibliography and Appendices. Please note that Appendices should only include supplementary information, not information critical to your work.

Marking Criteria Task B

Description | Marks
Report Structure, Introduction, Critical appraisal and Conclusion/action plan | 20
Critical evaluation and comparison of web server-side technologies | 25
Critically appraise web application security threats and evaluate their impact on business operations. | 25
Future enhancements with the benefit of your experience on the project. What else could you have done to evaluate/identify web application vulnerabilities? Critical discussion on web application security tools used during the security testing. | 25
Referencing and references | 5
Total | 100

Assignment Preparation Guidelines

- All components of the assignment (text, diagrams, code etc.) must be submitted in one Word file (hand-written text or hand drawn diagrams are not acceptable); any other accompanied materials such as simulation file, code, etc. should be attached in appendices.
- All coursework related material must be attached as an appendix in the final coursework/assignment document, including any computer generated document, software/code, simulation file etc.
- Standard and commonly used fonts such as Arial or Calibri should be used; font size must be within the range of 10 to 15 points including the headings, body text and any texts within diagrams.
- Spacing should not be less than 1.5.
- Pay attention to the Assessment criteria / Marking scheme; the work is to be concise and technical. Try to analyse, compare and evaluate rather than simply describe.
- All figures, screenshots, graphs and tables must be numbered and labelled.
- For written assignments, you need to state the word count at the end of the assignment. 10% over the stated word count is permitted without penalty. If you go beyond this, then there is a penalty of 5 marks for every additional 10% beyond the word count. The word count includes the Abstract or Executive Summary and all in-text citations. The word count excludes the Reference list and Appendices. Please note that Appendices should only include supplementary information not provided in the main text. There is no specific penalty for submitting a piece which is below the word count; however, please note that shorter written submissions are likely to attract poorer grades, particularly where they lack the necessary depth of analysis.
- The assignment should be logically structured; the core of the report may start by defining the problem / requirements, followed by the proposed solution including a detailed discussion, analysis and evaluation, leading to implementation and testing stage, finally a conclusion and/or personal reflection on learning.
- Screenshots without description / discussion do not constitute understanding and may be assumed irrelevant.
- Please access your Turnitin Test Page via Dashboard or My modules to learn more about Turnitin and to make a test submission and to check your similarity score before uploading your final version.
- You will have the opportunity to submit as many times to your module pages as you want up until the deadline.
- Make sure to make a backup of your work to avoid distress for loss or damage of your original work; use multiple storage media (memory stick, cloud and personal computer).
Assignment support:

- Although you will be guided throughout the module by your lecturer, you can get extra support for your assignment. Just make an appointment with the ACE team for any language, research and study skills issues and/or talk to or email the Computing ACE expert for any advice on how to approach your assignment. REMEMBER: they are not here to give you the answers!
- Students will have access to formative feedback on each task set in workshops, thereby helping them to refine their approach to the summative tasks that have been set.
- However, please note that this feedback is limited to recommendations on improving your work. Lecturers will not confirm any grades or marks.
- The feedback can be one-to-one or in-group sessions.
- Finally, you will receive summative feedback within a month of your final submission. Please note that the summative feedback and the grades remain provisional until approval from the exam board.

Plagiarism and Collusion

Academic Integrity is a matter that is taken very seriously at the university and students should endeavour to apply it to all their assignments. In other words, plagiarism, collusion (working and copying from another student) and ghost writing will not be tolerated and will result in sanctions, e.g. capped resit, suspension and/or withdrawal. Correct referencing demonstrates your academic and professional skill. It also reflects your academic honesty and thus to some degree protects you from cases of plagiarism.

- You must write your assignment in your own words to demonstrate your understanding of the subject.
- Material from external sources must be properly referenced and cited within the text using the Harvard referencing system.
- You are required to follow the Roehampton Harvard referencing System. Please refer to Moodle for the latest version of the Roehampton Harvard referencing System or ask the library.
- An accompanying list of references (on a separate page and in alphabetical order) must also be provided as part of your work.
- Plagiarism: occurs when you present somebody else's work as your own, whether that work is an idea, graph, figure, illustration or pure text, be it available on the web, in textbooks, reports or otherwise.
- Wholesale use of text and diagrams from websites is considered plagiarism when not acknowledged.
- Plagiarism will be dealt with firmly and can lead to serious consequences and disciplinary procedures.
- Collusion: occurs when copying another student's report (text, figures, illustrations etc.) and submitting it as your own.

Submission and Late submission

- Students must ensure that their work is satisfactory and fit for purpose, both academically and free from any plagiarism.
- Students must use an appropriate coversheet, which must include the subject, assignment title, student ID and date-time.
- Tutors, lecturers and module convenors do not have the authority to extend the submission deadlines nor the exam time/date. In case of any mitigating circumstances, students should fill in the relevant mitigating circumstances form(s) available at Student Services.
- The marking of the assignment will be capped at 40 if the assignment is submitted within the first seven (7) days after the deadline; any submission later than 7 days will be ignored.
- The Submission File should be appropriate to the topic/title of the assignment and contain the Student ID (Student ID-Assignment title).
- All coursework related material must be attached as an appendix in the final coursework/assignment document, including any computer generated document, software/code, simulation file etc.
