For Project 2, you will be analyzing a relatively simple application for vulnerabilities. Ziproxy is a web proxy that compresses web pages between client and proxy. You (and your team) are asked to perform vulnerability analysis on ziproxy-1.1.
The type of vulnerability analysis you perform is up to you - examples could include a red-team style penetration test, using automated code analysis tools, code verification, etc. The way you work as a team is also open - you may choose to work closely on a particular type of test, or to work independently on different tests, or even independently try the same type of testing. In any case, you will need to write a report discussing
For example, if you each independently perform penetration testing and all discover the same vulnerabilities, vs. each discovering different vulnerabilities, what does this say about your expectation that you've discovered all vulnerabilities? Alternatively, if you each perform a different type of analysis, why do you expect these to find different types of vulnerabilities?
Some example non-commercial code analysis tools (presumably freely available for use, although you might want to check) can be found in Wikipedia. CERIAS also has a collection of tools, some of which might be useful in analyzing a running system (although be careful in what you do, for example running scanners on public use systems is probably not a good idea.)
1. Deadline to turn in: December 9, 1:30pm: A report that describes the vulnerabilities you found, their locations in the code (such as code snippets), the process/tools/methods you used to determine them, and how you used them. The organization of the report may not follow a different order. Also mention who did what and what you accomplished as a team.
2. Presentations: 15 minutes per team. December 9, 1:30pm - 5pm.