Security and Vulnerability Analysis - S15

CSE 591

Assignment 1

Assignment 1 is due 2/5/15 before class.

Part 1 (10 points)

Sign up for the course mailing list. Please provide your ASURITE ID number when you register so that we can give you credit for signing up.

Part 2 (45 points)

Create, in any language and from scratch, a minimal HTTP 1.1 client based on RFC 2616, without using HTTP libraries (note that URL parsing libraries are allowed).

For example, in Python, urllib2 and urllib are not allowed (because they handle the HTTP communication for you), but urlparse is allowed.

Interface

You must implement the following command-line interface for your program:

./client <HTTP_METHOD> <URL>

The output of the command is the response body from the web server.

The return status of the command should reflect the status of the server’s HTTP response, or a catch-all 1 for any other error:

  • 0: 2XX Status
  • 5: 5XX Status
  • 4: 4XX Status
  • 3: 3XX Status that can’t be followed (in other words, the status code is not a 301, 302, 303, or 307)
  • 1: Catch-all error

Minimum Functionality

  • Automatically follow redirects that are a 301, 302, 303, or 307, by sending the same <HTTP_METHOD> that was given on the command line (a limit of 5 redirects)
  • Handle “chunked” transfer encoding
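As an added illustration (not the course's reference solution and not code from the assignment), the response-parsing side of such a client in Python: decode_chunked handles an RFC 2616 chunked body, parse_response splits status line, headers and body, and decide applies the redirect limit and the return-code table above. Socket I/O and the redirect loop itself are omitted, SAMPLE_RESPONSE is a constructed response rather than one captured from a real server, and treating the sixth redirect as the catch-all error 1 is my assumption.

```python
# Added example, not the course's reference solution: the response-parsing side of a
# from-scratch HTTP/1.1 client. Socket I/O and the redirect loop are left to the reader.
import re
from urllib.parse import urlparse                # URL parsing libraries are allowed
REDIRECT_CODES = {301, 302, 303, 307}            # the only 3XX codes that may be followed
MAX_REDIRECTS = 5
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"   # constructed,
                   b"9\r\nMicrosoft\r\n5;x=y\r\n NCSI\r\n0\r\n\r\n")          # not captured

def build_request(method, url):
    """Raw request bytes for one round trip; Connection: close lets EOF end the body."""
    u = urlparse(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    host = u.hostname + (f":{u.port}" if u.port else "")
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def decode_chunked(data):
    """RFC 2616 chunked body: hex-size[;ext] CRLF chunk CRLF ... 0 CRLF [trailers] CRLF."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)   # drop chunk extensions
        if size == 0:
            return out                               # trailers, if any, are not needed
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                     # skip the chunk and its CRLF

def parse_response(raw):
    """Split raw bytes into (status_code, headers, body); body is de-chunked if needed."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    body = rest                                      # no length given: runs to connection close
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(rest)
    elif "content-length" in headers:
        body = rest[:int(headers["content-length"])]
    return int(m.group(1)), headers, body

def decide(code, headers, hops):
    """('follow', url) for a followable 3XX with hops left, else ('exit', return code)."""
    if code in REDIRECT_CODES and "location" in headers:
        if hops < MAX_REDIRECTS:
            return "follow", headers["location"]
        return "exit", 1     # assumption: hitting the redirect limit is the catch-all error
    return "exit", {2: 0, 3: 3, 4: 4, 5: 5}.get(code // 100, 1)
```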

Implementation

Your program must work on Ubuntu 14.04 64-bit with build-essential. If you need a machine to develop on, you can use general.asu.edu.

Note, if you wish to use packages that are not installed on Ubuntu by default, please submit a file entitled packages, with a list of the Ubuntu 14.04 64-bit packages that you would like installed before calling make. Each line of packages must be a valid package name, one package per line. We will automatically install all the dependencies that the package lists.

For example, if you were going to write your assignment in Haskell, you could install the GHC compiler with the following packages file:

ghc
ghc-dynamic

Submission Instructions

You will need to submit your source code, along with a Makefile and README. The Makefile must create an executable called client when the command make is run. Your README file should contain your name, ASU ID, and a description of how your program works.

Example Program Executions

Correct usage (where does this URL come from?)

$ ./client GET http://www.msftncsi.com/ncsi.txt
Microsoft NCSI
$ echo $?
0

Example with status code

$ ./client PUT http://sefcom.asu.edu/
Received status code 403 Forbidden exiting
$ echo $?
4

Note that in the next example I've replaced a bunch of output with …

$ ./client GET http://sefcom.asu.edu
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="application/xhtml+xml; charset=iso-8859-1" />
<meta content="Global" name="Distribution" />
<meta content="index,follow" name="Robots" />
<link type="text/css" href="images/Envision.css" rel="stylesheet" />
<link href="favicon.png" rel="icon">
<title>The Laboratory of Security Engineering for Future Computing</title>
</head>
<body>
<!-- wrap starts here -->
<div id="wrap">
<!--header -->
<div id="header">
<div id="header-links">
<p>

...

</body>
</html>

Self Evaluation

If you'd like to test your code before you submit it, please download and run the provided part_2_self_evaluation.sh script. Put it in the same directory as your code, make it executable (chmod +x part_2_self_evaluation.sh), and run it (./part_2_self_evaluation.sh). (Note that you are budding security professionals, so you should inspect code you download before you execute it!)

The script checks for a README and a Makefile, then tries running your code (with the examples provided above). Note that this does not check for full compatibility with the assignment description. If the self evaluation script passes with no errors, then you can expect at least 70% on this part (assuming that your code successfully compiles on the described system).

Here’s sample output from my code:

$ ./part_2_self_evaluation.sh
Running make
cp client.py client
chmod +x client
Running ./client GET http://www.msftncsi.com/ncsi.txt
Checking that ./client GET http://www.msftncsi.com/ncsi.txt outputs the right number of characters
Running ./client PUT http://sefcom.asu.edu/
Running ./client GET http://sefcom.asu.edu
Great Success! Assuming that your code compiles on an Ubuntu 14.04 you should get at least 70%

Part 3 (45 points)

Create, in any language, a single CGI script that is a web application conforming to RFC 3875, without using any CGI libraries (although you may use URL libraries).

For example, in Python, you may not use the cgi library.

Note that every HTML page that your web application generates, regardless of the input given to the application, must be valid HTML5 according to an HTML5 validator (with document type HTML5). Also, none of your form or a elements may have a target attribute with the value _blank. This is a technique for doing pop-ups, and it breaks the automated grading. Plus, it is evil.

Your web application will be a single executable, called part_3. This executable is responsible for implementing two functionalities:

Calculator

The /calculator path of your CGI application must return an HTML page with a form (name attribute calculator) containing two text inputs (one named a and one named b) and a dropdown selector (name attribute method) offering +, -, *, and /. When the form is submitted, the resulting page must show both inputs and the result of the submitted calculation.

Guestbook

The /guestbook path of your CGI application must return an HTML page with a list of the previous entries in the guestbook. After the last entry comes a form (name attribute guestbook) with one text input (name attribute name) and one textarea (name attribute comment). When the form is submitted, the name and comment must be added to the list on the /guestbook page.
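As an added example (not the course's code), a Python CGI script implementing the calculator half of this spec without the cgi module: it reads the RFC 3875 environment variables and the POST body itself, and HTML-escapes every echoed input so the page stays valid HTML5 whatever is submitted. The guestbook follows the same pattern with a stored list of entries; the form markup, the error strings and the Status header are my own choices.

```python
#!/usr/bin/env python3
# Added example, not the course's code: the /calculator half of an RFC 3875 CGI script
# without the cgi module. CGI passes the request in environment variables (plus stdin
# for a POST body) and expects header lines, a blank line, then the document on stdout.
import os, sys
from html import escape                    # output encoding keeps every page valid HTML5
from urllib.parse import parse_qs          # URL libraries are allowed by the assignment

PAGE = ('<!DOCTYPE html><html lang="en"><head><meta charset="utf-8">'
        '<title>Calculator</title></head><body>{body}</body></html>')
FORM = ('<form name="calculator" method="post" action="calculator"><input type="text" name="a"> '
        '<select name="method"><option>+</option><option>-</option><option>*</option>'
        '<option>/</option></select> <input type="text" name="b"> <input type="submit"></form>')

def calculate(a, b, method):
    """Evaluate one of the four operators; returns an error string instead of raising."""
    try:
        x, y = float(a), float(b)
    except ValueError:
        return "error: inputs must be numbers"
    ops = {"+": lambda: x + y, "-": lambda: x - y, "*": lambda: x * y, "/": lambda: x / y}
    if method == "/" and y == 0:
        return "error: division by zero"
    return str(ops[method]()) if method in ops else "error: unknown method"

def read_params(environ, stdin=None):
    """Merge QUERY_STRING and, for POST, CONTENT_LENGTH bytes of stdin into one dict."""
    qs = environ.get("QUERY_STRING", "")
    if environ.get("REQUEST_METHOD") == "POST":
        n = int(environ.get("CONTENT_LENGTH") or 0)
        qs = (stdin or sys.stdin.buffer).read(n).decode("utf-8", "replace")
    return {k: v[0] for k, v in parse_qs(qs).items()}

def calculator_page(params):
    """Render the form and, after a submission, the escaped inputs with their result."""
    body = FORM
    if {"a", "b", "method"} <= set(params):
        a, b, m = params["a"], params["b"], params["method"]
        body += "<p>{} {} {} = {}</p>".format(*map(escape, (a, m, b, calculate(a, b, m))))
    return PAGE.format(body=body)

def respond(environ, stdin=None):
    """Dispatch on PATH_INFO; returns (status, html) for the CGI main block to write."""
    if environ.get("PATH_INFO", "") == "/calculator":
        return "200 OK", calculator_page(read_params(environ, stdin))
    return "404 Not Found", PAGE.format(body="<p>no such page</p>")

if __name__ == "__main__":
    status, html = respond(os.environ)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html; charset=utf-8\r\n\r\n{html}")
```

Run under apache2 the script is reached as .../part_3/calculator, so PATH_INFO is /calculator and the form posts back to the same path.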

Implementation

Your program must compile and work on stock Ubuntu 14.04 64-bit with build-essential and apache2 installed, with apache2 as the web server.

Note, if you wish to use packages that are not installed on Ubuntu by default, please submit a file entitled packages, with a list of the Ubuntu 14.04 64-bit packages that you would like installed before calling make. Each line of packages must be a valid package name, one package per line. We will automatically install all the dependencies that the package lists.

For example, if you were going to write your assignment in Haskell, you could install the GHC compiler with the following packages file:

ghc
ghc-dynamic

Submission Instructions

You will need to submit your source code, along with a Makefile and README. The Makefile must create your executable, called part_3, when the command make is run. Your README file should contain your name, ASU ID, and a description of how your program works.

Self Evaluation

Raymond, the TA, has provided two Selenium test cases to help you test your CGI application: Tests for the Calculator and Tests for the Guestbook. Note that these tests only check that the proper forms and elements are on your page, so passing them will get you 60% on the assignment (assuming that the URLs are correct).

Here are the instructions to run the test cases:

  • Install Selenium IDE in Firefox
  • Open the HTML page of your assignment
  • Open Selenium IDE in Firefox
  • Click Menu File -> Open -> Select the provided test script in .html
  • Click the icon “Play current test case”
  • If the output is all green then your HTML page has passed the test

The Selenium tests are meant to verify that the elements with the required attribute names and tags are present. Please make sure that your HTML pages pass the test cases before submission.

Extra Credit

Implement gzip encoding in Part 2 so that your client tells the server that it can handle gzip encoding.

Submission Site

Create an account to submit your homework.