Project 2: Vulnerability Analysis

For Project 2, you will be analyzing a relatively simple application for vulnerabilities. Ziproxy is a web proxy that compresses web pages between client and proxy. You (and your team) are asked to perform vulnerability analysis on ziproxy-1.1.

The type of vulnerability analysis you perform is up to you - examples could include a red-team style penetration test, using automated code analysis tools, code verification, etc. The way you work as a team is also open - you may choose to work closely on a particular type of test, or to work independently on different tests, or even indepdently try the same type of testing. In any case, you will need to write a report discussing

For example, if you each independently perform penetration testing and all discover the same vulnerabilities, vs. each discovering different vulnerabilities, what does this say about your expectation that you've discovered all vulnerabilities? Alternatively, if you each perform a different type of analysis, why do you expect these to find different types of vulnerabilities?

Some example non-commercial code analysis tools (presumably freely available for use, although you might want to check) can be found in Wikipedia. CERIAS also has a collection of tools, some of which might be useful in analyzing a running system (although be careful in what you do, for example running scanners on public use systems is probably not a good idea.)

What to turn in

1. Deadline to turn in: December 9: 1:30pm: A report that describes the vulnerabilities you found, locations of them in the code, such code snippets, the process/tools/methodsyou used to determine them and how you used them. The organization of the report may not follow a different order. Also mention, who did what and what did you accomplish as a team.
2. Presentations: 15 minutes each team. December 9: 1:30pm - 5pm.

Watch this space for details, but note that 10% of the total score will be based directly on your performance as a team: Do you show how your actions as a group have improved the assurance level of the vulnerability analysis? While this could be because you've done the same thing and carefully analyzed the differences in results, or done complementary things that provide good coverage of types of vulnerabilities, or that you've really done things that required multiple people to collaborate, the key is that you show that working together has enabled you to have better results than simply working independently.

This page last modified

Valid XHTML 1.1