184514 Computer Security 21/22 Page|1
G6077 COMPUTER SECURITY – REPORT
Application URL Sussex: http://users.sussex.ac.uk/~bcc28/G6077/LovejoyAntiques/index.html
Code (zip file) location: https://universityofsussex-my.sharepoint.com/:f:/g/personal/bcc28_sussex_ac_uk/EkTiNIBsFLVLtWCDUrYG1oUBCOTRG__4YAvKJVRgMOaodw?e=PrQZb
Task 1 – User Registration ... 3
    Registration form code ... 3
    Code when registration form submitted ... 4
    Annotation Descriptions ... 4
    Annotation Descriptions ... 5
    Accounts Database Table ... 5
    Why This Is Secure ... 6
        Password Policy ... 6
        Vulnerabilities ... 6
        Authentication ... 7
Task 2 – Develop a secure login feature ... 8
    Login Form code ... 8
    Annotation Descriptions ... 8
    Annotation Descriptions ... 8
    Code when login form submitted ... 9
    Annotation Descriptions ... 9
    Annotation Descriptions ... 10
    Login Attempts Database Table ... 11
    Why This Is Secure ... 11
        Password Policy ... 11
        Vulnerabilities ... 11
        Authentication ... 11
        Obfuscation ... 12
Task 3 – Implement password strength and password recovery ... 13
    Forgot Password Form ... 13
    Annotation Descriptions ... 13
    Reset Password Form ... 14
    Annotation Descriptions ... 14
    Annotation Descriptions ... 15
    Annotation Descriptions ... 16
    Each Password Policy Element Implemented ... 16
    Additional Security Implemented ... 17
Task 4 & 5 – Implement an “Evaluation Request” web page & Develop a feature that will allow customers to submit photographs ... 18
    Request Evaluation form code ... 18
    Annotation Descriptions ... 18
    Code when form submitted ... 19
    Annotation Descriptions ... 19
    Evaluations Database Table ... 20
    Why This Is Secure ... 20
        Vulnerabilities ... 20
        Authentication ... 20
Task 6 – Request Listing Page ... 21
    Code of the page ... 21
    Code for listing generation ... 21
    Annotation Descriptions ... 22
    Why This Is Secure ... 22
Other Files Used ... 23
    Credentials ... 23
        Description ... 23
    Configuration of Database ... 23
        Description ... 23
    Logout of website ... 23
        Description ... 23
    Main ... 24
        Annotation Descriptions ... 24
        Annotation Descriptions ... 25
        Annotation Descriptions ... 26
    Account activation ... 27
        Annotation Descriptions ... 27
        Annotation Descriptions ... 28
    Two Factor Authentication ... 29
        Annotation Descriptions ... 30
Final Self Evaluation ... 30
TASK 1 – USER REGISTRATION
REGISTRATION FORM CODE
Figure 1 – index.html (registration form).
CODE WHEN REGISTRATION FORM SUBMITTED
Figure 2 – register.php, called when user submits registration form.
ANNOTATION DESCRIPTIONS
1. Sanitizing all inputs entered by the user to protect against SQL injection attacks.
2. Further sanitization of inputs against Cross-Site Scripting (XSS).
3. Password entropy/strength check, ensuring the desired format: at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character, with a minimum of 10 characters.
4. Ensure the length of each input is reasonable and would not overload the database, then ensure the confirmation password is equal to the initially entered password.
5. Additional password requirement: the password must not be based on the username at all. This checks whether either is the reverse (palindrome) of the other, and also undoes common number/special-character replacements of letters before comparing.
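The password rules of annotations 3 and 5 as one server-side check. This is an added example, not the report's register.php; the function name and the substitution table are this example's own assumptions.

```php
<?php
// Added example, not the report's register.php: the registration password
// policy of annotations 3 and 5 as one reusable check. All names are this
// example's own.
declare(strict_types=1);

// Common number/special-character stand-ins for letters (assumed list).
// Undoing them before comparison stops "al1c3"-style variants of the
// username from passing the "not based on the username" rule.
const LEET_MAP = ['@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '!' => 'i',
                  '0' => 'o', '$' => 's', '5' => 's', '7' => 't'];

// Returns the list of policy rules the password breaks; empty means accepted.
function passwordPolicyErrors(string $password, string $username): array
{
    $errors = [];
    // Annotation 3: minimum length and one of each character class.
    if (strlen($password) < 10)                   $errors[] = 'fewer than 10 characters';
    if (!preg_match('/[A-Z]/', $password))        $errors[] = 'no uppercase letter';
    if (!preg_match('/[a-z]/', $password))        $errors[] = 'no lowercase letter';
    if (!preg_match('/[0-9]/', $password))        $errors[] = 'no number';
    if (!preg_match('/[^A-Za-z0-9]/', $password)) $errors[] = 'no special character';

    // Annotation 5: reject passwords based on the username, including the
    // reversed username and leet-substituted spellings. Usernames shorter
    // than 3 characters are skipped (this example's choice) so that a single
    // common letter does not reject every password.
    $user = strtolower($username);
    if (strlen($user) >= 3) {
        $plain      = strtolower($password);
        $normalised = strtr($plain, LEET_MAP);
        foreach ([$plain, $normalised] as $candidate) {
            if (strpos($candidate, $user) !== false || strpos($candidate, strrev($user)) !== false) {
                $errors[] = 'based on the username';
                break;
            }
        }
    }
    return $errors;
}

// Demonstration on constructed inputs: accepted, rejected via a leet variant
// of the username, and rejected on several rules at once.
foreach ([['Tr0ub4dor&3x!', 'alice'], ['Al1c3#2022xx', 'alice'], ['abc', 'bob']] as [$pwd, $user]) {
    $errors = passwordPolicyErrors($pwd, $user);
    printf("%-14s %s\n", $pwd, $errors ? 'rejected: ' . implode(', ', $errors) : 'accepted');
}
```

The same check must run on the server even though the form's HTML `pattern` attributes reject bad input in the browser, because browser-side validation can be skipped by submitting the request directly.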
Figure 3 – register.php, insertion of a successful registration into the database, along with activation email sending.
ANNOTATION DESCRIPTIONS
1. Once all entered data is valid, an SQL SELECT statement is prepared; using prepared statements protects against SQL injection.
2. Check whether the username and/or email already exist in the database. If so, stop.
3. If both the username and the email are unique, prepare another SQL statement to insert the entered data into the database.
4. Hash the password, create a unique code for account activation, and store the IP of the current session; insert these along with all entered data into the table ‘accounts’.
5. Using the function sendEmail() defined in main.php (see Figure 26), an activation email is sent to the user with a link to click on. The link contains the user’s email address and the activation code, so it is unique to the user. When the email is sent successfully, the user is told to check their inbox (and junk mail).
ACCOUNTS DATABASE TABLE
Figure 4 – accounts database table.
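The registration flow described in annotations 1 to 5 of Figure 3, written out as an added example rather than the report's own register.php. It uses PDO with an in-memory SQLite database so it runs stand-alone (the report uses MySQL), and the table and column names, the activation URL and the sample data are assumptions.

```php
<?php
// Added example, not the report's register.php: duplicate check, password
// hashing, activation code and insert, all via prepared statements. SQLite
// in memory stands in for the report's MySQL database; schema is assumed.
declare(strict_types=1);

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE accounts (
        id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, email TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL, activation_code TEXT NOT NULL, ip TEXT, activated INTEGER DEFAULT 0)');
}

// Returns ['ok' => true, 'activation_link' => ...] or ['ok' => false, 'error' => ...].
// Every query is a prepared statement (annotation 1): user input is bound as
// data and never spliced into the SQL text.
function registerAccount(PDO $db, string $username, string $email, string $password, string $ip): array
{
    // Annotation 2: refuse a duplicate username or e-mail before inserting.
    $stmt = $db->prepare('SELECT username, email FROM accounts WHERE username = :u OR email = :e');
    $stmt->execute([':u' => $username, ':e' => $email]);
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        return ['ok' => false, 'error' => $row['username'] === $username ? 'username taken' : 'email taken'];
    }
    // Annotation 4: salted one-way hash, and an activation code from a CSPRNG.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $code = bin2hex(random_bytes(16));            // 128 random bits, not guessable
    $ins = $db->prepare('INSERT INTO accounts (username, email, password_hash, activation_code, ip)
                         VALUES (:u, :e, :h, :c, :ip)');
    $ins->execute([':u' => $username, ':e' => $email, ':h' => $hash, ':c' => $code, ':ip' => $ip]);
    // Annotation 5: the link carries the e-mail address and code; sending the
    // mail itself is left out here. The host name is a placeholder.
    $link = 'https://example.invalid/activate.php?' . http_build_query(['email' => $email, 'code' => $code]);
    return ['ok' => true, 'activation_link' => $link];
}

// Login later compares against the stored hash; the plaintext is never recovered.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Demonstration with constructed data; the second username is SQL-shaped to
// show that a bound parameter is treated purely as a value.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
createSchema($db);
var_dump(registerAccount($db, 'alice', 'alice@example.invalid', 'Tr0ub4dor&3x!', '203.0.113.5'));
var_dump(registerAccount($db, "x' OR '1'='1", 'alice@example.invalid', 'Tr0ub4dor&3x!', '203.0.113.5'));
var_dump(checkLogin($db, 'alice', 'Tr0ub4dor&3x!'), checkLogin($db, 'alice', 'wrong password'));
```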
WHY THIS IS SECURE
PASSWORD POLICY
• I believe I have implemented a very good password policy: the registration form enforces a minimum of 10 characters, including at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character (Figure 2, Annotation 3).
• With this, even the weakest password the policy allows, i.e. 6 lowercase letters, 1 uppercase letter, 1 number and 1 special character, gives 59 bits of entropy, or 5.9873694e+19 possible combinations, which cannot be brute forced.
• In addition, the rule that the password cannot be based on the username (Figure 2, Annotation 5) ensures that a brute-force attack using known usernames will not be effective.
• The passwords are hashed before being stored in the database (Figure 3, Annotation 4). The function password_hash() creates a new password hash using a strong one-way hashing algorithm along with a randomly generated salt.
• With this function, the plaintext password never needs to be stored or recovered, because password_verify() checks whether an entered password matches the stored hash.
• Finally, regarding password policy, the user must select 1 of 6 security questions and provide an answer, which is used when the user needs to reset their password. This ensures that if a user’s email is compromised, an unauthorised party cannot reset the user’s password.
VULNERABILITIES
• Vulnerabilities such as SQL injection, cross-site scripting (XSS) and duplicate email/username account creation are well protected against in this section. In addition, using HTML validation, all fields are given the attribute ‘required’, ensuring a user has entered something in each field, and some use regex patterns to ensure only valid data is entered (Figure 1).
• For example, all fields have been given a pattern so that characters not in the regex are not accepted. This means users cannot input special characters like ‘=’, ‘&’ and ‘;’, which are required for SQL injection statements, or ‘<>’, used for XSS. HTML validation runs only in the browser and can be skipped by submitting the request directly, so the server-side checks below are still needed.
• In addition, all user inputs are sanitized using the PHP functions mysql_real_escape_string() and htmlspecialchars().
• mysql_real_escape_string() provides protection against SQL injection by escaping special characters in a string that could otherwise be interpreted as part of an SQL statement (Figure 2, Annotation 1).
• htmlspecialchars() provides protection against XSS attacks by converting some predefined characters to HTML entities (Figure 2, Annotation 2). The character replacements are as follows (the single quote is only converted when the ENT_QUOTES flag is set, which is the default from PHP 8.1):
o & (ampersand) becomes &amp;
o ” (double quote) becomes &quot;
o ‘ (single quote) becomes &#039;
o < (less than) becomes &lt;
o > (greater than) becomes &gt;
• This means XSS attacks like ‘