Assignment: LAMP ZAP Analysis and Mitigation

Overview

For this final lab you will use the tools and techniques from throughout the course to analyze and mitigate two LAMP applications and document the results. The first application you will analyze is the e-Commerce application you wrote during week 7. For the second, you will use a prototype UMUC tutoring LAMP application, which you will need to install on your VM before you run the analysis, fix all vulnerabilities and document the results.

In both applications, you are expected to perform the scanning using ZAP, research the results, identify and fix software vulnerabilities, and professionally document your process and final results.

Learning Outcomes:

At the completion of the lab you should be able to:

1. Set up and run the UMUC tutor application on your VM

2. Conduct automated and manual analysis on two different LAMP applications

3. Identify, prioritize and repair software vulnerabilities found in the LAMP applications

4. Document the process and findings of your Web application security analysis

Lab Submission Requirements:

After completing this lab, you will submit a Word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, submit the modified LAMP applications, with their software vulnerabilities mitigated, and all associated files.

Virtual Machine Account Information

Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are:

Username: umucsdev

Password: umuc$d8v

MySQL Username: sdev_owner

MySQL password: sdev300

MySQL database: sdev

Tutor Application user accounts:

Tutor1 username: tutor1

Tutor1 password: t123

Tutor2 username: tutor2

Tutor2 password: t234

Tutor3 username: tutor3

Tutor3 password: t345

Part 1 - Set Up and Run the UMUC tutor application on your VM

In this exercise you will create and populate the database tables for the LAMP application and install the PHP and associated files on your VM. The application is fully functional (but definitely not safe). You need to perform a few steps to make sure it is working properly on your VM.

1. From the Week 8 code examples, download the UMUCTutorLamp.zip file.

2. Move the file to your VM and unzip it using the right mouse click - extract to here option. Note: a folder named week8 will be provided that has two subfolders.

3. Create a folder named Week8 in your /var/www/html folder that will store the Tutor application.

4. Copy the contents from the Tutor folder to the /var/www/html/week8 location. Note: just copy the folders and files inside of the Tutor folder, not the Tutor folder itself.

5. From the location where you unzipped your UMUCTutorLamp.zip file, open the SQL folder. Open the createTables.sql file.

6. Launch MySQL and use the sdev database. Important: make sure you use the sdev database so the tables are created in the correct area.

7. Carefully copy and paste the SQL lines into the mysql prompt. You can do this in batches. Look for any errors as you are running the scripts.

8. Verify your tables are correctly created and populated by querying the tables and verifying data exists in the tables where you inserted data.

9. Open your browser and launch the tutor app (localhost/week8/).

10. Click on "Create a new CSTutor account" to create a student account. Click Submit after you have entered your test account data.

11. Log in using the account information you just created and request two or three tutoring sessions using the form.

12. Log in as one of the tutors to see what students have sessions. (Use localhost/week8/tlogin.html) Note: tutor1 tutors CMIS102, tutor2 tutors CMIS141/242 and tutor3 tutors CMIS320. Be sure to log in as the tutor corresponding to the tutor sessions you created.

13. Click on "Show all my Sessions" to view all of the available sessions for this tutor.

14. Continue to experiment with the Tutor application to learn most of its functionality.

Lab submission details:

As part of the submission for this Lab, you will run manual and automatic attacks on your week7 lab submission and the UMUC Tutor app on your VM.

Be sure to work on each application separately and document the issues you found and the process you used to fix the applications. You can provide the findings in one well-organized document. You should work to eliminate all alerts in both applications and clearly document specifically what you did to mitigate each issue.

Create screen captures demonstrating your process and results. Each screen capture should be fully described. The document should be well-organized and include a table of contents, page numbers, figures, and table numbers. The writing style should be paragraph style with bullets used very sparingly to emphasize specific findings. In other words, this should be a professional report and demonstrate mastery of writing.

Be sure your process includes both manual and automatic scanning. When researching your security alerts, be sure to document your references using APA style. You should show both before and after fix vulnerability reports. Your final vulnerability report should show zero alerts and vulnerabilities.
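
One way to check the before-and-after requirement above, as an added example that is not part of the original assignment: it compares two ZAP scans exported as JSON reports and lists which alerts were fixed, which remain, and which appeared only after the fixes. It assumes ZAP's JSON report nesting (site, alerts, pluginid, name, riskcode, instances); the embedded reports and the `example_param` value are constructed samples, not findings from either lab application.

```python
import json

def load_alerts(report_text):
    """Map (site, pluginid, name) -> (riskcode, instance count) for one report."""
    report = json.loads(report_text)
    sites = report.get("site", [])
    if isinstance(sites, dict):          # tolerate a single site object
        sites = [sites]
    alerts = {}
    for site in sites:
        for a in site.get("alerts", []):
            key = (site.get("@name", "?"), a["pluginid"], a.get("name", ""))
            alerts[key] = (int(a.get("riskcode", 0)), len(a.get("instances", [])))
    return alerts

def compare(before_text, after_text):
    """Classify alerts as fixed, remaining, or newly introduced by the fixes."""
    before, after = load_alerts(before_text), load_alerts(after_text)
    return {
        "fixed": sorted(k for k in before if k not in after),
        "remaining": sorted(k for k in after if k in before),
        "new": sorted(k for k in after if k not in before),
        "clean": not after,              # the lab's target: zero alerts left
    }

def _report(alerts):
    """Build a constructed report with ZAP's site/alerts nesting."""
    inst = [{"uri": "http://localhost/week8/", "param": "example_param"}]
    return json.dumps({"site": [{"@name": "http://localhost", "alerts": [
        {"pluginid": pid, "name": name, "riskcode": risk, "instances": inst}
        for pid, name, risk in alerts]}]})

# Constructed sample data, not findings from either lab application.
BEFORE = _report([("40018", "SQL Injection", "3"),
                  ("40012", "Cross Site Scripting (Reflected)", "3"),
                  ("10010", "Cookie No HttpOnly Flag", "1")])
AFTER = _report([("10010", "Cookie No HttpOnly Flag", "1"),
                 ("10020", "X-Frame-Options Header Not Set", "2")])

if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for status in ("fixed", "remaining", "new"):
        for site, pid, name in result[status]:
            print(f"{status:9} {pid:6} {name} ({site})")
    print("zero alerts:", result["clean"])
```

The "new" bucket matters for the report: a fix that changes headers or cookies can surface an alert the first scan never raised, so the after-fix scan should be compared rather than only counted.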
