Find out where html injection is possible within the


Web Application Development & Testing Assignment

Background

Most of our University websites are not easily viewable on smart devices with small screen (e.g. iOS, Android smartphones). As an example, access the Computer Science website from a smartphone, and see how easy or difficult it is to read and navigate.

One of the good approaches to fix this is to have an architecture that (1) separates information content from the user-interface and to make available the information as a service (e.g., a web service), and (2) allows thin-client applications for smart devices that consume the information service and render the information in such a way that fits well within the interface paradigm of the device. This is an approach taken by a number of news media providers (such as BBC and New Zealand Herald) to provide a richer experience to the readers. The application constructed in (2) could be a native device application or it could be a responsive web application.

This assignment looks at the separation of data from the UI, and how such data can be consumed and used in the end-user application. It also looks at potential vulnerabilities that could arise from such architecture.

A number of data sources that supply key information content that is part of the Computer Science site have been identified. These enable separation of information content from the presentation.

A brief description of data sources is given below.

1. Get a detailed list of staff. The URL https://unidirectory.auckland.ac.nz/rest/search?orgFilter=COMSCI provides this list.

Photos of staff could be obtained from URLs of the form https://unidirectory.auckland.ac.nz/people/imageraw/{PersonID}/{Imageid}/small where the two IDs are available in the staff list. Address book entries for each staff, in the form of a vCard , can be obtained from https://unidirectory.auckland.ac.nz/people/vcard/{PersonID} .

2. Get a feed of current news items. The URL https://www.cs.auckland.ac.nz/en/about/newsandevents/news/_jcr_content/par/newssearchlist.rss provides this feed.

3. Get a feed of current notices. The URL https://www.cs.auckland.ac.nz/en/about/newsandevents/notices/_jcr_content/par/noticesearchlist.rss provides this feed.

Firstly, study these data sources carefully. You can experiment with the sources using your browser and the inspection tools available with your browser (e.g., Web Inspector on Safari, Firebug on Firefox, or F12 on Chrome and Edge). You may also wish to use HTTP debugging tools such as Fiddler, W3Client (MacOS) , and W3Client (Windows).

A Test Application

Firstly, attempt to build a simple test application consuming the staff list data source. We want you to observe the difficulties in doing this. Read the Wiki article https://en.wikipedia.org/wiki/Cross-origin_resource_sharing and how this article relates to the difficulties you may have faced.

Test Application - Take 2

You are now asked to experiment with the data sources provided at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/help. Attempt to build another test application consuming the staff list data source that is available at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/people. We want you to observe that consuming this source within the application does not pose any issue. Now see what makes this data source different from the one you tried earlier.

Computer Science @ UoA

Logo

You are now ready to build the real application consuming the data offered at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/help. You may use the University logo available at https://redsox.tcs.auckland.ac.nz/ups/logo.svg as you deem fit.

The application should consist of the following logical sections:

Home

This section contains an introduction to the Department. You could borrow the brief introduction provided at the Department's current page. For example, "Welcome to New Zealand's leading computer science department. We pride ourselves on the excellence of our staff and our students."

Courses

This is a list of courses offered by the Department.

People

This is a list of staff at the Department. You would want to provide means of contacting them (such as email and telephone) as well as the means to save details in an address book (the vCards come handy here).

News

This is the current news feed.

Notices

This is the current notices feed.

Guest Book

This is where guest comments can be entered into.

The application should use a combination of HTML, CSS, and JavaScript. Where the application needs icons, please consider using an appropriate Unicode character that represents the icon. For example, please note that the "caution" sign used earlier in this page is a Unicode character.

Please note the following requirements.

1. You are not allowed to use any libraries or frameworks.

2. The application should contain a single HTML page (named index.html).

3. The application should work on any modern browser (such as Chrome, Safari and Edge).

4. The application should work on small screen devices. You can test this by making your browser window narrow.

This application, unlike the two test applications, is marked, and should be of a professional quality to attract full marks. You should pay attention to details.

Pen-Testing the Service

It is thought the back-end service has a number of vulnerabilities. You are now asked to penetration-test the service, and report your findings.

For this part, you will use local versions of the service and its associated data. To this end, please download copies of the service and the data first. You also need to change the Web.config file in the service to point to the local location where you have saved the data.

1. Service . Unzip the service and place it in a folder such as H:\335\A2\Svc.

2. Data . Unzip the data and place it in a folder such as H:\335\A2\Data.

3. Now open the Web.config file in the service folder, and find the line:

Change the value field to reflect where you saved the data. E.g., H:\335\A2\Data\CSUoAData\.

4. You can then run the service using the following command line:

"C:\Program Files\IIS Express\IISExpress.exe" /port:8188 /path:H:\335\A2\Svc

If you want to run IIS Express from a Windows PowerShell, you need to prefix the above command line with & so that PowerShell can execute the command (rather than treating the command as a string):

& "C:\Program Files\IIS Express\IISExpress.exe" /port:8188 /path:H:\335\A2\Svc

Test the service by pointing your browser to https://localhost:8188/UniProxService.svc/help . The browser is expected to show the API doc you saw at https://redsox.tcs.auckland.ac.nz/ups/UniProxService.svc/help .

If the data and the service are correctly set up, you should see a detailed list of staff when you point your browser to https://localhost:8188/UniProxService.svc/people. Note that the output shown in the browser may not be well-formatted, and in this case, you may wish to view the source to see the unformatted content.

You may find it helpful to use the UI you have already developed. This will require you to change the service URI base in your UI implementation to point to the local service. While you may use the UI for the initial testing, you must verify your observations using a standalone HTTP tool such as W3Client .

Please answer the questions below. Where the questions require you to write an HTTP request, please provide a URL if the request is GET; if the request is POST, please provide the complete request including all the necessary HTTP headers.

1. Find out where HTML injection is possible within the service APIs. Write down an HTTP request that inserts an arbitrary image into the UI you constructed.

2. Write down an HTTP request that leads to executing a user-supplied script.

3. Find out where SQL injection is possible within the service APIs. Write down an HTTP request that injects SQL.

Assignment -

https://www.cs.auckland.ac.nz/courses/compsci335s2c/assignments/mano/.

Request for Solution File

Ask an Expert for Answer!!
Computer Engineering: Find out where html injection is possible within the
Reference No:- TGS01633034

Expected delivery within 24 Hours