The copy of the “fake bank” application code that was provided for your reference in the previous assignment is now “live.” That means there’s a database set up for you, and you can access your copy of the application through a web browser. Each student has their own copy of the code and their own database, so you don’t need to worry about interfering with any other student’s work. If you completely mess up your code, you can get a fresh copy from directory /home/softsec/fakebank
. If you want to use a real programmer’s approach, you could put your code under Git version control to allow rollbacks if you mess things up, but that’s optional (only for your benefit) in this assignment.
One note for those without experience in web development like this: There’s a hidden file named .htaccess
in your fakebank
app directory. This file can be used to change various PHP settings – for example, the version that is there right now turns on error reporting so that accessing a PHP page with an error (syntax or runtime) will report an error to the client. That is generally a very bad idea on a production system since it gives additional information about how your application works to potential attackers, but is vital for development work. Because of this, PHP turns off error reporting by default, but that default is overridden in the .htaccess
file. That should be the only PHP option that you really need to think about, but other changeable options can be found in the PHP documentation if you are interested.
Here are the tasks you need to perform for this assignment. You should also submit a PDF document in Canvas with a very brief (1-3 sentence) explanation of your solution for each problem. I will access the code itself on our class server for grading, so there’s no need or benefit to quoting code changes in your document. Just describe where you made changes and what you were trying to accomplish — I will use the PDF submission to guide where to look in the code for your solution. The PDF will also provide the timestamp for this being an on-time vs a late submission.
Remove all SQL injection vulnerabilities from the code. That means that all SQL queries should be protected, not just the login vulnerability you exploited for problem 1 in the previous assignment – so, for example, the SQL injection to list all transactions that we performed in class should also not work. For partial credit you can quote input fields directly using the php function mysqli_real_escape_string
, but for full credit you must change all queries to parameterized queries. For a small amount of extra credit, you can change all database interactions from the older MySQL-specific functions in provided code to the portable PHP data objects (PDO
) database interface.
Remove the direct object reference vulnerability that you exploited for problem 2 in the last assignment. Your fix should add appropriate access controls to the message access code.
Remove the cross-site scripting vulnerability that you exploited in problem 3 in the last assignment. For full credit, you can just take a simplistic approach and just disallow all HTML entities in messages by processing user input with the PHP htmlspecialchars
function. For extra credit, you can perform more advanced input sanitization and/or add an extra layer of protection by adding CSP (as discussed in Assignment 3) headers using the PHP header
function. You must still sanitize inputs though, even if you enable CSP.
Add code to protect against the range check vulnerability that was exploited in problem 4 of the last assignment. An appropriate range check must be performed on the server side for this.
Remove the CSRF vulnerability that was exploited in problem 5 of the last assignment. You should add (and check!) a good CSRF token into the money transfer form for this solution.