# CMP 5006 - Information Security

## Homework 2

- Work in groups of 2 or 3
- For submission, clone the class repo and create a branch for your homework. You will add your homework to the "homework_2" folder. Create a folder inside with the name format "last_name-hw2". Submit a pull request.
- In D2L submit a zip file with your homework, and in the comments include the link to your pull request.
- Also, in D2L include a grade (between 0 and 10) evaluating how well each of your partners collaborated on the work.

## Overview

In this homework assignment, you will explore various aspects of web security through hands-on exercises. You will work with DVWA (Damn Vulnerable Web Application), Kali Linux, and an open-source WAF (Web Application Firewall). This assignment is designed to give you practical experience with both offensive and defensive security techniques.

## Requirements

- Work in groups of 2-3 students
- Each group needs at least 2 computers:
  - Computer 1: Running Kali Linux (attacker)
  - Computer 2: Running DVWA and ModSecurity WAF (target/defender)
- Duration: 2 weeks
- Deliverable: A comprehensive report detailing your methodology, findings, and mitigation strategies

## Setup Instructions

1. **Computer 1 (Attacker)**:
   - Install Kali Linux (VM is acceptable)
   - Ensure tools like Burp Suite, OWASP ZAP, and sqlmap are installed and updated

2. **Computer 2 (Target/Defender)**:
   - Install DVWA (follow instructions at [DVWA GitHub](https://github.com/digininja/DVWA))
   - Install and configure ModSecurity as your WAF
   - Set up basic logging for the web server
## Problem 1: Authentication Attacks and Password Cracking

**Objective**: Analyze and exploit authentication mechanisms, crack password hashes, and implement defenses.

**Tasks**:
1. Set DVWA security level to "medium"
2. Extract password hashes from DVWA's database
3. Use John the Ripper and Hashcat to crack the obtained password hashes
4. Create a custom wordlist and rule set for more efficient password cracking
5. Perform a brute force attack on DVWA login using Hydra
6. Implement and test ModSecurity rules to prevent brute force attacks
7. Elevate DVWA security to "hard" and document the differences in authentication mechanisms
8. Attempt to bypass the "hard" level protections
9. Document effective countermeasures for each attack vector

**Deliverables**:
- Password hashes extracted from DVWA
- Screenshots of successfully cracked passwords
- Custom wordlist and rule sets created (first 10 entries only)
- Hydra command syntax and results
- ModSecurity rules implemented
- Comparative analysis of medium vs. hard security levels
- Recommended authentication best practices

## Problem 2: SQL Injection at Different Security Levels

**Objective**: Compare and exploit SQL injection vulnerabilities at medium and hard security levels.

**Tasks**:
1. With DVWA set to "medium", manually identify SQL injection vulnerabilities
2. Document the differences between "low" and "medium" security level protections
3. Create at least three different SQL injection payloads that bypass medium security
4. Use sqlmap to attempt automated exploitation at medium security level
5. Change DVWA security to "hard" and attempt the same attacks
6. Document which attacks succeeded and failed at each level
7. Implement ModSecurity rules specifically designed to prevent the successful attacks
8. Test the effectiveness of your WAF rules against your payloads

**Deliverables**:
- Documented SQL injection payloads for medium and hard levels
- Analysis of security controls at each level
- sqlmap command syntax and output
- Screenshots of successful and failed attacks
- ModSecurity rule configurations
- Bypass techniques that worked against your WAF rules, if any
- Recommended SQL injection prevention strategies

## Problem 3: Cross-Site Scripting (XSS) and WAF Evasion

**Objective**: Exploit XSS vulnerabilities at higher security levels and develop WAF evasion techniques.

**Tasks**:
1. Set DVWA security to "medium"
2. Identify reflected and stored XSS vulnerabilities
3. Develop at least three XSS payloads that bypass medium-level filters
4. Create a JavaScript payload that steals cookies and sends them to your attacker machine
5. Change DVWA security to "hard" and analyze the additional protections
6. Develop obfuscation techniques to bypass hard-level XSS protections
7. Configure ModSecurity with OWASP CRS to protect against XSS
8. Create and document at least three different WAF evasion techniques
9. Test each evasion technique and document results

**Deliverables**:
- XSS payloads for medium and hard security levels
- JavaScript code for cookie stealing
- Analysis of XSS protections at each security level
- WAF evasion techniques with examples
- ModSecurity configuration and rule tuning
- Screenshots of successful and failed attacks
- Recommended XSS prevention strategies

## Problem 4: File Upload Vulnerabilities and Hash Analysis

**Objective**: Exploit file upload vulnerabilities and analyze secure file handling.

**Tasks**:
1. Set DVWA to "medium" security level
2. Analyze the file upload restrictions
3. Bypass the upload restrictions to execute a simple PHP backdoor
4. Calculate and document MD5 and SHA-256 hashes of your uploaded files
5. Set DVWA to "hard" and attempt to bypass the more stringent restrictions
6. Use ExifTool to embed PHP code in an image file's metadata (create a polyglot file)
7. Configure ModSecurity rules to detect and block malicious file uploads
8. Generate rainbow tables for a small set of password hashes and perform lookups
9. Document your file upload bypass techniques and their effectiveness

**Deliverables**:
- Source code of PHP backdoor used for upload
- File hashes (MD5 and SHA-256) of all uploaded files
- Commands and techniques used to bypass upload restrictions
- ExifTool commands and polyglot file creation process
- ModSecurity rules for upload protection
- Rainbow table generation process and lookup results
- Analysis of file upload security controls at each level
- Recommended secure file upload practices

## Problem 5: Command Injection and Network Forensics

**Objective**: Exploit command injection vulnerabilities while performing network analysis.

**Tasks**:
1. Set DVWA to "medium" security level
2. Set up packet capture on both machines using Wireshark
3. Identify command injection vulnerabilities in DVWA
4. Create payloads that establish a reverse shell connection to your attacker machine
5. Encode your payloads to bypass medium-level filters
6. Elevate to "hard" security level and develop more sophisticated bypass techniques
7. Analyze captured network traffic to identify indicators of compromise
8. Create ModSecurity rules to detect and block command injection attacks
9. Perform forensic analysis on logs to identify attack patterns
10. Implement network-level detection rules
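
As an added example (not part of the assignment, DVWA or ModSecurity), a small Python checker for the log-analysis steps of Problem 1 (brute force detection) and Problem 5 (command injection patterns): it parses Apache access-log lines from the target, flags source IPs that burst login POSTs, and flags requests whose URL-decoded path carries shell metacharacters. The login path, the DVWA exec path, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote
# Constructed sample of the target's Apache access log (combined format): a 12-attempt login
# burst from 10.0.0.5, one ordinary login, one injected and one clean DVWA exec request.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2025:10:00:{i:02d} +0000] "POST /login.php HTTP/1.1" 302 512'
    for i in range(12)
] + [
    '10.0.0.7 - - [12/Mar/2025:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 512',
    '10.0.0.5 - - [12/Mar/2025:10:02:00 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1%3Bid&Submit=Submit HTTP/1.1" 200 4096',
    '10.0.0.9 - - [12/Mar/2025:10:02:05 +0000] "GET /vulnerabilities/exec/?ip=127.0.0.1&Submit=Submit HTTP/1.1" 200 4010',
]

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Shell separators, command substitution and reverse-shell indicators, matched after URL-decoding.
CMDI_RE = re.compile(r'(;|\|\||&&|`|\$\(|\n|/bin/(ba)?sh|/dev/tcp/)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # line is not in the expected combined format
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def brute_force_sources(entries, login_path="/login.php", threshold=10, window_s=60):
    """IPs with more than `threshold` login POSTs inside any `window_s`-second window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith(login_path):
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # threshold+1 consecutive attempts whose first and last fall inside the window
        if any((times[i] - times[i - threshold]).total_seconds() <= window_s
               for i in range(threshold, len(times))):
            flagged.add(ip)
    return flagged

def command_injection_hits(entries):
    """(ip, decoded path) for requests whose decoded URL carries shell metacharacters."""
    hits = []
    for e in entries:
        decoded = unquote(unquote(e["path"]))  # two passes catch double-encoded payloads
        if CMDI_RE.search(decoded):
            hits.append((e["ip"], decoded))
    return hits
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file's lines; the same two functions are a reasonable starting point for the ModSecurity rule logic asked for in the tasks above.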

**Deliverables**:
- Command injection payloads for both security levels
- Encoding/obfuscation techniques used
- Packet capture files (truncated to relevant sections)
- Network traffic analysis highlighting attack indicators
- ModSecurity rules implemented
- Log analysis findings
- Recommended command injection prevention measures

## Problem 6: Comprehensive WAF Implementation and Testing

**Objective**: Implement and evaluate a defense-in-depth approach using a WAF.

**Tasks**:
1. Implement ModSecurity with OWASP CRS at different paranoia levels
2. Create custom rules based on findings from previous exercises
3. Configure virtual patching for at least three vulnerabilities in DVWA
4. Perform a security assessment of your WAF implementation
5. Document false positives and tune rules accordingly
6. Create a ModSecurity logging and monitoring plan
7. Develop at least three advanced WAF bypass techniques
8. Test your WAF against all DVWA modules at both medium and hard levels
9. Create a ModSecurity rule to specifically detect password hash extraction attempts
10. Document the performance impact of different WAF configurations

**Deliverables**:
- Complete ModSecurity configuration
- Custom rules created for DVWA protection
- Virtual patching implementations
- WAF testing methodology and results
- WAF bypass techniques and their effectiveness
- Performance impact analysis
- Rule tuning documentation
- Recommended WAF best practices
## Note

Please respect ethical guidelines while performing these exercises. Do not attempt these techniques on systems without explicit permission. All work should be performed in your isolated lab environment only.
