School of Computing and Information Systems
COMP90074: Web Security
Assignment 2
Due date: No later than 11:59pm on Sunday 10th May 2020
Weight: 12.5% Marked out of 100
Note: All challenges have a flag in the format: flag{something_here}  
Submission format  
All students must submit a single zip file with all their code and a PDF version of their report.  
The zip must be named <username>-assignment2.zip (e.g. testuser1-assignment2.zip).
All code for each challenge must be clearly labelled and stored in a separate file, so it is not
confused with the code for other challenges.
Finally, all code must be referenced within the report. This implies that there will be code in
both the report and the separate code file for each task.
If you have any questions or queries, please feel free to reach out via the discussion board,  
or by contacting Sajeeb (the lecturer).   
Report Writing (5%)  
For this assignment, we expect a professionally written report, provided to the client
(teaching staff), explaining and specifying each issue, alongside the process of exploitation
and steps to reproduce the exploits. Also, please ensure that the flag is displayed in a
screenshot at the end of each challenge's write-up. We will not be accepting any flags
that are not displayed in a screenshot.
Challenge 1: Basic WAF challenge (22.5%)  
sml555 is a 1337 Security Researcher (aka Hacker) who has discovered a serious
vulnerability. He decided to create a "Super Secure Blog" to publish his research. In his
excitement to publish quickly, he accidentally forgot to fully protect against all XSS
vulnerabilities.
As a fellow Security Researcher, sml555 has asked you to perform a security assessment on  
his blog and identify any issues. Please be aware that being security conscious, sml555 is  
protecting his blog with a basic WAF. You will need to find a way to bypass the WAF in order  
to complete this task.  
Your task is:
1. Visit the website (http://chall1.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. XSS
3. Use the vulnerability to perform the following:
   a. Steal the victim's cookie and authenticate as the victim
4. Document your findings with full details and screenshots so that sml555 can
   reproduce these findings. Note: It is critical that the findings are written up clearly and
   in a reproducible manner. Without this write-up you will receive 0 marks for this
   section. If in doubt, please ask the lecturer prior to the due date.
Scope  
Testing must only be performed on http://chall1.unimelb.life   
Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may
not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.  
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.  
HINT: Take a look at the marking scheme for the process to complete this challenge!   
Challenge 2: Local File Inclusion (20%)  
In true Agile fashion, a junior developer at !SlowDevs Pty Ltd. created a local copy of the
Agile Manifesto for easy accessibility on the organisation's intranet. Due to inexperience, the
junior developer accidentally exposed the website to the internet.
To accommodate for the international teams, the developer has added a language  
translation layer to the web application. Prior to placing this website in the production  
environment, !SlowDevs Pty Ltd. has contracted you to perform a security assessment of the  
new website.   
Your task is:
1. Visit the website (http://chall2.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. LFI
3. Use the vulnerability to perform the following:
   a. Steal the configuration file
4. Document your findings with full details and screenshots so that !SlowDevs Pty
   Ltd. can reproduce these findings. Note: It is critical that the findings are written up
   clearly and in a reproducible manner. Without this write-up you will receive 0 marks
   for this section. If in doubt, please ask the lecturer prior to the due date.
Scope  
Testing must only be performed on http://chall2.unimelb.life   
Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may
not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.  
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.  
HINT: Take a look at the marking scheme for the process to complete this challenge!    
Challenge 3: SQL Injection from another DB (22.5%)
Entrepreneurs Я Us saw a growing market for supplying white hat hackers with hacking
tools. Being entrepreneurs, they realised that they needed to be quick to market and have
rapidly developed a webstore branded "31337 Store". Unfortunately, while being quick to
market makes good business sense, it meant that they took some shortcuts during the
development and testing process, and therefore have left a few vulnerabilities in their code.
Entrepreneurs Я Us has hired you as a security consultant to perform a penetration test on
"31337 Store" prior to their big go-live event planned on the 10th of May.
Your task is:
1. Visit the website (http://chall3.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. SQL Injection
3. Use the vulnerability to perform the following:
   a. Obtain the CPanel credentials and find the flag
4. Document your findings with full details and screenshots so that Entrepreneurs Я
   Us can reproduce these findings. Note: It is critical that the findings are written up
   clearly and in a reproducible manner. Without this write-up you will receive 0 marks
   for this section. If in doubt, please ask the lecturer prior to the due date.
Scope  
Testing must only be performed on http://chall3.unimelb.life   
Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may
not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.  
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.  
HINT: Take a look at the marking scheme for the process to complete this challenge!    
Challenge 4: Blind SQL Injection (30%)  
VISION®, a large database company, has created an admin backend for one of their clients  
to self-manage their database. As this backend was created using completely new code,  
VISION® has hired you as a security consultant to perform a penetration test on this admin  
backend and confirm whether it is secure or not.  
Your task is:
1. Visit the website (http://chall4.unimelb.life)
2. Perform a manual Penetration Test and identify the following vulnerability:
   a. SQL Injection
3. Use the vulnerability to perform the following:
   a. Extract credentials
   b. Log into the application and find the flag
4. Document your findings with full details and screenshots so that VISION® can
   reproduce these findings. Note: It is critical that the findings are written up clearly and
   in a reproducible manner. Without this write-up you will receive 0 marks for this
   section. If in doubt, please ask the lecturer prior to the due date.
Scope  
Testing must only be performed on http://chall4.unimelb.life   
Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may
not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.  
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.  
HINT: Take a look at the marking scheme for the process to complete this challenge!   
Note: For this challenge, we expect a single, end-to-end exploit (written in Python 3)
that performs the blind SQL injection and extracts the credentials. This script will then
authenticate into the application and extract the flag.
Marking Scheme  
Report Writing (5%)  
Challenge 1: Basic WAF challenge (22.5%)
Task / Subtask                      | Percentage Awarded on Full Completion | Accumulated Percentage
------------------------------------|---------------------------------------|-----------------------
Identify XSS (includes WAF bypass)  | 50%                                   | 50%
Steal victim's cookie               | 25%                                   | 75%
Authenticate as victim              | 25%                                   | 100%
Challenge 2: Local File Inclusion (20%)
Task / Subtask                                                        | Percentage Awarded on Full Completion | Accumulated Percentage
----------------------------------------------------------------------|---------------------------------------|-----------------------
Identify LFI                                                          | 15%                                   | 15%
Extract any PHP file (server-side content) from the server using LFI  | 50%                                   | 65%
Steal flag config file using LFI                                      | 35%                                   | 100%
Challenge 3: SQL Injection from another DB (22.5%)
Task / Subtask                                   | Percentage Awarded on Full Completion | Accumulated Percentage
-------------------------------------------------|---------------------------------------|-----------------------
Identify SQL injection (prove with screenshot)   | 30%                                   | 30%
Identify CPanel database name and tables         | 20%                                   | 50%
Leak credentials from CPanel database            | 35%                                   | 85%
Authenticate into CPanel and find the flag       | 15%                                   | 100%
Challenge 4: Blind SQL Injection (30%)
Task / Subtask                                            | Percentage Awarded on Full Completion | Accumulated Percentage
----------------------------------------------------------|---------------------------------------|-----------------------
Identify blind SQL injection (prove with screenshot)      | 30%                                   | 30%
Identify users database table using blind SQL injection   | 25%                                   | 55%
Leak a victim user's password                             | 30%                                   | 85%
Authenticate as the victim user and retrieve the flag     | 15%                                   | 100%