Web Programming & Security Project

This document outlines 4 tasks for a web security project. Task 1 involves cracking a password by using a dictionary attack on a hashed password retrieved from a database. Task 2 adds salt to the hashed passwords and requires writing a program to crack the password. Task 3 involves performing a SQL injection attack to login without a valid password. Task 4 requires rewriting the login program to prevent SQL injection using prepared statements. Screenshots of the login process are required for each task, and all files must be submitted in a zip folder to complete the project. Additional details and resources are provided to help with each task.

WEB PROGRAMMING & SECURITY PROJECT

PART-2: WEB SECURITY (25 Points)


You will learn:
1. uses of one-way hash functions such as SHA-1
2. the importance of choosing strong passwords
3. how weak passwords can be cracked using dictionary/rainbow table attacks
4. using salt to mitigate dictionary attacks
5. SQL injection attacks
6. how to write programs that mitigate SQL injection

DELIVERABLES
There are four tasks: Task-1 (25 points) + Task-2 (25 points) + Task-3 (25 points) + Task-4 (25 points).

ZIP all the following documents into one file before submitting:
Task-1:
(1) Password (save it in passwordTask1.txt)
(2) Screenshots –
(a) Login page showing username and password
(b) Greetings page (see image-2)
Task-2:
(3) Password (save it in passwordTask2.txt)
(4) Screenshots –
(a) Login page showing username and password
(b) Greetings page (see image-2)
Task-3:
(5) Screenshots –
(a) Login page that clearly shows the payload (username and password) you used for the SQL injection attack
(b) Greetings page for Admin
Task-4:
(6) The new program checkPW.php that prevents SQLi.
(7) Screenshots –
(a) Login page that clearly shows the SAME payload (username and password) you used for the SQL injection attack in Task-3
(b) Error page that informs that the user name or password is wrong

CONDITIONAL BONUS:

If you get more than 50% in this assignment (Project-part2), 10% of your score will be added to your
final score as bonus.

1|Page
TASK-1 (25%) : Password Cracking
Check: John The Ripper: http://www.openwall.com/john/ & https://wiki.skullsecurity.org/Passwords

Check: Security Tools: http://sectools.org/ & https://www.concise-courses.com/hacking-tools/top-ten/

Check also the Table-1 (pg. 5) that gives the first 100 popular passwords and their MD-5 values
(downloaded from http://www.passwordrandom.com/most-popular-passwords).

Image-1 shows 3 entries in the Member table of the ACM database (created in Part-1 of this project). The
passwords for the 2nd row (Selva Mohan’s) and 3rd row (Steven Bourquin’s) were selected from Table-1.

In the ACM database, all passwords are hashed with SHA-1 (not MD-5) before being stored in the database.
For example, Steven’s password is cowboy – it is the 100th entry in the table. You can generate the SHA-1
hash of any text with an online tool (https://passwordsgenerator.net/sha1-hash-generator/): generate the
SHA-1 hash of ‘cowboy’ and check it against the value in the database table in Image-1.

As you can see in Image-1, the SHA-1 hash of Mohan’s password is
c60266a8adad2f8ee67d793b4fd3fd0ffd73cc61; obviously, Mohan’s password itself is not known. Your
task is to crack this password.

Image-1

This task is easy since Mohan’s password is also selected from the first 100 popular passwords (given in
Table-1). You may use a pre-computed dictionary attack/rainbow table attack to crack the password (see
https://en.wikipedia.org/wiki/Dictionary_attack). In the Google era, this task may be very easy.

For this task, to get the required screenshots similar to image-2 (but showing user name and password)
and image-3, you first have to include the second row of Image-1 in the Members table of the ACM
database. Note that the password must be inserted literally as the hash value shown (don’t select the SHA1
function, otherwise it will hash the hash again: c60266a8adad2f8ee67d793b4fd3fd0ffd73cc61). Alternatively,
you can include this row after you crack the password (with the SHA-1 function selected for the password
column – see image 13 in project-part-1). After that, use the HTML and PHP code you developed in Part-1 of
the project: type localhost/csc3800PP1/login.html in a browser, and when you submit the user name
mohanara and the correct password (see image-2) you should get a welcome screen like image-3.

Image-2 Image-3

Deliverables for Task-1:

(1) Password (for task-1)

(2) Screenshots –

(a) Login page clearly showing username and password for task-1

(b) Greetings page (see image-2)

TASK-2 (20%) : Password Cracking (with SALT)


In this Google era, Task-1 is very easy. Since the password is a very common one, a dictionary/
rainbow-table attack can be used to crack it. A SALT can be used to prevent this type of attack based on
pre-computed tables (see https://en.wikipedia.org/wiki/Salt_(cryptography)). In general, a salt is a
random string generated for each password and concatenated with the password before the hash function
is applied.

Check the table in Image-3. It shows 3 entries in the Member table. Unlike Image-1, this table
uses salts; in general, a different salt should be generated for each password. However, to make it simple for this
assignment, the first name of each person is used as the salt for their password. For example, for Steven
the salt is Steven: Steven’s password cowboy and the first name Steven are concatenated to form the
password string cowboySteven. The SHA-1 hash of this string is 39FFBF05CBA9E0C0DCDC4CCBD20359057E33071E. Check
this at https://passwordsgenerator.net/sha1-hash-generator/. Hexadecimal digits are used.
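As an added illustration (not part of the assignment text and not the project's own code), the following Python mirrors the two storage schemes using a constructed five-word stand-in for Table-1: a table of pre-computed SHA-1 hashes matches the unsalted storage of Task-1 in one lookup but misses the salted storage, and a random per-user salt gives the same password different hashes for different users.

```python
import hashlib
import secrets

# Constructed stand-in for Table-1 (not the page's full list of 100 passwords).
WORDLIST = ["123456", "password", "qwerty", "letmein", "cowboy"]


def sha1_hex(text: str) -> str:
    """Lowercase hex SHA-1 of a UTF-8 string, like the page's sha1() helper."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def store_unsalted(pw: str) -> str:
    """Task-1 style storage: sha1(pw)."""
    return sha1_hex(pw)


def store_salted(pw: str, salt: str) -> str:
    """Task-2 style storage: sha1(pw + salt), with the salt appended as on the page."""
    return sha1_hex(pw + salt)


def precomputed_table(words) -> dict:
    """The attacker's table, built once and reused for every stored hash: sha1(pw) -> pw."""
    return {sha1_hex(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """One table lookup per stored hash; None when the hash is not in the table."""
    return table.get(stored_hash.lower())


def new_salt() -> str:
    """A random per-user salt, the general case the page describes."""
    return secrets.token_hex(8)


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    # Unsalted: one pre-computed table covers every account with a common password.
    print(lookup(table, store_unsalted("cowboy")))          # cowboy
    # Salted with the first name as in Task-2: the same table no longer matches.
    print(lookup(table, store_salted("cowboy", "Steven")))  # None
    # Random salts: the same password stored for two users hashes differently.
    print(store_salted("cowboy", new_salt()) != store_salted("cowboy", new_salt()))  # True
```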

Image-3
Again, your task is to crack Mohan’s new password. This is not as easy as Task-1 since a salt is used. As you
know the password is selected from Table-1, you may manually concatenate ‘Selva’ with each password
given in Table-1, generate its SHA-1 hash, and check it against the password entry above (6e07..).

This is doable but tedious. Instead, you may write a program (for example in Java; help on a Java program that
generates the password strings from the table and compares their hashes with the given hash is given at the end).

To test the login process, you need to change checkPW.php and register.php slightly.

For example, in checkPW.php you need to fill in ?????? with appropriate code (to concatenate the salt with the
password):
$SQL = $SQL . " WHERE userName = '$uName1' AND password = sha1( ??????)";

Similarly, you need to make the corresponding changes in register.php if you use it to store new records (to
concatenate the salt with the password before hashing).

In the login screen, when you submit the user name mohanara and the correct password, you should get
a welcome screen similar to Image-2.

Deliverables for Task-2:

(3) Password (for task-2)

(4) Screenshots –

(a) Login page clearly showing username and password for task-2

(b) Greetings page (see image-2)

TASK-3 (25%): SQL Injection (SQLi)


Check:
https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection
https://blog.detectify.com/2016/04/06/owasp-top-10-injection/
As mentioned in HW-4, checkPW.php is vulnerable to SQL injection. A malicious person may log in
to the system without knowing a valid user name and password.

See Image-1 on a previous page, which shows some records of the Member table. The first record contains the
Administrator’s user name and password. If you don’t have the Admin’s record in your Member table,
include one. Use the values in Image-1 for first name, last name, user name and email. You may select
any password for admin (note that your stored hash value will then differ from the one in Image-1).

Now, as a pen tester, pretend that you are a malicious person who is attempting to log in to the system as
Admin (obviously, you don’t know the admin’s password). In this task, you are required to create a
payload (a username and password) that uses SQL injection to get into this system. If you succeed,
you should get a screen like image-5.

Image-4
Deliverables for Task-3:

(5) Screenshots –
(a) Login page that clearly shows the payload (username and password) you used for the SQL injection attack
(b) Greetings page for Admin (see image-4)

TASK-4 (25%): SQLi Prevention & Mitigation


Check:

http://culttt.com/2012/09/24/prevent-php-sql-injection-with-pdo-prepared-statements/

https://software-security.sans.org/developer-how-to/fix-sql-injection-in-php-using-prepared-statements

SQL injection has been a well-known attack for more than 15 years, and it is easy to prevent. However, a
recent study shows that millions of websites still have this vulnerability.

In this task, you are required to rewrite the program checkPW.php (given in Part-1 of this project) in
order to prevent SQL injection. You may use PDO (PHP Data Objects) or another suitable technique that
keeps user input out of the SQL text, such as prepared statements with bound parameters.
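As an added example (not the project's checkPW.php and not part of the assignment), the same login check written in Python against an in-memory SQLite table: the string-concatenated query the page warns about beside its parameterised form. The rows, usernames and admin password are constructed here; sha1() is registered as a SQL function so the query can hash password || firstName as the Task-2 version does.

```python
import hashlib
import sqlite3


def sha1_hex(text: str) -> str:
    """Lowercase hex SHA-1 of a UTF-8 string (the format MySQL's sha1() returns)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the ACM Member table. sha1() is registered as a
    SQL function so the query can compute sha1(password || firstName)."""
    con = sqlite3.connect(":memory:")
    con.create_function("sha1", 1, sha1_hex)
    con.execute("CREATE TABLE member (firstName TEXT, userName TEXT, password TEXT)")
    # Constructed rows and usernames; Steven's password 'cowboy' salted with 'Steven'.
    con.executemany("INSERT INTO member VALUES (?, ?, ?)", [
        ("Admin", "admin", sha1_hex("placeholder-admin-pw" + "Admin")),
        ("Steven", "steven_b", sha1_hex("cowboy" + "Steven")),
    ])
    return con


def check_pw_concat(con, user: str, pw: str):
    """Vulnerable form, like the original checkPW.php: the input is pasted into
    the SQL text, so a quote in the input changes the structure of the query."""
    sql = ("SELECT firstName FROM member WHERE userName = '" + user
           + "' AND password = sha1('" + pw + "' || firstName)")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def check_pw_prepared(con, user: str, pw: str):
    """Hardened form: the SQL text is fixed and the inputs are bound parameters,
    so a quote in the input is only part of the value being compared."""
    sql = ("SELECT firstName FROM member WHERE userName = ? "
           "AND password = sha1(? || firstName)")
    row = con.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def concat_query_breaks(con, user: str, pw: str) -> bool:
    """True when the concatenated query is no longer valid SQL for this input."""
    try:
        check_pw_concat(con, user, pw)
        return False
    except sqlite3.OperationalError:
        return True
```

A username such as o'neil is enough to show the difference: the prepared form simply finds no such member, while the concatenated form produces a malformed query.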

Deliverables for Task-4:

(6) The new program checkPW.php that prevents SQLi.
(7) Screenshots –
(a) Login page that clearly shows the SAME payload (username and password) you used for the SQL injection attack in Task-3
(b) The page that informs that the user name or password is wrong

Task-2 Help (Java Program to find a password when used with a salt)
First, store the password table (see Table-1 below) in a text file (say pws.txt). If you are using Eclipse,
save in the same Project folder. The following code can be used to access the fields in each line:
import java.io.File;
import java.io.FileNotFoundException;
import java.util.Scanner;

public class Task2Help {
    public static void main(String[] args) {
        String salt = "Selva"; // in this task the first name is used as salt
        String hPW1 = "6e0701e7c4e8c174ff7fd797d86bb86e9bef07d1"; // this is sha1(pw + "Selva")
        File pws = new File("pws.txt"); // store pws.txt in the default folder, or use an absolute path name
        try {
            Scanner scan = new Scanner(pws);
            while (scan.hasNextLine()) {
                String[] line = scan.nextLine().split("\\s+"); // split each line of Table-1 into 3 fields; line[1] is the password
                // to complete this part you need to use the sha1() function given below; check section "SHA-1 in Java"
            }
            scan.close();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        }
    }
}

SHA-1 in Java 

To get the SHA-1 hash of some "text", you need to call a function like SHA1("text") in Java. But SHA1() is
not directly available in the Java libraries. You have to use the following methods (or use Apache Commons Codec).

http://www.anyexample.com/programming/java/java_simple_class_to_compute_sha_1_hash.xml

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Sha1Helper {

    /* returns sha1 of text as a hex string of length 40 (2 * 20 bytes) */
    public static String sha1(String text)
            throws NoSuchAlgorithmException, UnsupportedEncodingException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(text.getBytes("UTF-8"));
        byte[] sha1hash = md.digest(); // sha1hash contains sha1(text) as a 20-byte array
        return convertToHex(sha1hash); // convert the byte array to a hex string
    }

    /* to convert a byte array to a hex string; e.g. {11110001, 11100010} to f1e2 */
    private static String convertToHex(byte[] bArray) {
        StringBuilder buf = new StringBuilder();
        for (byte b : bArray)
            buf.append(convertByteToHex(b));
        return buf.toString();
    }

    /* to convert a byte to two hex digits; e.g. 11110001 to f1 */
    private static String convertByteToHex(byte b) {
        int firstNibble = (b >>> 4) & 0x0F;
        int secondNibble = b & 0x0F;
        return "" + convertNibtoHex(firstNibble) + convertNibtoHex(secondNibble);
    }

    /* to convert a nibble (4 bits) to a hex digit; e.g. 1111 to f, 0010 to 2, etc. */
    private static char convertNibtoHex(int halfbyte) {
        if ((0 <= halfbyte) && (halfbyte <= 9))
            return (char) ('0' + halfbyte);
        else
            return (char) ('a' + (halfbyte - 10));
    }
}

TABLE-1

