E N D
CHAPTER4Exercises for Part 1 Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan (ISBN 1590597842; http://www.foundationsofsecurity.com). Except as otherwise noted, the content of this presentation is licensed under the Creative Commons 3.0 License.
Conceptual Exercises • Are there dependencies between any of the security concepts that we covered? For example, is authentication required for authorization? Why or why not? • What happens if a client connects to SimpleWebServer, but never sends any data and never disconnects? What type of an attack would such a client be able to conduct?
Programming Problem (1) • HTTP supports a mechanism that allows users to upload files in addition to retrieving them through a PUT command. • What threats would you need to consider if SimpleWebServer also had functionality that could be used to upload files? • For each of the specific threats you just listed, what types of security mechanisms might you put in place to mitigate the threats?
Programming Problem (2) public void storeFile (BufferedReader br, OutputStreamWriter osw, String pathname) throws Exception { FileWriter fw = null; try { fw = new FileWriter(pathname); String s = br.readLine(); while (s != null) { fw.write(s); s = br.readLine(); } fw.close(); osw.write("HTTP/1.0 201 Created"); } catch(Exception e) { osw.write("HTTP/1.0 500 Internal Server Error"); } } public void logEntry(String filename,String record) { FileWriter fw = new FileWriter (filename, true); fw.write(getTimestamp()+ " " + record); fw.close(); } public String getTimestamp() { return (new Date()).toString(); } • Modify the processRequest() method in SWS to use this file storage and logging code.
Programming Problem (3) • Run your web server and mount an attack that defaces the index.html home page. • Assume that the web server is run as root on a Linux workstation. Mount an attack against SimpleWebServer in which you take ownership of the machine that it is running on. By taking ownership, we mean that you should be able to gain access to a root account, giving you unrestricted access to all the resources on the system. Be sure to cover your tracks so that the web log does not indicate that you mounted an attack.