Find out where HTML injection is possible

Reference no: EM131239034

Web Application Development & Testing Assignment

Background

Most of our University websites are not easily viewable on smart devices with small screens (e.g. iOS and Android smartphones). As an example, access the Computer Science website from a smartphone and see how easy or difficult it is to read and navigate.

One of the good approaches to fix this is to have an architecture that (1) separates information content from the user-interface and to make available the information as a service (e.g., a web service), and (2) allows thin-client applications for smart devices that consume the information service and render the information in such a way that fits well within the interface paradigm of the device. This is an approach taken by a number of news media providers (such as BBC and New Zealand Herald) to provide a richer experience to the readers. The application constructed in (2) could be a native device application or it could be a responsive web application.

This assignment looks at the separation of data from the UI, and how such data can be consumed and used in the end-user application. It also looks at potential vulnerabilities that could arise from such architecture.

A number of data sources that supply key information content that is part of the Computer Science site have been identified. These enable separation of information content from the presentation.

A brief description of data sources is given below.

1. Get a detailed list of staff. The URL https://unidirectory.auckland.ac.nz/rest/search?orgFilter=COMSCI provides this list.

Photos of staff could be obtained from URLs of the form https://unidirectory.auckland.ac.nz/people/imageraw/{PersonID}/{Imageid}/small where the two IDs are available in the staff list. Address book entries for each staff member, in the form of a vCard, can be obtained from https://unidirectory.auckland.ac.nz/people/vcard/{PersonID}.

2. Get a feed of current news items. The URL https://www.cs.auckland.ac.nz/en/about/newsandevents/news/_jcr_content/par/newssearchlist.rss provides this feed.

3. Get a feed of current notices. The URL https://www.cs.auckland.ac.nz/en/about/newsandevents/notices/_jcr_content/par/noticesearchlist.rss provides this feed.

Firstly, study these data sources carefully. You can experiment with the sources using your browser and the inspection tools available with your browser (e.g., Web Inspector on Safari, Firebug on Firefox, or F12 on Chrome and Edge). You may also wish to use HTTP debugging tools such as Fiddler, W3Client (MacOS), and W3Client (Windows).

A Test Application

Firstly, attempt to build a simple test application consuming the staff list data source. We want you to observe the difficulties in doing this. Read the Wiki article https://en.wikipedia.org/wiki/Cross-origin_resource_sharing and how this article relates to the difficulties you may have faced.

Test Application - Take 2

You are now asked to experiment with the data sources provided at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/help. Attempt to build another test application consuming the staff list data source that is available at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/people. We want you to observe that consuming this source within the application does not pose any issue. Now see what makes this data source different from the one you tried earlier.
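The difference between the two data sources comes down to the check a browser performs before it lets page script read a cross-origin response. As an added example (not part of the assignment or of either service), the function below models that check for a simple GET; the page origin and the response headers are constructed, and which headers the real services send is for you to observe with your HTTP tool.

```javascript
// Added example, not from the assignment: models the browser's decision on
// whether page script may read a cross-origin response. Constructed inputs.

function corsAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  // Header names are case-insensitive; normalise them once.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    // No CORS header at all: the request still reaches the server, but the
    // browser withholds the body from the page. This is the failure the
    // first test application runs into.
    return { allowed: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (allowOrigin === '*') {
    // The wildcard is honoured only for requests sent without credentials.
    if (withCredentials) {
      return { allowed: false, reason: 'wildcard not permitted with credentials' };
    }
    return { allowed: true, reason: 'wildcard origin' };
  }
  if (allowOrigin !== pageOrigin) {
    return { allowed: false, reason: `origin ${pageOrigin} not allowed` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials not allowed for this origin' };
  }
  return { allowed: true, reason: 'origin matched' };
}

// Constructed responses: one with no CORS header, one with a wildcard.
const NO_CORS = { 'Content-Type': 'application/json' };
const WILDCARD_CORS = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*',
};

// Assumed origin of the page hosting the test application (constructed).
function demo() {
  const page = 'http://localhost:8000';
  return {
    first: corsAllowsRead(page, NO_CORS),
    second: corsAllowsRead(page, WILDCARD_CORS),
  };
}
```

Compare the reason strings with what the browser console reports for each source.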

Computer Science @ UoA

You are now ready to build the real application consuming the data offered at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/help. You may use the University logo available at https://redsox.tcs.auckland.ac.nz/ups/logo.svg as you deem fit.

The application should consist of the following logical sections:

Home

This section contains an introduction to the Department. You could borrow the brief introduction provided at the Department's current page. For example, "Welcome to New Zealand's leading computer science department. We pride ourselves on the excellence of our staff and our students."

Courses

This is a list of courses offered by the Department.

People

This is a list of staff at the Department. You would want to provide means of contacting them (such as email and telephone) as well as a means to save their details in an address book (the vCards come in handy here).

News

This is the current news feed.

Notices

This is the current notices feed.

Guest Book

This is where guests can enter comments.

The application should use a combination of HTML, CSS, and JavaScript. Where the application needs icons, please consider using an appropriate Unicode character that represents the icon. For example, please note that the "caution" sign used earlier in this page is a Unicode character.

Please note the following requirements.

1. You are not allowed to use any libraries or frameworks.

2. The application should contain a single HTML page (named index.html).

3. The application should work on any modern browser (such as Chrome, Safari and Edge).

4. The application should work on small screen devices. You can test this by making your browser window narrow.

This application, unlike the two test applications, is marked, and should be of a professional quality to attract full marks. You should pay attention to details.

Pen-Testing the Service

It is thought the back-end service has a number of vulnerabilities. You are now asked to penetration-test the service, and report your findings.

For this part, you will use local versions of the service and its associated data. To this end, please download copies of the service and the data first. You also need to change the Web.config file in the service to point to the local location where you have saved the data.

1. Service. Unzip the service and place it in a folder such as H:\335\A2\Svc.

2. Data. Unzip the data and place it in a folder such as H:\335\A2\Data.

3. Now open the Web.config file in the service folder, and find the line:

<add key="DataRoot" value="C:/WebRoot/CSUoAData/"/>

Change the value field to reflect where you saved the data. E.g., H:\335\A2\Data\CSUoAData\.

4. You can then run the service using the following command line:

"C:\Program Files\IIS Express\IISExpress.exe" /port:8188 /path:H:\335\A2\Svc

If you want to run IIS Express from a Windows PowerShell, you need to prefix the above command line with & so that PowerShell can execute the command (rather than treating the command as a string):

& "C:\Program Files\IIS Express\IISExpress.exe" /port:8188 /path:H:\335\A2\Svc

Test the service by pointing your browser to https://localhost:8188/UniProxService.svc/help. The browser is expected to show the API doc you saw at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/help.

If the data and the service are correctly set up, you should see a detailed list of staff when you point your browser to https://localhost:8188/UniProxService.svc/people. Note that the output shown in the browser may not be well-formatted, and in this case, you may wish to view the source to see the unformatted content.

You may find it helpful to use the UI you have already developed. This will require you to change the service URI base in your UI implementation to point to the local service. While you may use the UI for the initial testing, you must verify your observations using a standalone HTTP tool such as W3Client.

Please answer the questions below. Where the questions require you to write an HTTP request, please provide a URL if the request is GET; if the request is POST, please provide the complete request including all the necessary HTTP headers.

1. Find out where HTML injection is possible within the service APIs. Write down an HTTP request that inserts an arbitrary image into the UI you constructed.

2. Write down an HTTP request that leads to executing a user-supplied script.

3. Find out where SQL injection is possible within the service APIs. Write down an HTTP request that injects SQL.
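Whatever the service lets through, the UI decides whether injected markup becomes live DOM. As an added example (not part of the assignment, the UniProxService code, or any submitted UI), the guest-book renderer below is shown in the form that concatenates comments straight into innerHTML markup and in the form that escapes every untrusted field first; the entries are constructed.

```javascript
// Added example, not from the assignment: rendering guest-book comments.
// The entries are constructed; the second carries the kind of markup that
// questions 1 and 2 concern.

function escapeHtml(text) {
  // Neutralise the characters that change meaning in HTML text or in a
  // quoted attribute value.
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: fields are concatenated into markup destined for
// innerHTML, so any tag in a comment becomes a real element (an image loads,
// a script element is created).
function renderGuestBookUnsafe(entries) {
  return entries
    .map(e => `<li><b>${e.name}</b>: ${e.comment}</li>`)
    .join('');
}

// Hardened pattern: the same data, escaped per field, so the comment is
// displayed literally and no element is created from it. Assigning
// textContent instead of innerHTML achieves the same when no markup is needed.
function renderGuestBookSafe(entries) {
  return entries
    .map(e => `<li><b>${escapeHtml(e.name)}</b>: ${escapeHtml(e.comment)}</li>`)
    .join('');
}

// Check used in the test below: does the markup open any element other than
// the li/b wrappers the renderer itself emits?
function containsForeignTag(html) {
  return /<(?!\/?(li|b)>)[a-z!\/]/i.test(html);
}

const ENTRIES = [
  { name: 'Alice', comment: 'Great department!' },
  { name: 'Mallory',
    comment: '<img src="https://example.invalid/x.png"> <script>console.log("injected")</script>' },
];
```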

Assignment -

https://www.cs.auckland.ac.nz/courses/compsci335s2c/assignments/mano/.
