
FIT1093 Assignment 3

Semester 2, 2025

Please read it carefully before submitting the assignment

Submission Guidelines and Tasks

Assignment 3 is worth 30% of the total unit marks.

Deadline: Assignment 3 submission is due in Week 14 on November 7, 2025, at 23:55 Melbourne, Australia time. This task is individual (not group) work, and it must be submitted by each student individually.

Submission:

'Assignment 3 Submission (30%)' link on the Moodle Assessments page.

Required Files for download: A shell script fit1093_a3_initialisation.sh for the assignment is available for download via the Assignment 3 Submission link.

File Format for Submission: A PDF with answers for Tasks 1-4 submitted via the 'Assignment 3 Submission (30%)' Moodle link.

Page Limit: PDF documents must be no more than 15 pages, excluding the cover page and references.

Submission Status: Marking is only available for submissions in the 'Submitted' status. NO grading will be given for the status of 'Draft'.

Revert Submission: NO reversion of the Submitted status to draft will be offered.

Plagiarism: It is an academic requirement that your submitted work be original. Zero marks will be awarded for the whole submission if there is any evidence of copying, collaboration, pasting from websites, or copying from textbooks.

Use of Generative AI tools: ChatGPT or other AI tools may be used for study purposes, to learn about your topic, and to develop your assignment. However, similar to citation requirements for other references, you must include an explicit declaration of all generative AI tools used (e.g., ChatGPT, DALL-E, Grammarly, voice-to-text), detailing how and where you have used them. Examples of declaring the use of AI can be found at

https://www.monash.edu/student-academic-success/build-digital-capabilities/create-online/acknowledging-the-use-of-generative-artificial-intelligence#tabs__3254796-01.

Late submission / Special Consideration policy:

■ Standard Monash policy for late submission penalties will be applied (i.e. 5% deduction per day of late submission after the deadline, see

https://www.monash.edu/learning-teaching/teachhq/Assessment/marking-and-grading/how-to/calculating-late-penalties).

Assignment Overview

Your goal is to perform security testing on a mini web app to find web and database injection vulnerabilities using techniques from the Web and Database Security lectures. Then, you need to demonstrate how to exploit these vulnerabilities to break the app's security.

All tests should be performed in your unit VM, and you should then submit a PDF report following the instructions provided in Tasks 1-3. Task 4 is a reflection on the invited lecture in Week 12.

Task 1: demonstrate your understanding of XSS vulnerabilities by testing the web application for such issues and assessing whether they can be exploited.

Task 2: demonstrate understanding of client-side penetration testing by attempting to bypass the web app’s access control for private documents.

Task 3: demonstrate your ability to test for SQL injection vulnerabilities in a web application component that queries an SQL database, and exploit any vulnerabilities to gain unauthorised access.

Task 4: demonstrate your understanding and reflection on the invited industry lecture in week 12.

Assignment 3 is marked out of 100 marks with allocations as shown below.

Criteria                                                                   Max marks

Task 1                                                                     35
  (1A) List of potential XSS vulnerability points & explain the results    10
  (1B) Testing techniques & results                                        15
  (1C) Explain the vulnerability & explain the mitigation                  10

Task 2                                                                     15
  (2A) Feasibility of the attack                                            5
  (2B) Explain your response in 2A with evidence                           10

Task 3                                                                     40 + 10 bonus
  (3A) Working steps and screenshots of Database Attack                    10
       Explain the vulnerability & explain the mitigation                  10
       Bonus for update/delete entries or drop the table                   10 (bonus question)
  (3B) Working steps of the attack                                         16
       Name the attack and the remediation                                  4

Task 4                                                                     10
  Reflection of Invited Lecture and personal security experience           10

Assignment Details

Download the shell script file from the Assignment 3 Submission link in Moodle or the link provided in the instructions.

Follow the instructions in this section to install three application services in your FIT1093 VM.

Installation of the Docker file:

1.   Download the fit1093_a3_installation.sh onto your VM and copy that file to the home directory:

cp  ~

2.   Change to home directory:

cd ~

3.   Enable execute permission for the shell script.

chmod +x fit1093_a3_installation.sh

4.   Run the file with sudo privileges:

sudo ./fit1093_a3_installation.sh

5.   Once the installation is completed, you should see the below output:

Notes: If you power off or restart the virtual machine during Tasks 1-3, you have to re-execute the shell script (step 4). Additionally, for Task 2, reset the proxy settings in Firefox as instructed in Applied Week 10 after re-execution. Otherwise, you are recommended to use the Burp Suite built-in browser, which does not require the proxy setting for Task 2.

Task 1 (35 marks): Login and Company Chat Security Test

Visit the web application's homepage at the URL http://xss.a3.techcorp.com:8081 using your browser.

Fig. 1 is the login page.

Fig.1 Login Page

After clicking the "Login" button with the credentials below, the browser should display a dashboard page, as shown in Fig. 2, and your task is to test the Company chat.

Username    Password    Domain
user1       pass123     corp

Fig. 2. Dashboard page

Fig 3: Company Chat

Your supervisor asked you to test the login and company chat pages in Figs. 1-3 and write a vulnerability report based on your findings.

In the report, you should include

Task 1A (10 marks): Based on the application behaviour for the login and company chat pages above:

o Based on the behaviour of the web application pages above with an honest user, list potential points on these pages where a reflected/stored XSS input injection vulnerability may exist. (No actual XSS attack is required in this task.)

o Explain why the points you listed are potential XSS vulnerability points.

Task 1B (15 marks): Experiment on the login and company chat pages in Figs. 1-3, and examine the behaviour with different inputs.

o For each of the potential XSS vulnerability points listed in Task 1A, perform tests to see if XSS vulnerabilities actually exist at these points.

▪ Describe and explain your testing approach.

▪ Create a table of test results and your interpretation or conclusions on whether such an XSS vulnerability exists or not (note: you only need to test if script injection is possible; social engineering considerations are not required).

o Assume you have created an attacker's application server (choose any arbitrary domain except techcorp.com), and craft a malicious script that could allow the attacker's server to receive the target user's session cookie by launching an XSS attack on one of the chosen vulnerability points.

▪ Screenshot of the script and the feasibility of receiving cookies at the attacker's application server (note: you only need to show the script and evidence of its execution to steal the cookie; no social engineering attack feasibility/demo is required).

Task 1C (10 marks): Explain which vulnerabilities are exploited and why, and how to mitigate them.
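As an added illustration of the mitigation side of Task 1C (example code written for this page, not the assignment app's own code): stored chat input is HTML-encoded before it reaches the page, and the session cookie carries HttpOnly so that even an injected script cannot read it via document.cookie, which is exactly the exfiltration Task 1B has you demonstrate. The chat messages and session identifier are constructed sample values.

```python
import html

# Constructed sample chat log: one honest message and one stored test payload
# of the kind Task 1B checks for (assumed data, not from the assignment app).
CHAT_LOG = [
    {"user": "user1", "text": "Hello team, the report is ready."},
    {"user": "user2", "text": "<script>alert('xss')</script>"},
]


def render_chat_unsafe(messages):
    """The pattern Task 1B tests for: stored input concatenated straight into
    the page, so a message containing markup is parsed as markup."""
    rows = [f'<li><b>{m["user"]}</b>: {m["text"]}</li>' for m in messages]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_chat(messages):
    """Hardened rendering: every user-controlled value is HTML-encoded.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so a stored
    message can only ever be displayed as text, never executed as script."""
    rows = []
    for m in messages:
        user = html.escape(m["user"], quote=True)
        text = html.escape(m["text"], quote=True)
        rows.append(f"<li><b>{user}</b>: {text}</li>")
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def session_cookie_header(session_id):
    """Set-Cookie value that keeps the session out of document.cookie.

    HttpOnly stops any script (including injected script) from reading the
    cookie; Secure restricts it to HTTPS; SameSite=Lax limits cross-site
    sending. Defence in depth beside output encoding, not a replacement."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```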

Task 2 (15 marks): Confidential Information Leakage Test

Your task is to investigate http://csrf.a3.techcorp.com:8081/, an Internal Employee System where users can retrieve confidential information specific to their department. The user can’t access confidential information of another department.

A set of credentials from the Engineering Department with a department ID of 103 is provided for testing purposes. However, you are advised that the department ID of HR is in the range 101-104.

Username             Password       Department Name and ID
engineering.charlie  password123    Engineering (103)

Table 1: Login for the internal employee system

Fig 4: Download Department File

Login as engineering.charlie using the above credentials. Click Download Department Files to download a text file containing sensitive information of the user's department.

Your task is to exploit the vulnerability on this page by logging in as Charlie and performing an attack using Burpsuite or any similar tool to read and download the HR file, which must not be accessible by non-HR staff.

In the report, you should include or answer:

Task 2A (5 marks): Is it possible for Charlie to gain unauthorised access to HR’s confidential data?

Task 2B (10 marks):

●   If possible, explain the vulnerability you found and how Charlie can exploit it, and show the working screenshots and the HR confidential data exposed by the attack.

If you believe it is not possible, explain why.

●   In any case, explain the tests you did, the results of HR confidential information and how you determine the information is from HR.

Hints: Utilise the Burp Suite tool (refer to the week 10 & 11 applied sessions) to help with your experiments and explore potential attacks.

Task 3 (40 marks): Database Security

A Company Information Query System (Fig. 5) at http://sqli.a3.techcorp.com:8081 allows a user to perform two operations: (1) directory service by inputting the user name in Query for User Information (Fig. 6) and (2) query for the average salary of one selected department at a chosen rank in Query for Salary Information (Fig. 7).

Fig. 5:  Company Information Query System

Task 3A (20 marks  + 10 bonus marks)

In this task, you should test the system for SQL injection vulnerabilities. Try a normal use case first by entering a username in the “Query for User Information” text box. You should include your injection inputs and the screen captures of results in your report.

Fig. 6:  Query for User Information

In your report, you should include

3A.(i) (10 marks): How to make use of the user textbox to find information about the company users; provide your screen captures to show the SQL statements and the query results clearly. The expected query results should contain:

●   All tables in the database.

●   Among the possible tables, the name of the database table which likely contains user personal private information, e.g. the user names, salary, and password.

●   List the corresponding names of fields (columns) in the database table you named above, and the values of three of the private information fields for all the users in the table.

3A.(ii) (10 marks): In the event of data exposed in 3A.(i), how to minimize the impact of password leakage? What further remediations should be taken to minimise the impact of data loss even if the database server is compromised?

3A.(iii) (10 marks) Bonus Question*: Update or delete entries in the table or even drop the table in 3A.(i). You must include your SQL queries and results in your report. No partial marks will be awarded for SQL queries only without screenshots showing the queries’ output.

* Bonus question marks will be awarded to offset your deductions in this assignment. For example, if the total mark of the tasks other than the bonus question is 89, then you will receive 99 marks including the bonus question if correctly answered. If the total mark of the tasks other than the bonus question is 98, then you will receive 100 marks in this assignment if the bonus question is correctly answered. No further assistance or clarification will be provided regarding the Bonus question.
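An added example (written for this page, not the assignment app's code) of the defect Task 3A tests for beside the fix that 3A.(ii)'s remediation discussion calls for: the same "Query for User Information" lookup once with the text-box value concatenated into the SQL string and once with a bound parameter. The in-memory users table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the query system's database. The schema and
    rows are constructed for this demo, not the assignment app's real data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, department TEXT, salary INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("user1", "Engineering", 70000),
        ("o'neil", "HR", 65000),
        ("admin", "IT", 90000),
    ])
    return con


def lookup_user_unsafe(con, name):
    """The pattern Task 3A tests for: the text-box value becomes part of the
    SQL text, so a quote in the input changes the statement itself."""
    sql = f"SELECT username, department FROM users WHERE username = '{name}'"
    return con.execute(sql).fetchall()


def lookup_user_safe(con, name):
    """Parameterised query: the driver sends the input as a bound value, so
    it is always compared as data and never parsed as SQL."""
    sql = "SELECT username, department FROM users WHERE username = ?"
    return con.execute(sql, (name,)).fetchall()


def compare(con, name):
    """Run both lookups on one input. Returns (unsafe result, safe result);
    the unsafe result is the string 'SQL error' when the input broke the
    statement, which is the symptom a tester looks for first."""
    try:
        unsafe = lookup_user_unsafe(con, name)
    except sqlite3.OperationalError:
        unsafe = "SQL error"
    return unsafe, lookup_user_safe(con, name)


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe breaks the unsafe version; the
    # tautology returns every row from it, and nothing from the safe one.
    for probe in ("user1", "o'neil", "x' OR '1'='1"):
        print(repr(probe), "->", compare(db, probe))
```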

Task 3B (20 marks)

You are given the company structure in Table 2 below. In the Company Information Query System, you can make use of Query for Salary Information (Fig. 7) to get the average salary of either

1.   All staff of a selected department, or

2.   Analysts in a selected department

Fig 7: Query for Salary Information

To ensure privacy protection, an individual's salary is not publicly disclosed. This page allows users to retrieve the average salary of all users or analysts at a selected department. You are not permitted to query the average salary of a higher rank than analyst. Your task is to assess whether the individual salary of higher-ranking staff (i.e., Manager or Senior Manager) can be leaked.

Role             Department   Name
Manager          HR           Julie Albert
Analyst          HR           Rob Genius
Analyst          HR           Bob Fish
Manager          Cyber        Alice Go
Senior Manager   Cyber        Bob Runner
Analyst          Cyber        Cat Jumper
Analyst          Cyber        Dan Throwput
Analyst          Cyber        Elaine Javelin

Table 2: Company Structure

In your report, you should include the answers to the following questions:

3B.(i) (2 marks) What is the advantage of using the radio button over the input box in 3A from the view of database security?

3B.(ii) (6 marks) Which higher-rank staff's salary information can be retrieved by making queries? Create a table to show your results.

3B.(iii) (8 marks) How can you perform the data leak? For each of the above results, why is it possible or impossible to retrieve the salary of the higher rank staff?

3B.(iv)  (4 marks) What attack is it? Give one remediation.
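An added example (written for this page, not the assignment app's code) of the query-set-size control that the remediation in 3B.(iv) points to, run over Table 2: it audits what the two permitted aggregates reveal together for each department, then shows the guarded version refusing any aggregate whose set or complement is too small. The salaries attached to Table 2's names and the threshold k are assumptions for the demo.

```python
from statistics import mean

# Table 2 with constructed salaries: the assignment publishes no salary
# figures, so these numbers are assumptions made for the demonstration.
STAFF = [
    ("Julie Albert", "HR", "Manager", 120000),
    ("Rob Genius", "HR", "Analyst", 80000),
    ("Bob Fish", "HR", "Analyst", 70000),
    ("Alice Go", "Cyber", "Manager", 125000),
    ("Bob Runner", "Cyber", "Senior Manager", 150000),
    ("Cat Jumper", "Cyber", "Analyst", 82000),
    ("Dan Throwput", "Cyber", "Analyst", 78000),
    ("Elaine Javelin", "Cyber", "Analyst", 76000),
]


def query_set(dept, analysts_only):
    """Rows the salary page aggregates over: all staff of a department, or
    only its analysts (the two radio-button choices in Fig. 7)."""
    return [r for r in STAFF
            if r[1] == dept and (not analysts_only or r[2] == "Analyst")]


def average_salary(dept, analysts_only):
    """The aggregate exactly as the page offers it, with no set-size check."""
    return mean(r[3] for r in query_set(dept, analysts_only))


def exposed_salary(dept):
    """Audit of what the two permitted aggregates reveal together.

    n_all * avg_all - n_analysts * avg_analysts is the salary total of the
    non-analysts. When that set has exactly one member, the total is that
    person's salary; with two or more members only their sum is revealed."""
    everyone, analysts = query_set(dept, False), query_set(dept, True)
    if len(everyone) - len(analysts) != 1:
        return None
    return (len(everyone) * average_salary(dept, False)
            - len(analysts) * average_salary(dept, True))


def guarded_average(dept, analysts_only, k=3):
    """Query-set-size control (assumed threshold k): refuse an aggregate when
    fewer than k rows contribute, or when its complement within the department
    has 1..k-1 rows, so no pair of allowed queries can isolate a small group."""
    rows = query_set(dept, analysts_only)
    complement = len(query_set(dept, False)) - len(rows)
    if len(rows) < k or 0 < complement < k:
        return None
    return mean(r[3] for r in rows)
```

With these constructed numbers the HR audit isolates a single person while the Cyber audit only yields the sum of two salaries, and the guard refuses both analyst-only queries.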

Hints: Refer to the SQL statement quick reference to look for a likely SQL statement for Part 3.

Task 4 (10 marks): Reflection of Invited Lecture on Week 12

In your report, you have to provide a meaningful reflection based on the invited lecture. (Each answer should be more than 120 words and less than 150 words per question.)

4A (4 marks): What is the invited lecture’s topic?

4B (4 marks): What career inspiration for you is influenced by the lecture?

4C (2 marks): What are your next actions to achieve Task 4B?

Change log

All changes to the assignment will be listed here with the time of the change (in Melbourne time):

15 Oct 2025: v1 of specs released.

23 Oct 2025: v1.1 P.3:

○    Update the filename of Download the fit1093_a3_initialisation.sh onto your VM and copy that file to the home directory to Download the fit1093_a3_installation.sh onto your VM and copy that file to the home directory.

26 Oct 2025: v1.2 P.5: Rectify mark allocations in Task 1

Task 1A(15 marks) → Task 1A (10 marks)

Task 1B(20 marks) → Task 1B (15 marks)
