Lab - PHP: Arrays, Functions and Form processing

Overview - This lab walks you through using PHP to create simple applications. PHP is popular for many Web applications, so becoming comfortable with its syntax will help you diagnose and identify potential security issues. You are not expected to become an expert in PHP from this course, but you will be able to create simple Web applications and, later in this course, analyze that code for security issues.

Learning Outcomes: At the completion of the lab you should be able to:

1. Create and test PHP scripts that include Arrays

2. Create and test PHP scripts that include Functions

3. Create and test PHP scripts to process HTML Forms

4. Compare and contrast session creating mechanisms in PHP

Part 1 - Create and test PHP scripts that include Arrays

This exercise will walk you through creating a PHP script that creates, uses and manipulates arrays. We will use the gedit text editor to create the PHP file in the Virtual Machine.

Part 2 - Create and test PHP scripts that include Functions

In this exercise we will create a PHP web page that uses both existing and user-defined PHP functions. Functions are used to help organize code into sub-units to allow for code reuse and reproducible results.

Part 3 - Create and test PHP scripts to process HTML Forms

In this exercise we will create PHP web pages that include simple forms using the GET and POST methods to submit data. The first set of code below is the HTML file providing 3 text fields and a form submitted with the GET method to a PHP script.

Part 4 - Compare and contrast session creating mechanisms in PHP

In this exercise we will create a simple PHP page that creates and reads available cookies as well as PHP session variables. For the first session example, we will create a cookie in PHP and use a form-based submission to expire the cookie.

The following guidelines should be used in your design and development:

1. The Login form should consist of fields for username, email address and password.

2. After login, a welcome message should appear providing a simple order form with at least 10 products of your choice. Be sure to include an image of the product and price.

3. Users can shop your store for up to 30 minutes before the session will expire.

4. Once all products are selected, the user should be able to checkout and pay for their purchases.

5. The payment page should display the username, email address and the products and total price of the purchases.

6. A "Purchase" button should be available to indicate the product was purchased and should generate a "Thank you" message of your choice.

7. On the Thank you message page, an option for logging out and essentially unsetting the stored session variables should be available and implemented.

8. Note all pages should have session timeout functionality.

Feel free to add additional HTML and PHP elements to enhance your web application. Create screen captures showing the successful running of your application. For your deliverables, you should submit a zip file containing your word document (or PDF file) with screen shots of the application running successfully along with your PHP web application file. Include your full name, class number and section and date in the document.
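The two mechanisms Part 4 compares, a cookie that a form submission expires and PHP session variables, together with the timeout (guideline 3), the per-page check (guideline 8) and the logout that unsets the session (guideline 7), as an added example that is not code from the lab handout. The cookie name `theme`, the `action` form field, the page name `login.php` and the session keys are assumptions; the cookie options array form of `setcookie` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the lab handout. Session state with an inactivity
// timeout, a logout that unsets it, and a preference cookie that a form
// submission expires. Field names, cookie name and login.php are assumptions.
declare(strict_types=1);

const SESSION_TIMEOUT_SECONDS = 30 * 60;   // guideline 3: 30 minutes of shopping

// Run at the top of every page (guideline 8). Returns true when a valid,
// unexpired login session exists; otherwise clears the session and returns false.
function requireLiveSession(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['username'], $_SESSION['last_activity'])) {
        return false;
    }
    if (time() - (int) $_SESSION['last_activity'] > SESSION_TIMEOUT_SECONDS) {
        logout();                              // expired: drop everything
        return false;
    }
    $_SESSION['last_activity'] = time();       // activity extends the window
    return true;
}

// Called after the login form (guideline 1) has been validated elsewhere.
// Only non-secret identity goes into the session, never the password.
function login(string $username, string $email): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);               // fresh id once the user is known
    $_SESSION['username']      = $username;
    $_SESSION['email']         = $email;
    $_SESSION['cart']          = [];           // product id => quantity
    $_SESSION['last_activity'] = time();
}

// Guideline 7: unset the stored session variables and invalidate the session cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// The cookie half of Part 4: a preference cookie the browser keeps for a day.
function setThemeCookie(string $theme): void
{
    setcookie('theme', $theme, [
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,        // sent only over HTTPS
        'httponly' => true,        // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Expiring a cookie means sending it again with a date in the past.
function expireThemeCookie(): void
{
    setcookie('theme', '', ['expires' => time() - 3600, 'path' => '/']);
}

// Request handling: a form POST with action=forget_theme expires the cookie,
// action=logout ends the session; every other request needs a live session.
if (PHP_SAPI !== 'cli') {
    $action = $_POST['action'] ?? '';
    if ($action === 'forget_theme') {
        expireThemeCookie();
    }
    if ($action === 'logout') {
        requireLiveSession();
        logout();
        header('Location: login.php');         // assumed login page name
        exit;
    }
    if (!requireLiveSession()) {
        header('Location: login.php');
        exit;
    }
    echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
}
```

The difference between the two mechanisms is where the state lives: the theme cookie holds its value in the browser, where the user (or a proxy) can change it, so nothing security-relevant should be stored that way; the session cookie carries only an identifier, and the username, cart and last-activity time stay on the server.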

Lab - Introduction to OWASP ZAP

Overview - This lab walks you through using ZAP by OWASP. ZAP is a vulnerability analysis tool used to scan Web applications for possible software flaws. As an introduction to using ZAP, you will scan and intercept the HTTP traffic to the PHP code we developed in week 4. You will also run the attack scanner on code you developed in week 4.

Important: Do not attempt to use these tools against any live Web site. It is illegal to do so. You can only scan sites you have written permission to scan. You should use the virtual machine on applications you developed running on the localhost and disconnect from the Internet when running ZAP.

Learning Outcomes: At the completion of the lab you should be able to:

1. Launch ZAP and view Web site history and input parameters

2. Use ZAP to intercept HTTP messages and change their content to identify possible vulnerabilities

3. Read and analyze reports produced from ZAP and prioritize and fix alerts associated with software issues

Part 1 - Launch ZAP and view Web site history and input parameters

This exercise will walk you through Launching ZAP and allow you to become comfortable with the GUI for ZAP within your virtual machine. We will use ZAP to begin to analyze some of the PHP Web applications we created in week 4.

Part 2 - Use ZAP to intercept HTTP messages and change their content to identify possible vulnerabilities

One of the strong features of the ZAP tool is the ability to intercept an HTTP message and change its values in an attempt to find software flaws. In this exercise, we will use the week 4 PHP web applications and demonstrate how the input parameters sent from the form can easily be changed and forwarded on to the application with the new values.

To intercept an HTTP transmission, you use the Break Points functionality within ZAP.
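The form handler that Parts 1 to 3 of the PHP lab build towards (arrays, a user-defined function, GET and POST processing), written so that a parameter altered at a ZAP break point is rejected on the server rather than trusted, as an added example that is not code from the lab handout. The field names `name`, `email` and `age`, their rules, and the two constructed sample submissions are assumptions.

```php
<?php
// Added example, not from the lab handout: a form handler that does not trust
// the values a browser (or a proxy between browser and server) sends.
// Field names and validation rules are assumptions.
declare(strict_types=1);

// Arrays (Part 1): the fields the form is expected to carry and the rule for each.
const FIELD_RULES = [
    'name'  => ['required' => true,  'max' => 50,  'pattern' => '/^[A-Za-z][A-Za-z \'-]{0,49}$/'],
    'email' => ['required' => true,  'max' => 254, 'pattern' => null],
    'age'   => ['required' => false, 'max' => 3,   'pattern' => '/^\d{1,3}$/'],
];

// User-defined function (Part 2): validate one submitted array against the rules.
// Returns error messages keyed by field; an empty array means the input is valid.
function validateForm(array $input): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = isset($input[$field]) && is_string($input[$field]) ? trim($input[$field]) : '';
        if ($value === '') {
            if ($rule['required']) {
                $errors[$field] = 'is required';
            }
            continue;
        }
        if (strlen($value) > $rule['max']) {
            $errors[$field] = 'is too long';
            continue;
        }
        if ($field === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[$field] = 'is not a valid address';
            continue;
        }
        if ($rule['pattern'] !== null && preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'contains unexpected characters';
        }
    }
    return $errors;
}

// Escape anything reflected back into HTML, whatever the validation result.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderResponse(array $input): string
{
    $errors = validateForm($input);
    if ($errors !== []) {
        $out = "<ul>\n";
        foreach ($errors as $field => $msg) {
            $out .= '  <li>' . h($field) . ' ' . h($msg) . "</li>\n";
        }
        return $out . "</ul>\n";
    }
    return '<p>Hello, ' . h($input['name']) . ' (' . h($input['email']) . ")</p>\n";
}

// Form processing (Part 3): GET and POST arrive in different superglobals.
// From the command line there is no request, so two constructed samples are
// used: one well-formed submission and one whose fields were altered in transit.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['name' => 'Ada Lovelace', 'email' => 'ada@example.com', 'age' => '36'],
        ['name' => 'Ada<b>', 'email' => 'not-an-address', 'age' => 'x'],   // constructed tampered input
    ];
    foreach ($samples as $s) {
        echo renderResponse($s);
    }
} else {
    $input = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
    header('Content-Type: text/html; charset=UTF-8');
    echo renderResponse($input);
}
```

The point for the ZAP exercise is that any check done in the browser (an HTML `required` attribute, a JavaScript length test) is gone by the time the request reaches the break point, so the server repeats every check itself and encodes whatever it echoes back.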

Part 3 - Read and analyze reports produced from ZAP

In this lab, we will run the automatic scanning feature of ZAP, generate HTML alert reports for DemoGetForm.html and DemoPostForm.html, and discuss approaches to prioritizing and mitigating the issues found in each Web application.

Lab - Introduction to MySQL

Overview - This lab walks you through using MySQL. MySQL is a relational database that can be used as part of Web and other applications. This lab serves as a primer for using MySQL and will serve as a foundation when we discuss SQL injection attacks and possible mitigations.

Learning Outcomes: At the completion of the lab you should be able to:

1. Connect to a MySQL database and show the tables within the Ubuntu virtual machine

2. Create MySQL tables containing popular data types and constraints

3. Insert, update and delete data from MySQL database tables

4. Create and execute SQL Select statements and simple joins on MySQL tables

Part 1 - Connect to a MySQL database and show the tables within the Ubuntu virtual machine

The Virtual Machine already has MySQL installed. A MySQL username has also been created along with a database to use for your applications and testing. Although there are SQL editors available, for simplicity, we will use gedit to create the MySQL scripts. To run the scripts we will just copy and paste from the editor to the MySQL prompt.

Part 2 - Create MySQL tables containing popular data types and constraints

The reading for this week covered the foundations for creating and dropping tables using a variety of data types and constraints. In this exercise we will create three tables that could be used to represent a very simple student and course registration system. All three tables have primary keys, and one of them carries foreign keys to the other two.

When creating SQL commands to be executed in MySQL, it is always recommended to prepare them in a text editor and then either run the script or copy and paste into the MySQL application. Since this isn't a course in database design, we will just copy and paste from the gedit text editor.

Part 3 - Insert, update and delete data from MySQL database tables

Once tables have been created, you can insert records and then update or even delete them. This exercise discusses how to use MySQL to populate and modify the records in your database. We will once again create the database scripts using the gedit text editor.

Part 4 - Create and execute SQL Select statements and simple joins on MySQL tables

Once tables have been created and data populated, you can query the tables using the SELECT statement. The SELECT statement has many clauses; the examples below will emphasize the WHERE and ORDER BY clauses.

Lab - LAMP Apps

Overview - This lab walks you through using Linux, Apache, MySQL and PHP (LAMP) to create simple, yet very powerful PHP applications connected to a MySQL database. For developers using Windows, the acronym becomes WAMP (Linux is replaced by Windows). The basics of inserting, updating, deleting and selecting from MySQL using PHP forms will be provided. Some "bad" security practices that lead to SQL injection vulnerabilities will be exposed as well as some techniques to mitigate these issues.

Learning Outcomes: At the completion of the lab you should be able to:

1. Insert data into a MySQL database using PHP forms

2. Query existing data in a MySQL database using PHP forms

3. Delete data from a MySQL database using PHP forms

4. Update data in a MySQL database using PHP forms

Part 1 - Insert data into a MySQL database using PHP forms

In this exercise we will create a small table in MySQL and then use a PHP form to insert data collected from the user into that table. We will first use a technique that is very susceptible to SQL injection and then a better approach using prepared statements.
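The two techniques contrasted above, a string-built INSERT and its prepared-statement replacement, plus the parameterised SELECT with WHERE and ORDER BY that Part 2 needs, as an added example that is not the lab's own code. The connection values, the `students` table layout and the form field names are assumptions; `get_result()` requires the mysqlnd driver that Ubuntu's PHP packages ship with.

```php
<?php
// Added example, not the lab's own code. A string-built INSERT (the practice the
// lab calls out as susceptible to SQL injection) beside the prepared-statement
// form, and a parameterised SELECT. Credentials and table layout are assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on any DB error

function connect(): mysqli
{
    // placeholder credentials; the VM's real user and database go here
    return new mysqli('localhost', 'labuser', 'labpassword', 'labdb');
}

function createStudentsTable(mysqli $db): void
{
    $db->query(
        'CREATE TABLE IF NOT EXISTS students (
             student_id INT AUTO_INCREMENT PRIMARY KEY,
             last_name  VARCHAR(50)  NOT NULL,
             first_name VARCHAR(50)  NOT NULL,
             email      VARCHAR(254) NOT NULL UNIQUE
         )'
    );
}

// BAD: the form values are spliced into the SQL text, so whatever the user
// typed is parsed as part of the statement and a quote character changes its
// meaning. Kept only so the two versions can be compared; not wired to the form.
function insertStudentUnsafe(mysqli $db, string $last, string $first, string $email): void
{
    $sql = "INSERT INTO students (last_name, first_name, email) VALUES ('$last', '$first', '$email')";
    $db->query($sql);
}

// GOOD: the statement text is fixed and sent first; the values travel
// separately as parameters and are never parsed as SQL.
function insertStudent(mysqli $db, string $last, string $first, string $email): int
{
    $stmt = $db->prepare('INSERT INTO students (last_name, first_name, email) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $last, $first, $email);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Part 2 query, same rule: the WHERE value is a parameter, the ORDER BY is fixed text.
function findStudentsByLastName(mysqli $db, string $last): array
{
    $stmt = $db->prepare(
        'SELECT student_id, last_name, first_name, email FROM students WHERE last_name = ? ORDER BY first_name'
    );
    $stmt->bind_param('s', $last);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Form handling: only the safe path is reachable from the form. Input is
// validated before it reaches the database and escaped before it is echoed.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $last  = trim($_POST['last_name']  ?? '');
    $first = trim($_POST['first_name'] ?? '');
    $email = trim($_POST['email']      ?? '');
    if ($last === '' || $first === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('All fields are required and the e-mail address must be valid.');
    }
    $db = connect();
    createStudentsTable($db);
    $id = insertStudent($db, $last, $first, $email);
    echo 'Inserted student #' . $id . ' for ' . htmlspecialchars("$first $last", ENT_QUOTES, 'UTF-8');
    foreach (findStudentsByLastName($db, $last) as $row) {
        echo '<br>' . htmlspecialchars($row['first_name'] . ' ' . $row['last_name'], ENT_QUOTES, 'UTF-8');
    }
}
```

Validation and prepared statements do different jobs: the prepared statement is what stops input from being interpreted as SQL, while the validation keeps obviously malformed records out of the table and gives the user a sensible error. Neither replaces the other, and output encoding is still needed when the stored values are displayed.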

Part 2 - Query existing data in a MySQL database using PHP forms

Now that we have a form to Insert data into a table, we can expand and leverage the previous code to select from the database and display the results in an HTML table. We will also add a link to the Insert Table so we can demonstrate adding additional students.

Part 3 - Delete data from a MySQL database using PHP forms

Now that we have a form to Insert and Select data, we can continue to expand and add the delete functionality. This code shows you an approach to deleting data from a data table. Deleting data from a table can be a dangerous and often unrecoverable event, so make sure your application really requires this type of functionality.

Part 4 - Update data in a MySQL database using PHP forms

Now that we have a form to Insert, delete and Select data, we can continue to expand and add the update functionality. This code shows you an approach to updating data.

Lab - LAMP ZAP Analysis and Mitigation

Overview - For this final lab you will use the tools and techniques from throughout the course to analyze two LAMP applications, mitigate the issues found, and document the results. The first application you will analyze is the e-Commerce application you wrote during week 7. For the second application you will use a prototype UMUC tutoring LAMP application, which you will need to install on your VM; you will then run the analysis, fix all vulnerabilities and document the results.

For both applications, you are expected to perform the scanning using ZAP, research the results, identify and fix software vulnerabilities, and professionally document your process and final results.

Learning Outcomes: At the completion of the lab you should be able to:

1. Set-up and run the UMUC tutor application on your VM.

2. Conduct automated and manual analysis on two different LAMP applications.

3. Identify, prioritize and repair software vulnerabilities found in the LAMP applications.

4. Document the process and findings of your Web application security analysis.

Part 1 - Set-up and Run the UMUC tutor application on your VM

In this exercise you will create and populate the database tables for the LAMP application and install the PHP and associated files on your VM. The application is fully functional (but definitely not safe). You need to perform a few steps to make sure it is working properly on your VM.

Attachment:- Assignment Files.rar
