2023 1 LAMP ZAP Analysis and Mitigation Overview For this final lab you will use the tools and techniques used | Assignment Collections

LAMP ZAP Analysis and Mitigation

Overview

For this final lab you will use the tools and techniques used throughout the course to analyze two LAMP applications, mitigate their vulnerabilities, and document the results. The first application you will analyze is the e-Commerce application you wrote during week 7. The second is a prototype UMUC tutoring LAMP application, which you will need to install on your VM before you run the analysis, fix all vulnerabilities and document the results.

In both applications, you are expected to perform the scanning using ZAP, research the results, identify and fix software vulnerabilities, and professionally document your process and final results.

Learning Outcomes:

At the completion of the lab you should be able to:

1. Set-up and run the UMUC tutor application on your VM

2. Conduct automated and manual analysis on two different LAMP applications

3. Identify, prioritize and repair software vulnerabilities found in the LAMP applications

4. Document the process and findings of your Web application security analysis

Lab Submission Requirements:

After completing this lab, you will submit a Word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, the modified LAMP applications, with their software vulnerabilities mitigated, and all associated files should be submitted.

Virtual Machine Account Information

Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are:

Username: umucsdev

Password: umuc$d8v

MySQL Username: sdev_owner

MySQL password: sdev300

MySQL database: sdev

Tutor Application user accounts:

Tutor1 username: tutor1

Tutor1 password: t123

Tutor2 username: tutor2

Tutor2 password: t234

Tutor3 username: tutor3

Tutor3 password: t345

Part 1 – Set-up and Run the UMUC tutor application on your VM

In this exercise you will create and populate the database tables for the LAMP application and install the PHP and associated files on your VM. The application is fully functional (but definitely not safe). You need to perform a few steps to make sure it is working properly on your VM.

1. From the Week 8 code examples, download the UMUCTutorLamp.zip file.

2. Move the file to your VM and unzip it using the right mouse click – "Extract Here" option. Note that a folder named week8 will be provided that has two subfolders.

3. Create a folder named week8 in your /var/www/html folder that will store the Tutor application.

4. Copy the contents of the Tutor folder to the /var/www/html/week8 location. Note: copy only the folders and files inside the Tutor folder, not the Tutor folder itself.

5. From the location where you unzipped your UMUCTutorLamp.zip file, open the SQL folder. Open the createTables.sql file.

6. Launch MySQL and use the sdev database. Important: make sure you use the sdev database so the tables are created in the correct area.

7. Carefully copy and paste the SQL lines into the mysql prompt. You can do this in batches. Look for any errors as you are running the scripts.

8. Verify your tables are correctly created and populated by querying the tables and verifying data exists in the tables where you inserted data.

9. Open your browser and launch the tutor app (localhost/week8/).

10. Click on the Create a new CSTutor account to create a student account. Click Submit after you have entered your test account data.

11. Log in using the account information you just created and request two or three tutoring sessions using the form.

12. Log in as one of the tutors to see which students have sessions. (Use localhost/week8/tlogin.html) Note: tutor1 tutors CMIS102, tutor2 tutors CMIS141/242 and tutor3 tutors CMIS320. Be sure to log in as the tutor corresponding to the tutor sessions you created.

13. Click on “Show all my Sessions” to view all of the available sessions for this tutor.

14. Continue to experiment with the Tutor application to learn most of its functionality.

Lab submission details:

As part of the submission for this Lab, you will run manual and automatic attacks on your week7 lab submission and the UMUC Tutor app on your VM.

Be sure to work on each application separately and document the issues you found and the process you used to fix the applications. You can provide the findings in one well-organized document. You should work to eliminate all alerts in both applications and clearly document specifically what you did to mitigate each issue.

Create screen captures demonstrating your process and results. Each screen capture should be fully described. The document should be well-organized and include a table of contents, page numbers, figures, and table numbers. The writing style should be paragraph style with bullets used very sparingly to emphasize specific findings. In other words, this should be a professional report and demonstrate mastery of writing.

Be sure your process includes both manual and automatic scanning. When researching your security alerts, be sure to document your references using APA style. You should show both before and after fix vulnerability reports. Your final vulnerability report should show zero alerts and vulnerabilities.
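One way to check the before/after requirement above, as an added example that is not part of the original lab handout: it diffs two ZAP JSON reports by (plugin id, URL) and lists what was fixed, what remains, and what a fix newly introduced. The sample reports are constructed, and the field names (site, alerts, pluginid, alert, riskcode, instances, uri) assume the layout of ZAP's traditional JSON report.

```python
import json

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

def load_alerts(report_text):
    """Flatten a report into {(pluginid, uri): (alert name, risk label)}."""
    found = {}
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            label = RISK.get(str(alert.get("riskcode")), "Unknown")
            # An alert without instances is still a finding; key it on the site.
            instances = alert.get("instances") or [{"uri": site.get("@name", "")}]
            for inst in instances:
                found[(alert["pluginid"], inst["uri"])] = (alert["alert"], label)
    return found

def compare(before_text, after_text):
    """Classify findings by whether they survive from the first scan to the second."""
    before, after = load_alerts(before_text), load_alerts(after_text)
    return {
        "fixed": sorted(before.keys() - after.keys()),
        "remaining": sorted(before.keys() & after.keys()),
        "new": sorted(after.keys() - before.keys()),  # introduced by a fix
    }

def _report(alerts):
    # Helper that wraps constructed alerts in the assumed report envelope.
    return json.dumps({"site": [{"@name": "http://localhost", "alerts": alerts}]})

# Constructed sample data, not real scan output.
BEFORE = _report([
    {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header",
     "riskcode": "2", "instances": [{"uri": "http://localhost/week8/"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "instances": [{"uri": "http://localhost/week8/"},
                                    {"uri": "http://localhost/week8/tlogin.html"}]},
])
AFTER = _report([
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "instances": [{"uri": "http://localhost/week8/tlogin.html"}]},
])

if __name__ == "__main__":
    for status, keys in compare(BEFORE, AFTER).items():
        for plugin, uri in keys:
            print(f"{status:9} {plugin} {uri}")
    print("zero alerts" if not load_alerts(AFTER) else "alerts remain")
```

Run it against the JSON reports exported from the first and final scans; the deliverable is met only when the final report flattens to an empty set.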

For your deliverables, you should submit a zip file containing your Word document (or PDF file) along with the before and after application files (including sql and parameter files). If you made changes to your VM environment (e.g. security.conf, apache2.conf, php.ini), you should provide those files also.

Include your full name, class number and section and date in the document.

Grading Rubric:

Attribute: ZAP attacks

Meets (6 points):

Runs manual attacks on your week7 lab submission. (1 point)

Runs automatic attacks on your week7 lab submission. (1 point)

Runs manual attacks on the tutor app. (1 point)

Runs automatic attacks on the tutor app. (1 point)

Eliminates all alerts in both applications. (2 points)

Does not meet (0 points):

Does not run manual attacks on your week7 lab submission.

Does not run automatic attacks on your week7 lab submission.

Does not run manual attacks on the tutor app.

Does not run automatic attacks on the tutor app.

Does not eliminate all alerts in both applications.

Attribute: Documentation and submission

Meets (4 points):

Submits a Word or PDF document that includes screen captures demonstrating your process and results. Screen captures are fully described. Clearly documents specifically what you did to mitigate each issue. (2 points)

Document is well-organized and includes a table of contents, page numbers, figures and table numbers. The writing style should be paragraph style with bullets used very sparingly to emphasize specific findings. Document your references using APA style. (1 point)

Includes all before and after application files in zip format. (sql and parameter files, security.conf, apache2.conf, php.ini) (1 point)

Does not meet (0 points):

Does not submit a Word or PDF document that includes screen captures demonstrating your process and results. Screen captures are not fully described. Does not clearly document specifically what you did to mitigate each issue.

Document is not well-organized or includes a table of contents, page numbers, figures or table numbers. The writing style is not paragraph style with bullets used excessively. APA style references not used.

Does not include all before and after application files in zip format. (sql and parameter files, security.conf, apache2.conf, php.ini)

Run Zap on both UMUCTutorLamp and store.sql

 
