CIS 551 Project 4: Web Security

Getting Started

This project, like the first, uses a virtual machine. The virtual machine is configured with an Apache web server that hosts some vulnerable web pages that you will attempt to first break and then fix.

Follow these steps to get set up for the project:

  1. Download and extract the virtual machine image: box2.tar.gz
  2. Run the virtual machine using VMWare (or VMWare Fusion) by opening the box.vmx file. As before, the username and password are both root.
  3. Set up the network configuration (we left the VM configured incorrectly) by moving the /etc/udev/rules.d/z25_persistent-net.rules file and rebooting the VM:
    box:~# mv /etc/udev/rules.d/z25_persistent-net.rules /etc/udev/rules.d/z25_persistent-net.rules.old
    box:~# shutdown -r now
  4. Inside the virtual machine, determine the server's IP address by running the ifconfig command. The eth0 device's inet addr is the appropriate address. For example, the server's address might be 172.16.46.128.
  5. Using the host machine's web browser (there isn't a web browser installed in the VM), connect to the URL http://server-IP-addr/, for example http://172.16.46.128/. You should see a welcome message from the VM's web server.
  6. Follow the instructions on the web server's page to continue the project.
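
Steps 4 and 5 read the eth0 address off ifconfig's output by hand. The following added shell script (not part of the course materials) automates that: it parses the legacy net-tools "inet addr:" format the VM prints, fails cleanly when the interface has no address (e.g. before the udev rules fix from step 3 has taken effect), and builds the URL to open from the host. The ifconfig text below is a constructed sample, not captured from the VM; on the VM itself you would pipe the real `ifconfig` output into iface_addr.

```shell
#!/bin/sh
# Constructed sample of legacy net-tools ifconfig output (the format the VM uses).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:172.16.46.128  Bcast:172.16.46.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# iface_addr NAME: print the IPv4 address of interface NAME from ifconfig-style
# text on stdin. Exits non-zero and prints nothing when NAME has no "inet addr"
# line, which is what you see when the persistent-net rule is still in the way.
iface_addr() {
    awk -v want="$1" '
        /^[^ \t]/ { cur = $1 }             # a non-indented line starts a new interface block
        cur == want && /inet addr:/ {
            sub(/.*inet addr:/, "")        # strip everything up to the address
            print $1                       # $1 is now the bare address
            found = 1
            exit
        }
        END { exit !found }'
}

# server_url NAME: build the URL from step 5 for interface NAME using the sample.
server_url() {
    addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr "$1") || return 1
    printf 'http://%s/\n' "$addr"
}

# On the real VM: ifconfig | iface_addr eth0
server_url eth0
```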

As in project one, to move files onto the virtual machine (a.k.a. the web server), you can either use sftp or wget.

Note: We have tested this project using the Chrome and Safari web browsers. Internet Explorer by default includes some anti-XSS measures that may foil these attacks. If you run into problems using a different web browser, please contact the course staff via Piazza.


Last modified: Wed Apr 11 08:19:21 EDT 2012