CS 290w
Assignment 6
Web Security
Due November 22, 1999 by 11:59 p.m.
Must use the turnin program for the altered guestbook script, the accompanying html file,
the .htgroup, and .htaccess files.
Must email jvm@cs.purdue.edu the username, password, and URL to the security document,
described below.
Total Points: 100.
You will modify Assignment 5, the guestbook, for this assignment.
Please make a COPY of your Assignment 5 guestbook script, and modify the COPY for this assignment.
- (50 pts) First Part: Programming
- Use .htaccess, .htpasswd, and .htgroup to limit access at your Web site
ONLY to your security document, described below.
Limit access two ways: 1) only allow users accessing via the Purdue Domain 2) set password
protection so that only those who have a login and password will be able to view your
security document. One of the usernames must be "teacher". Set up any password for teacher (be nice:-).
Email to jvm, at the above email address and by the above due date, the username, password
of your choice, and FULL URL to the security document. MAKE
SURE to put "teacher" in the subject line of the email to jvm. AND *do not* email your TA this information. Failure to do this part correctly
lands a zero for password protection and a zero for the security document below.
- Modify your assignment 5 Perl script(s) to remove any HTML tags or Meta Characters
that a user may have entered in the fields of your Guestbook Form.
- (50 pts) Second Part: Answer the following questions on a .html page that gets posted
to your Web site. BEFORE answering the questions on the page, install the password protection to
foil the cheaters. If this page is not password protected, you will receive a zero. On your security
page, number each answer with the corresponding number before each question below.
- It is considered potentially bad for a user to enter meta characters into user input
forms. They might maliciously or unknowingly enter sequences of characters that could invoke shell
commands or system calls. 1) Define meta character 2) Explain how and why meta characters are used
in programming, and 3) Give an example of a potentially bad input sequence using meta characters.
(There are lots of examples you could give, but just give one.)
4) When you give your example, explain what harm your sequence could do. Be specific.
Lastly, what if you want to allow users to be able to enter meta characters in your form?
5) Under what circumstances would you want to do this, and 6) How can you allow a user to input
meta characters safely, without having to strip them out of the input?
- It is considered potentially bad for a user to enter HTML directives into user input
forms. 7) Why? What damage could result? What if you want to allow the user to enter
HTML directives? 8) What can you do to allow this to happen safely?
Although this is not an English class, I do expect your answers to the questions
to be free of spelling and grammatical errors. Grading will depend on the following: quality
and correctness of answers, grammar, spelling, and complete sentences.
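
The guestbook change asked for in the First Part, shown as an added example that is not part of the original assignment: Perl code that strips HTML tags and meta characters from form fields, next to the alternative of encoding them for display. The function names (strip_field, encode_html), the field names, the allowlist and the 200-character limit are assumptions, and the sample input is constructed.

```perl
#!/usr/bin/perl
# Added example: clean guestbook fields before they are stored or displayed.
use strict;
use warnings;

# Remove anything that looks like an HTML tag, then drop every character
# outside a small allowlist. Allowlisting is safer than listing "bad"
# characters, because nothing unexpected can slip through.
sub strip_field {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/<[^>]*>//g;                 # complete tags: <b>, </b>, <img ...>
    $value =~ s/<[^>]*$//;                  # unterminated tag at end of input
    $value =~ s/[^A-Za-z0-9 .,'!?\@_-]//g;  # allowlist; drops ; | ` $ & < > etc.
    $value =~ s/^\s+|\s+$//g;               # trim leading/trailing spaces
    return substr($value, 0, 200);          # bound the stored length
}

# Alternative to stripping: keep the text but encode the characters that
# are special in HTML, so the browser shows them instead of interpreting them.
sub encode_html {
    my ($value) = @_;
    $value = '' unless defined $value;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $value =~ s/([&<>"'])/$entity{$1}/g;
    return $value;
}

# Constructed sample input standing in for submitted form fields.
my %form = (
    name    => 'Pat <b>Smith</b>',
    email   => 'pat@example.edu; `date`',
    comment => 'Nice page! <img src="x.gif"> | 5 > 3 & 2 < 4',
);

for my $field (sort keys %form) {
    printf "%-8s stripped: %s\n", $field, strip_field($form{$field});
    printf "%-8s encoded : %s\n", $field, encode_html($form{$field});
}
```

Stripping is lossy: in the comment field the text after the last "<" is discarded as an unterminated tag, while the encoded form keeps every character the visitor typed.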