CIS 551 Project 4: Web Security
Getting Started
This project, like the first, uses a virtual machine. The virtual
machine is configured with an Apache web server that hosts some
vulnerable web pages that you will first attempt to break and then fix.
Follow these steps to get set up for the project:
- Download and extract the virtual machine image: box2.tar.gz
- Run the virtual machine using VMware (or VMware Fusion) by opening the
box.vmx file. As before, the username and password are
both root.
- Set up the network configuration (we left the VM configured incorrectly) by moving the
/etc/udev/rules.d/z25_persistent-net.rules file and
rebooting the VM:
box:~# mv /etc/udev/rules.d/z25_persistent-net.rules /etc/udev/rules.d/z25_persistent-net.rules.old
box:~# shutdown -r now
- Inside the virtual machine, determine the server's IP address by
running the ifconfig command. The eth0 device's
inet addr is the appropriate address. For example, the
server's address might be 172.16.46.128.
- Using the host machine's web browser (there isn't a web browser
installed in the VM), connect to the URL:
http://server-IP-addr/, for example
http://172.16.46.128/. You should see a welcome message
from the VM's web server.
- Follow the instructions on the web server's page to continue the project.
As in project one, to move files onto the virtual machine (a.k.a. the
web server), you can either use sftp or wget.
Note: We have tested this project using the Chrome and
Safari web browsers. Internet Explorer by default includes some
anti-XSS measures that may foil these attacks. If you run into problems using a different web
browser, please contact the course staff via Piazza.
Last modified: Wed Apr 11 08:19:21 EDT 2012