First, find a website on which you can use PHP and JavaScript and edit the HTML directly. If you use a web-hosting service from a third party, make sure that it supports PHP and JavaScript. You will also need a web server that you can run on your own computer and reach at http://localhost. You may use CherryPy (very simple, Python) or Apache (professional). VMware is free for 1 year, and absolutely required. You can get a Windows OS image for free at the same website.
No submission is required for this part. Please fill out this survey to let me know your web server configuration.
Use htaccess to protect a directory with a password. Hint. You will need to submit your htpasswd and htaccess file on Blackboard.
Use Wireshark to see your passwords. Can you see the password when you run Wireshark on your computer as you type the password? Can you see the password if you run Wireshark on your server, where your web server runs? Can you see your friend's password if they connect to your web server? Submit the pcap files of the three situations and write a short explanation of where the password can be found in each pcap file, or why it cannot be. A good reference book is available on Safari: Practical Packet Analysis by Chris Sanders.
Set a permanent cookie from your website, i.e. a cookie that does not expire. From your web browser, visit your website and capture the packets to show how the cookie is sent from the website to your browser. Close your web browser, visit your website again, and capture the packets to show how the cookie is sent from your browser to the website. Clear the cookie in the web browser, then visit the website again while capturing the packets to show how the cookie is set by the website again. Submit the code in your website along with the pcap files. You may use PHP or JavaScript to set the cookie. The university offers free training on Apache+PHP+MySQL at Lynda.com. Log in to USF Connect, click on Learning Technologies, and then click on Lynda.com. You can search for Apache.
Read the article "Logging out of Facebook is not enough". Create a Facebook account if you don't have one. Start a packet capture. Log in, log out, and visit 3rd-party (non-Facebook) websites with a Like button, such as dictionary.reference.com. Show which packets send the Facebook cookies to Facebook when your browser visits the 3rd-party websites.
Add SSL to your website to support https for username/password login. Do not use htaccess, but implement a login page. Use Wireshark to verify that the passwords are not visible. You may use Apache-SSL. Submit the source code of your website and a README. The README should explain how you added SSL.
Sniff the packets from a web browser to your server using 1) http and 2) https while a legitimate user logs in to your website. Write a program that takes the packet capture file and the URL of your website, and launches a replay attack on your website to access the restricted content as the legitimate user. Make sure that your web server responds with the restricted content only when the cookie is valid; in other words, the replayed cookie is an authentication cookie. Does the capture file from 1) work? How about from 2)? Explain your answer in the README. Unless you're doing this as a browser add-on, you will need to do some socket programming to make your program act like a web browser. You might want to read about SSL Strip, tcpreplay and/or Firesheep.
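For the server side of this part, the following is an added example (not part of the assignment or any sample code) of how a web server can issue and validate an authentication cookie so that it only releases restricted content to an untampered, unexpired token; the secret, cookie name `auth` and the `username|expiry|mac` layout are assumptions of this example, and the `Set-Cookie` attributes show the flags that keep a browser from sending the cookie over plain HTTP and bound how long any token stays usable.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder secret for this example; a real server would load a
# random secret from configuration rather than hard-code it.
SERVER_SECRET = b"replace-with-a-random-secret"


def issue_auth_cookie(username: str, lifetime_s: int, now: Optional[float] = None) -> str:
    """Return a cookie value 'username|expiry|mac', mac = HMAC-SHA256(secret, 'username|expiry')."""
    now = time.time() if now is None else now
    expiry = int(now) + lifetime_s
    payload = f"{username}|{expiry}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_auth_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is untampered and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        username, expiry_str, mac = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:          # malformed cookie: wrong field count or non-numeric expiry
        return None
    payload = f"{username}|{expiry}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, mac):
        return None
    if now >= expiry:           # a replayed token stops working once its lifetime is over
        return None
    return username


def set_cookie_header(value: str, max_age_s: int) -> str:
    """Build the Set-Cookie header: Secure keeps it off plain HTTP, HttpOnly keeps it from scripts."""
    return (f"Set-Cookie: auth={value}; Max-Age={max_age_s}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    token = issue_auth_cookie("alice", lifetime_s=600)
    print(set_cookie_header(token, 600))
    print("valid for:", validate_auth_cookie(token))
```

The server should run this check on every request for restricted content, not just on the login page, since the replay program never visits the login page at all.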
Submit the source code of your website, the README, and/or the user-side program by 10/26 in Blackboard. Grading will be done by demo. The demo will take about 15 minutes, and should be done by 10/28. Please schedule an appointment with the instructor via email. Failure to schedule an appointment is not an excuse for an extension.
Your website will be acting as a 3rd-party tracking website, as explained in the Cookie lecture, slides 14-20. You may also find this WSJ article helpful. There is a sample website source in Blackboard that displays some interesting user information. Your goal is to produce reports on user behavior. The report will be something like the Google Analytics Dashboard, but much less fancy.
Think about what information about users you want to learn, and design your code snippet accordingly. The required information is (USF username, URL, time of visit). When the user visits your own website for the first time, ask for his or her USF username and set a cookie containing this username in the user's browser. After that, whenever this user visits any website with your code snippet, your web server will receive the cookie from the web browser. For the extra credit for top visitors, please record the username in the data you're collecting for the report. (You will submit this data along with the report on Nov. 9th.) Your code snippet will be included in everyone's website. Note that this time you are tracking multiple users, so your website needs to set cookies that can distinguish users. The USF username in the cookie will take care of it.
You may use your own website/web server, but any code that runs on the CS web server should run on your web server as well.
Write a program to find out how many GETs per second your web server can handle. This program will take the time between GET requests as input and generate GET requests to a certain URL on your web server to overload it. Measure the time it takes for the requested page (HTML, PHP, etc.) to be returned, and see at what rate (how many GETs per second) the response starts to slow down, and at what rate the response time exceeds 200ms. Use the VM or another machine in your subnetwork for the web server to minimize the effects on other machines. Most importantly, do _NOT_ do this on campus. Your account may be blocked for campus resource abuse.
Configure your firewall protecting your web server to prevent the denial-of-service attack from your program. (Hint: what's the source IP address of the attack?)
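To answer the hint from the server's own evidence, here is an added example (not part of the assignment) that reads access-log lines in the common Apache format, computes each source's peak GET rate in any one second, and lists the sources whose rate exceeds the threshold you measured in the graph; the log lines are constructed for this example, and the `log_line` helper and the 20 GET/s threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Simplified common-log-format pattern: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def log_line(ip: str, second: int, path: str, method: str = "GET") -> str:
    """Build one constructed access-log line at a fixed minute (helper for the sample data)."""
    return f'{ip} - - [16/Nov/2015:10:00:{second:02d} -0500] "{method} {path} HTTP/1.1" 200 512'


# Constructed sample log: 10.0.0.7 runs the load generator against /index.php
# while 10.0.0.23 browses normally. Not real traffic.
SAMPLE_LOG: List[str] = (
    [log_line("10.0.0.7", 0, "/index.php") for _ in range(40)]
    + [log_line("10.0.0.7", 1, "/index.php") for _ in range(45)]
    + [log_line("10.0.0.23", 0, "/index.php"),
       log_line("10.0.0.23", 1, "/style.css"),
       log_line("10.0.0.23", 2, "/login.php", "POST")]
)


def gets_per_second(lines: List[str]) -> Dict[str, Counter]:
    """Return {source_ip: Counter({timestamp: GET count})}; non-GET and unparsable lines are skipped."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "GET":
            continue
        ip, ts = m.group(1), m.group(2)
        counts[ip][ts] += 1      # the log timestamp already has one-second granularity
    return counts


def peak_rate(lines: List[str]) -> Dict[str, int]:
    """Highest number of GETs any single source issued within one second."""
    return {ip: max(per_sec.values()) for ip, per_sec in gets_per_second(lines).items()}


def flag_sources(lines: List[str], threshold: int) -> List[str]:
    """Sources whose peak GET rate exceeds the rate at which your server's response time degraded."""
    return sorted(ip for ip, rate in peak_rate(lines).items() if rate > threshold)


if __name__ == "__main__":
    for ip, rate in peak_rate(SAMPLE_LOG).items():
        print(f"{ip}: peak {rate} GET/s")
    print("over threshold:", flag_sources(SAMPLE_LOG, threshold=20))
```

Run it against the real log before and after adding the firewall rule: once the rule drops the generator's source address, its burst should no longer appear in the log at all.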
Submit to Blackboard by 11/16: the source code of the program, a README explaining how you have configured the firewall to prevent this attack, and the graph with the GET request rate (how many GETs per second) on the x-axis and the response time on the y-axis. You'll need to demonstrate the attack and the countermeasure. The demo will take about 20 minutes, and should be done by 11/18. Please schedule an appointment with the instructor via email. Failure to schedule an appointment is not an excuse for an extension.
Please submit the original data that you used to generate the graph as well.