This assignment concerns vulnerabilities in a software application, and how they can be fixed. You should be able to do the work on any machine that has the Java Development Kit installed.
We strongly recommend that you do the assignment in pairs, though you may work on your own if you prefer. If you choose to work in a pair, please notify us of the members of the pair using the form provided for this purpose. A link & QR code for the form is available in Minerva. If you work in a pair, each member will receive the same mark for the assignment.
This assignment is worth 15% of your overall grade.
You are provided with the source code of a Java application in patients.zip. This is a crude attempt by an inexperienced developer to implement part of a patient records system. The idea is that GPs in a surgery can log in to the application and search for details of patients that they are currently treating.
The application uses Jetty as a built-in web server. Request processing is done by a Java Servlet. Data storage is provided by an SQLite 3 database, and queries of the database are done using JDBC. HTML pages are generated using the Freemarker template engine.
Analysis of Security Flaws
- Examine the database used by the application. Amongst other things, this will give you the login credentials and patient details that you need to test the application.
You can do this on the command line using the sqlite3 tool: the .schema command will tell you the structure of the database and you can issue SQL queries at the command prompt to examine its contents. You can exit the tool with .quit.
If you prefer a tool with a GUI, there are many available—e.g., DB Browser.
- Compile and run the application from the command line using
(On Windows, omit the leading ./)
Note: there may be a significant delay the first time this runs, while dependencies are downloaded. If doing this from your own PC, make sure you are connected to the Internet first.
- Visit http://localhost:8080 in a web browser to interact with the application. Use the information obtained in Step 1 to explore different paths through the application.
- Experiment with the web interface to identify any security issues. Make a note of precisely what the issues are and how you identified them. Collect evidence such as screenshots where appropriate.
- Study the source code of the application if necessary to gain further insight into the application’s security flaws.
- Create a report using a word processor or other documentation preparation tool of your choice. Give your report the title ‘COMP3911 Coursework 2’ and include author details (name and username, or names and usernames of both of you if you worked in a pair).
Under a section heading ‘Analysis of Flaws’, write down a numbered list of all the flaws you have found. Be brief here; identify each flaw with a single short sentence.
Then pick three of the discovered flaws to discuss in more detail. For each choice, create a suitable subsection heading, under which you should describe the nature of the flaw and how you discovered it, providing suitable examples or evidence in each case.
The entire ‘Analysis of Flaws’ section should be no more than two A4 pages in length. The contents of this section are worth a total of 21 marks.
Implementation of Security Fixes
- Choose up to three, but no more than three, of the security flaws that you listed in the ‘Analysis of Flaws’ section. These could be, but do not have to be, the same three flaws that you described in detail in that section.
Modify the application (and, if necessary, the database) to fix your chosen flaws.
- Test the application to make sure that it still works and that it is no longer vulnerable.
- Add a new section to your report, with the heading ‘Fixes Implemented’. Write a short (maximum of one A4 page) summary of the changes that you have made, explaining in each case how it has fixed the problem.
Your fixes and the written summary of them are together worth a total of 15 marks.
You need to submit both your report and the modified application.
The report should not exceed three A4 pages in length, excluding any cover sheet. It must include your name, or the names of both contributors if you worked as a pair. It must have the section headings indicated previously. It must be submitted as a PDF file: do NOT submit a Word document or any other editable document format. The PDF file must be named report.pdf and it must be put in the same directory as the build.gradle file.
Note: you will lose marks if you don’t satisfy all of these requirements!
When you have put report.pdf in the correct location, enter the following command:
This will create a Zip archive named cwk2.zip, containing everything that needs to be submitted.
Use Minisign to sign the Zip file:
minisign -S -m cwk2.zip
Submit the files cwk2.zip and cwk2.zip.minisig, via the link provided for this purpose in Minerva. Note: if you have worked in a pair, the person who signed the Zip file should be the person who submits the file and its signature.
A further 4 marks will be awarded for a correctly formatted submission with a signature that verifies correctly—giving a total of 40 marks available for the assignment.
Note that we will need the public key of the signer to perform signature verification, so make sure that this has been submitted previously, using the relevant submission link in Minerva.