Assignment title: Management


Problem Statement

You are required to perform the security exploits specified in this document using the WebGoat J2EE web application package as well as the BackTrack GNU/Linux distribution. You can download WebGoat and any appropriate tools from the SIT382 CloudDeakin course website to complete this assignment. The link to download BackTrack is http://www.backtrack-linux.org/downloads/. You may also use other non-commercial (free and open-source) tools (e.g. Wireshark) to help you complete this assignment. You are not to use any commercial security-related or hacking products for this assignment.

There are two parts to this assignment. Part A requires you to use more than one exploit to attack a web application and different techniques to defend against such attacks, while Part B tests your understanding of a particular exploit and how to counter it.

You are required to answer the questions by implementing the solutions. These implementations must be documented in detail. The document must give step-by-step details of what you did to solve each question, including any script code used to answer the requirements. You are also required to provide images (screen dumps) showing the key steps leading to your solution. These images can be taken using Print Screen or any other screen capture method, and they must be embedded in the document with appropriate labelling and descriptions. The document format is flexible, but it must be neatly organised. You should clearly indicate which part and question you are attempting to complete, and clearly indicate which stage each solution applies to. Omission of script code or images showing the key steps leading to the completion of the given tasks will result in a severe loss of marks.

Part A (50%)

Part A provides 50% of the assignment marks. This question is compulsory. You are required to complete the WebGoat Challenge question. The tasks to be completed are provided in WebGoat.

You need to click on the Challenge menu item and complete the THREE (3) stages in this challenge. This part of the assignment requires you to know different application penetration testing techniques to complete it successfully. It is highly recommended that you reinstall WebGoat before you begin the challenge. An important note to remember is that you are attacking the WebGoat web server from a client (web browser). This means that the attacker does not have any write access to the server, so you will not be able to modify the Java source files to complete the Challenge questions. Any modification of the WebGoat source code to complete the Challenge questions will result in a loss of marks.

In Part A, you are required to include the following:
• A description of the scenario in each stage, comparing it to real-world cases.
• A theoretical description of the possible attack methods. You may list the possible methods you could use to test the problem posed by the question in each stage.
• A brief explanation of the method used (a couple of paragraphs), followed by details of how you used that method to test the problem. What were the results of the methods you actually used to test the problem posed by the question in each stage? (Analyse both successful and unsuccessful methods.)
• Any script code and images (screen dumps) showing the successful completion of the tasks in this part of the assignment.

Part B (50%)

Part B provides 50% of the assignment marks. This question is compulsory. You need to select ONE (1) of the many tools available in BackTrack, including tools we have not covered but which you may find interesting. For example, we only cover a few tools in the SET framework, but you may experiment with those even further. There is a variety of support documents available online, and a detailed Wiki about BackTrack.

Once you have chosen a tool, you will provide a complete run-through of the activity: screenshots of how the attack was run, and also an evaluation of the data collected from the victim machine, such as the traffic data captured in Wireshark.

In Part B, you are required to include the following:
• A theoretical description of the attack. If, for example, you decide to run a spear phishing attack, you will need to provide around 300-500 words describing the attack in detail.
• A complete, beginning-to-end, tutorial-like presentation of the attack, without omitting any variables and including screenshots; this could read like a manual or a journal.
• An evaluation of the data collected from Wireshark, if any. In any given case you should be able to find some pattern, such as a redirection or uncommon data between clients in social network attacks, or the effect of a spoofing mechanism; describe in a fairly simple way what has happened.
• A short evaluation of and considerations about the attack. This can and should also include defence mechanisms that can be used to protect against such an attack. Please note that this should be done thoroughly: present various mechanisms and describe which you consider to be better and why. For example, for a DoS attack where the attacker has spoofed the IP address, there are a number of mechanisms to trace back the attacker, and you should include most of them.