This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: ECE4112 Internetwork Security Lab 9: Web Security Group Number: ____________ Member Names: _______________________ _______________________ Date Assigned: October 30, 2007 Due Date: November 6, 2007 Last Edited on: November 11, 2007 Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions on the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the date due. Goal: This lab will introduce you to several security issues involving web server software and web applications. Summary: In this lab you will be learning about several techniques to attack web applications as well as how to defend against them. First you will learn about Cross Site Scripting and use your knowledge to experiment with a cross site scripting exploit. Then, you will learn about SQL injection and use your knowledge to break into a database driven website and then explain how to protect against such attacks. Then we will tie them all together into a practical exercise. Requirements: Red Hat WS 4 SPI Dynamics VMware machine Notes: If you get a blank page when you go to index.php in firefox, make sure all users have read permission for the index.php file (navigate to where the file is located and execute chmod 777 index.php) When setting up apache2 command addtype in httpd.conf should be AddType application/x-httpd-php .php (there is a space between php and .php) Section 0: Setup 1 I. Setting up Apache Apache should already be installed on your Red Hat WS 4.0 Machine. If it is not, please follow the directions given in Lab 2. Make sure you have a directory called apache2 somewhere on your machine. Possible locations for this folder are /home/apache2, /usr/local/apache2 or /var/local/apache2. In order to use php, we must modify our servers configuration file. This file called httpd.conf is located under the apache2 directory (/conf/httpd.conf). The following lines must be added. The best way to add these lines is to search for them in the config file and place them below the commented examples. LoadModule php4_module modules/libphp4.so DirectoryIndex index.html index.html.var index.php (this replaces existing line) AddType application/x-httpd-php .php For reference, an httpd.conf file is placed on nas4112/Lab9/Examples II. Setting up PHP Now that we have our apache server configured, we need to make sure we can interpret a php file located in .../apache2/htdocs. First, locate php.ini (use the locate command; you may have to updatedb before you can). More than likely php.ini is located in /etc/. Open php.ini and set the document root to the path of your htdocs directory. For example, if apache2 is located in /usr/local, then find the line in php.ini starting with doc_root and type the following: doc_root = /usr/local/apache2/htdocs/ Remember, depending on the location of the apache2 directory, the above line may be...
View Full Document
This note was uploaded on 12/05/2009 for the course IT IS taught by Professor Arther during the Three '09 term at Queensland Tech.
- Three '09