CS 4401 (A12): Software Security Engineering
Project 1: TurnOut-Web

The course staff have implemented a web-based gradebook (called TurnOut) for this course. By default, everyone is listed as getting an NR. You have two general tasks: exploit as many vulnerabilities as you can find in the system (including figuring out how to give yourself a better grade) and fix the system to prevent attacks.

There are three separate deliverables for this project, each submitted via web-Turnin and due before the start of class on the specified date:

TurnOut-Web is distributed as a virtual machine image. You can get the image from the share \\fossil.wpi.edu\cs4401\ in the turnout-web directory. You may work either on the CCC machines or on your own computer. You can use either VirtualBox or VMware Player (VMware Player is not officially supported, but should work).

For the blackbox deadline, simply load the turnout-web image. This starts the TurnOut web server automatically. Before the login screen, a message box displays the virtual machine's IP address; visit that address in a web browser to use the web application. If the message box is blank, the VM had not yet been assigned an IP address when the box was drawn. Under VirtualBox, press Right Ctrl+Backspace to refresh it (more detailed VirtualBox setup instructions).

Instructions to access the image contents for the whitebox and patch deadlines will be provided after the blackbox deadline.


What to Submit for the Attack Due Dates

Fill in and submit an attack summary spreadsheet. If you don't use Excel, reproduce the format of this spreadsheet in some reasonable alternative (that the TAs will be able to read and edit).

Be sure to fill in your name in cell A1.

The spreadsheet has two sections:

Each attack you list should be qualitatively different. Multiple versions of the same attack will cost you points. Attacks are the same if they exploit the same vulnerability with the same result (i.e., both use code injection with the same constructs in the same field to achieve the same goal). If you list multiple attacks that look similar but that you believe are distinct, give us a sentence or two of justification.

On the day that the whitebox tests are due, we will review some of the vulnerabilities that you found in class. You are free to draw on the attacks found by other students when you patch the code for the third deadline.


For the Patch Due Date

Submit a zip file containing the edited versions of the source code and a README.txt file. For each patch you made, describe the edit at a high level (such as "added filtering to the X input"), the class of attacks the edit is designed to prevent, and where in the code (which files and which functions/definitions) you made the changes that implement the patch. Your goal is to fix the code to prevent as many attacks as possible, not just the attacks you personally identified for the first two deadlines.


Grading

In grading this assignment, we will look for:

We will not announce a number of attacks that you should aim for because real-world systems don't come with this information. A comprehensive and systematic attack strategy is your best evidence for the quality of your work on this assignment (it also helps us gauge your respective abilities in identifying vulnerabilities and crafting exploits).
