I have a homework assignment, and all I need is a paraphrase of it, but it has to keep the same ORDER, just changing the words a little bit, adding more, and so on. I have attached the HW in a Word doc. Let me know if you have any questions. Thank you!
Unformatted Attachment Preview
101_First of all, on the login page I opened the tamper and I removed the password, and it showed me some error on the page. The result of this NullPointerException is the displaying of a small portion of the relevant page code via a standard Tomcat 500 Error page. So, the benefit of the displayed code is to learn the location of the include file that contains the database connection credential information.

110_On the Frequently Asked Questions page I removed the "Topic" from the URL address, and then I clicked enter, and that should display a Tomcat error page with a portion of the JSP page's code shown. Moreover, the benefit of the displayed code will be to learn the input filtering code to more easily find a way to evade it.

111 112_The topic URL variable's value is filtered to replace any instance of ../ with a blank string to prevent directory traversal. Because this process is not recursive, by using .// the filter will remove the inner-most ../ and leave the remaining ../ intact. This should be used in conjunction with Goal 112.

112_The topic URL variable's value is appended with .html. By placing a question mark at the end of the original variable's value, the appended .html appears to be part of the query portion of the included URL (e.g. index.jsp? becomes index.jsp?.html).

101_"This is a simple SQL Injection vulnerability that allows a user to enter a basic login bypass SQL Injection (e.g. OR a=a) in order to log in as a user. More advanced injections will allow the user to attempt to log in as a specific user and not just the first in the database. This will only allow access to a customer's account and not to a higher-privileged account (admins and managers must log in through the /secure/login.jsp)."

102_"Because the login page simply hashes the password without any salting before sending it to the server, a password hash found in the database could be replayed with a tool like Tamper Data that modifies POST request variables after the form submit takes place. This requires successfully gaining access to the MySQL database. If real victim users were using this web application on your network, it would be possible to obtain a hash by packet sniffing their login attempts."

300_"The only method of initially gaining access to the /secure/siteadmin/ area of the site is by logging in through the /secure/login.jsp with correct site admin credentials. In order to do this, one needs the username and password. The username is easily obtainable after the contestant has gained access to the MySQL database, but the password hash must be cracked. The contestant must run the password hashes through a password cracking tool or an online rainbow table."

310_"The active_users.jsp page shows a list of all sessions active, including username, e-mail address, role, and last activity time. Session IDs are shown as well, but are censored for contestants to prevent cross-contestant hacking and cheating. One user, rscott, a financial manager, is hard-coded to always have an active session. By modifying their session cookie to the session ID listed for rscott, contestants can gain access to the financial manager's already logged-in account."

120_"The users table in the MySQL database stores the secret (mother's maiden name) in Base64 format. This is used to verify that the forgotten password restoration request is coming from the account owner. Because Base64 is just an encoding method and not encryption or hashing, any user with access to the MySQL database can decode the secrets easily and is able to reset the password and have the new one sent to the owner's e-mail. This alone will not allow access to the account since contestants do not have access to the account owners' e-mail inboxes."

400_"There is technically no vulnerability on the 400 page, but in order to successfully transfer funds, the manager account's password must be re-entered and thus known by the contestant. To gather this information, contestants must first gain access to the manager's account using Goal 310, change the e-mail address to their own, log out, and then use the forgot my password feature (Goal 120)."

201_"The 201 transaction comments are neither filtered nor encoded upon entering into the server or being displayed on the transaction page. This allows for an easy XSS or XSRF injection point."

200_"By modifying the id variable when attempting to edit a comment for a transaction, a user is able to post the comment for any transaction. Essentially, the id variable is not checked to verify that the user actually owns the transaction it is associated with."

103_"Upon failing to correctly log in on the login page, users are informed that their activity has been logged. This log is viewed by site admins at /secure/siteadmin/logviewer.jsp. The log entries for failed log-ins contain the username of the attempted log-in, and because these are neither filtered nor encoded upon entering into the server or being displayed on the log viewer page, this allows for an XSS or XSRF injection point."

113_"By instructing the FAQ page to include itself, an infinite loop occurs as the server tries to continuously nest pages. This causes a denial of service, and with multiple threads started on this process, the server will crash quickly."
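
An added example, not part of the original attachment or the application's own code: the single-pass filter described for the FAQ topic parameter beside a hardened lookup that rejects a missing topic (110), nested traversal sequences (111), query-string characters (112) and self-inclusion (113). The class name, method names, FAQ_ROOT path and sample inputs are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class TopicInclude {
    // Hypothetical content root; the write-up does not name the real directory.
    static final Path FAQ_ROOT = Paths.get("/srv/app/faq").normalize();
    // Topic names are plain identifiers: no dots, slashes or '?'.
    static final Pattern TOPIC = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // The filter as the write-up describes it: one pass, not recursive.
    // Removing the inner "../" can leave a new "../" behind.
    static String singlePassFilter(String topic) {
        return topic.replace("../", "");
    }

    // Hardened lookup: allowlist the name first, then confirm the resolved
    // path is still under FAQ_ROOT. Returns null when the topic is rejected,
    // so the caller can send a generic 404 instead of a stack trace.
    static Path resolveTopic(String topic) {
        if (topic == null || !TOPIC.matcher(topic).matches()) {
            return null;
        }
        Path candidate = FAQ_ROOT.resolve(topic + ".html").normalize();
        return candidate.startsWith(FAQ_ROOT) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed inputs, not taken from the original write-up.
        String[] samples = {
            "billing",                      // ordinary topic
            "....//....//WEB-INF/web.xml",  // nested traversal sequence
            "index.jsp?",                   // query-string / self-include attempt
            null                            // missing parameter
        };
        for (String s : samples) {
            String filtered = (s == null) ? null : singlePassFilter(s);
            System.out.printf("input=%s singlePass=%s hardened=%s%n",
                    s, filtered, resolveTopic(s));
        }
    }
}
```

Only the first sample resolves to a path under the hardened lookup; the single-pass filter turns the second sample back into a ../ sequence, which is the weakness Goal 111 describes.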