Assignment 2 - Application Exploitation

Description

This assignment will focus on the exploration of vulnerabilities in software projects, and the creation of detailed reports with the findings. The target applications will consist of the applications submitted in the last assignment, and made available in the DETI computation infrastructure.

For each vulnerability found, the report should describe why it exists, how it was exploited, which CWEs are associated with it, and what its expected CVSS is. Students may exploit as many applications as they wish, but the report should focus on the complete exploitation (all vulnerabilities) of a single application.

It is expected that a user reading the final report can fully understand how the exploit was achieved and the reasoning behind it, as well as all required preparatory steps and enumeration.

The project should be implemented by a group of 3 students, and MUST reside in a private repository in the github/detiuaveiro organization, using the GitHub Classroom functionality (this is mandatory).

Delivery and Grading

Delivery should consist of a repository with at least a report and the output of the different tools:

  • analysis: contains scripts/textual descriptions/logs/screen captures demonstrating the exploration of each vulnerability;
  • README.md: contains the project description and authors, and identifies the vulnerabilities implemented.

Projects will be graded according to the quality of the writeup provided and the impact and number of vulnerabilities found. If an application is attacked, but not all vulnerabilities are found, the authors may be awarded some points.

Finding more vulnerabilities than expected will yield bonus points.

This project is expected to be authored by the students enrolled in the course. The use of existing code snippets, applications, or any other external functional element without proper acknowledgement is strictly forbidden. Themes and Python/PHP/JavaScript libraries can be used, as long as the vulnerabilities are created by the students. If any content lacking proper acknowledgement is found in other sources, the current rules regarding plagiarism will be followed.
