HW#5 --- last modified May 12 2021 02:36:34.

Solution set.

Due date: May 17

Files to be submitted:
  Hw5.zip

Purpose: Experiment with web security exploits and their mitigations. To gain experience with XML, AJAX, and server-side Javascript.

Related Course Outcomes:

The main course outcomes covered by this assignment are:

CLO2 -- Write schemas, DTDs, and style sheets for XML documents.

CLO3 -- Write server-side scripts that process HTML forms.

CLO4 -- Write client-side scripts that validate HTML forms.

CLO5 -- Develop and deploy web applications that involve components, web services, and databases.

Description: For this homework, you are going to code web apps that you will submit in your Hw5.zip in three separate folders: I-Know-U-PHP, I-Know-U-PHP-Vulnerable, and I-Know-U-Express. Below are the requirements on these apps:

  1. Before starting on these three apps, I first want you to make an XML DTD int_seq.dtd for a language used to store a sequence of integers. Store this file, together with an example XML file test.xml that validates according to this DTD, in a folder named XML of your Hw5.zip folder.
  2. The folder organization for the two PHP apps should follow that of Hw3 and Hw4. Your PHP projects should be written using namespaces. You only create variables, arrays, objects, define new classes, etc. in the namespace cool_name_for_your_group\hw4 and subnamespaces thereof.
  3. General instructions to the grader for how to test your code, and a list of team members, should be in a file README.txt in the top folder of your HW5.zip file.
  4. Each of these projects involves a MySQL database IKNOWU. This database should have at least two tables: a table TEST_URLS with a URL VARCHAR(1024) column and a table USER_INFO with two columns: NAME VARCHAR(32) and URL_PROFILE CHAR(100). The grader will create this database by going into the I-Know-U-PHP/src/executables folder and typing the line:
    php CreateDB.php path_to_file_containing_urls
    
    Here path_to_file_containing_urls is the name of some file containing a list of urls of fewer than 1024 characters, one per row, with a maximum of 100 rows. At a minimum, when run, both the tables mentioned above should be created and the urls from the grader's file should be inserted into the TEST_URLS table.
  5. The only difference between I-Know-U-PHP and I-Know-U-PHP-Vulnerable is that the former is not vulnerable to a SQL Injection attack and the latter should be. The latter project should have a file attack.txt in its top folder explaining to the grader which inputs the grader can give to show that your project is vulnerable to a SQL Injection attack.
  6. I-Know-U-PHP and I-Know-U-Express do the same thing, but I-Know-U-Express should be written in JavaScript using node.js and express.js rather than PHP. The grader will run this project by switching into the I-Know-U-Express folder from a terminal and typing the line:
    node index.js
    
    The grader will assume your app is running on port 8888 when testing it.
  7. When running any of the web apps, the landing page should have the title I-KNOW-U. The background color of the page should be white. The body of the page should also have an h1 heading with I-KNOW-U in it. Beneath this there should be a fake captcha followed by a form that allows a user to enter their name and submit it back to the server.
  8. Below this, there should be the following text in a paragraph tag: "You remind me of:" followed by the name of someone stored in the USER_INFO table.
  9. The fake captcha consists of an h2 heading which says: To prove you are not a robot click on the + signs below and then click the Done button. Below this you should have a sequence of div tags, each with one anchor link pointing to one of the urls from the TEST_URLS table. The link text for these links should be the symbol +. These anchor links should each have a class attribute fake-captcha. Anchor links of class fake-captcha should be styled to have color:white; visited links of this class should be styled to have color:blue.
  10. Each of the fake-captcha anchor links should have an onclick event attached to it. This should call a function which appends the row number in the TEST_URLS table of the url clicked, followed by a comma, to a string stored in a hidden form variable fake_captcha. The onclick event function should then set the display property of the clicked anchor link to none and return false to prevent the link from being followed. Clicking the Done button should make a POST request back to the server with the string in fake_captcha converted to an XML document. To be specific, this posted data should be sent as a form variable user_info whose value is an XML file in the format of the int_seq.dtd you created earlier. Additional POST variables should be sent to make this request follow the format of a REST query. After sending the request and setting up the onreadystatechange callback, the Done button should be styled to display:none.
  11. In response to this REST query, your server should send back a string containing the nearest user in the USER_INFO table to the sent sequence. Here nearest is the user that shares the most integers with the supplied vector, ties being broken however you like. If there are no users in USER_INFO, then null should be sent back. This value should then be used as the user name after "You remind me of:" in the paragraph tag above.
  12. Submitting the Name form should store the posted name, as well as the hidden variable containing the sequence of integers representing where the user has visited, in the USER_INFO table. A PRG (Post/Redirect/Get) pattern should be used so that after this page is submitted one returns to the landing page. This completes the description of Hw5.
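The difference between I-Know-U-PHP-Vulnerable and I-Know-U-PHP (item 5) comes down to how the name from the form reaches the query. The block below is an added example written in the JavaScript of the Express version, not code from the course or from any student project; the function names are mine, `db.query(sql, params)` is assumed to follow the mysql2 driver's convention, and `recordingDb` is a constructed stand-in that only records what each handler hands the driver.

```javascript
// Added example, not course or student code. The same USER_INFO lookup written
// the way I-Know-U-PHP-Vulnerable must not be written and the way the other
// two apps should be. db.query(sql, params) is assumed to follow the mysql2
// convention; in PHP the safe form is a PDO prepared statement with bound values.

// Vulnerable: the form value is spliced into the SQL text, so a quote in the
// input changes the structure of the statement the driver receives.
function lookupProfileVulnerable(db, name) {
  const sql = "SELECT URL_PROFILE FROM USER_INFO WHERE NAME = '" + name + "'";
  return db.query(sql, []);
}

// Mitigated: the SQL text is a constant and the value travels separately as a
// bound parameter, so the driver never parses it as SQL.
function lookupProfileSafe(db, name) {
  return db.query("SELECT URL_PROFILE FROM USER_INFO WHERE NAME = ?", [name]);
}

// Item 12's insert, done the safe way: both values are bound, including the
// sequence string that came from the hidden fake_captcha field.
function saveUserSafe(db, name, sequence) {
  return db.query("INSERT INTO USER_INFO (NAME, URL_PROFILE) VALUES (?, ?)", [name, sequence]);
}

// Constructed stand-in for a connection: it records what each handler hands to
// the driver, which is exactly what the comparison is about.
function recordingDb() {
  const calls = [];
  return {
    calls,
    query(sql, params) { calls.push({ sql, params }); return Promise.resolve([]); },
  };
}

// A name containing an apostrophe is enough to expose the difference: the
// concatenated statement is no longer the one the author wrote.
function demo(name = "O'Brien") {
  const vuln = recordingDb();
  const safe = recordingDb();
  lookupProfileVulnerable(vuln, name);
  lookupProfileSafe(safe, name);
  return { vulnerableSql: vuln.calls[0].sql, safeSql: safe.calls[0].sql, safeParams: safe.calls[0].params };
}
```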
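Items 1, 10 and 11 share one data format: the hidden fake_captcha string becomes an int_seq XML document on the client, and the server parses it back and picks the nearest USER_INFO row. The block below is an added example, not the course's or any student's code; it assumes the DTD given in INT_SEQ_DTD (one valid answer to item 1, not the only one) and that URL_PROFILE stores each user's sequence as the same comma-separated string the form submits.

```javascript
// Added example, not course code. One possible int_seq.dtd for item 1.
const INT_SEQ_DTD = "<!ELEMENT int_seq (int*)>\n<!ELEMENT int (#PCDATA)>";

// Client side (item 10): turn the hidden fake_captcha string, e.g. "4,1,4,7,",
// into an int_seq document. The trailing comma is dropped; anything that is not
// a non-negative integer is refused rather than serialised.
function toIntSeqXml(fakeCaptcha) {
  const parts = fakeCaptcha.split(",").filter((s) => s !== "");
  if (!parts.every((s) => /^\d+$/.test(s))) throw new Error("fake_captcha holds a non-integer");
  return '<?xml version="1.0"?>\n<!DOCTYPE int_seq SYSTEM "int_seq.dtd">\n' +
    "<int_seq>" + parts.map((s) => "<int>" + s + "</int>").join("") + "</int_seq>";
}

// Server side (item 11): user_info arrives from the client and is untrusted.
// Accept only the exact shape the DTD allows; anything else yields null so the
// request is rejected before any database work happens.
function parseIntSeq(xml) {
  const body = /<int_seq>([\s\S]*?)<\/int_seq>/.exec(xml);
  if (!body) return null;
  if (body[1].replace(/<int>\d+<\/int>/g, "").trim() !== "") return null;
  return Array.from(body[1].matchAll(/<int>(\d+)<\/int>/g), (m) => Number(m[1]));
}

// Assumed storage: URL_PROFILE keeps the comma-separated string the form posted.
function profileToSeq(profile) {
  return profile.split(",").filter((s) => s !== "").map(Number);
}

// "Nearest" as the spec defines it: the user sharing the most distinct integers
// with the posted sequence. Ties go to the earlier row; no rows gives null.
function nearestUser(seq, users) {
  const wanted = new Set(seq);
  let best = null, bestShared = -1;
  for (const u of users) {
    const shared = new Set(profileToSeq(u.URL_PROFILE).filter((n) => wanted.has(n))).size;
    if (shared > bestShared) { best = u.NAME; bestShared = shared; }
  }
  return best;
}

// Constructed USER_INFO rows for trying the pipeline end to end.
const USER_INFO = [
  { NAME: "alice", URL_PROFILE: "1,2,3," },
  { NAME: "bob", URL_PROFILE: "4,7,9,9," },
];
// Full round trip: 4,1,4,7 shares {1} with alice and {4,7} with bob.
function demo() {
  return nearestUser(parseIntSeq(toIntSeqXml("4,1,4,7,")), USER_INFO);
}
```

In the Express handler the same steps run as `parseIntSeq(req.body.user_info)` followed by `nearestUser` over the rows read from USER_INFO, and a null from the parser should end the request with a 400.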
Point Breakdown

(a)-(d) (1/2 pt each): 2 pts
(e)-(l) (1 pt each): 8 pts
Total: 10 pts