HarleyCalvert_8736819_A3.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>COMP804: A3</title>
<script>
//Task 4: Javascript with button
// One helper does the work for all three buttons; cat(), dog() and frog()
// remain as the names the buttons' onclick attributes call.
const TASK4_ANIMALS = {
cat: { label: 'Cat', src: 'cat.png' },
dog: { label: 'Dog', src: 'dog.png' },
frog: { label: 'Frog', src: 'frog.png' },
};
function selectAnimal(key) {
const animal = TASK4_ANIMALS[key];
document.getElementById('task4_input').value = 'User clicks ' + animal.label;
// Highlight the clicked button and clear the border on the other two
for (const other of Object.keys(TASK4_ANIMALS)) {
document.getElementById('task4_' + other).style.border =
other === key ? "4px solid #001641" : "";
}
document.getElementById('task4_p').innerText = animal.label + ' is clicked';
// The markup is a fixed string built only from the table above, never from user input
document.getElementById('task4_div').innerHTML =
'<img src="' + animal.src + '" alt="' + key + '"><p>Image generated by Bing Copilot</p>';
}
function cat() { selectAnimal('cat'); }
function dog() { selectAnimal('dog'); }
function frog() { selectAnimal('frog'); }
</script>
<style>
* {
color: #001641;
font-family: arial, sans-serif;
}
#col1 {
width: 350px;
}
header div {
background: lightblue;
border: solid 2px #001641;
margin-bottom: 10px;
padding: 10px 25px;
}
table {
border: 2px solid #001641;
border-collapse: collapse;
width: 100%;
}
td {
border: 1px solid #f2f2f2;
text-align: left;
padding: 8px;
}
th {
background: #001641;
color: #fff;
text-align: left;
padding: 8px;
}
tr:nth-child(odd) {
background-color: #f2f2f2;
}
ul {
list-style-type: square;
}
</style>
</head>
<body>
<h1>Task 1: Use CSS to display information</h1>
<header>
<div>
<h1>8736819 Harley Calvert</h1>
<h2>COMP804: Web Security</h2>
<h3>Assignment 1, due at the end of Week 5</h3>
</div>
</header>
<h1>Task 2: Use CSS to style a table</h1>
<table>
<tr>
<th>Activity</th>
<th>Date</th>
</tr>
<tr>
<td>First day to enrol for re-enrolling (continuing students)</td>
<td>20 Nov 2023</td>
</tr>
<tr>
<td>First day to enrol for new students (commencing students)</td>
<td>04 Dec 2023</td>
</tr>
<tr>
<td>Orientation for new students (Sydney)</td>
<td>29 Jan 2024</td>
</tr>
<tr>
<td>Orientation for new students (Wollongong)</td>
<td>30 Jan 2024</td>
</tr>
<tr>
<td>Orientation for new students (Online)</td>
<td>31 Jan 2024</td>
</tr>
<tr>
<td>Lectures commence</td>
<td>05 Feb - 12 Apr 2024</td>
</tr>
<tr>
<td>Last day to enrol / add subjects yourself</td>
<td>16 Feb 2024</td>
</tr>
<tr>
<td>Last day to enrol / add subjects with Head of Students approval</td>
<td>23 Feb 2024</td>
</tr>
<tr>
<td>
<strong>CENSUS DATE</strong>
<ul>
<li>Fees due</li>
<li>Last day to withdraw from subject/s without paying for them</li>
<li>HECS / FEE HELP debt reporting date</li>
<li>Last day to change HECS / FEE HELP billing option</li>
</ul>
<a href="https://www.uow.edu.au/student/dates/#d.en.186577">Learn more about Census date &gt;</a>
</td>
<td>26 Feb 2024</td>
</tr>
<tr>
<td>Student Services and Amenities Fees due</td>
<td>27 Feb 2024</td>
</tr>
<tr>
<td>Last day to withdraw without academic penalty - subject deleted from record.<br>
Fail grade recorded if subject withdrawn after this date.</td>
<td>15 Mar 2024</td>
</tr>
<tr>
<td>Study recess (1 week)</td>
<td>15 Apr - 19 Apr 2024</td>
</tr>
<tr>
<td>Exams (1 week)</td>
<td>20 Apr - 26 Apr 2024</td>
</tr>
<tr>
<td>End of session break commences</td>
<td>27 Apr 2024</td>
</tr>
<tr>
<td>Release of results</td>
<td>08 May 2024</td>
</tr>
<tr>
<td>Supplementary and deferred exam period</td>
<td>14 May - 17 May 2024</td>
</tr>
</table>
<h1>Task 3: HTML & CSS</h1>
<table>
<thead>
<tr>
<th id="col1">Name</th>
<th>Web Attacks</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<strong>SQL Injection (SQLi)</strong>
<br><br>
<img src="sqli.png" alt="">
</td>
<td>
<p>SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.</p>
Source: <a href="https://portswigger.net/web-security/sql-injection">https://portswigger.net/web-security/sql-injection</a>
</td>
</tr>
<tr>
<td>
<strong>Cross-Site Scripting (XSS)</strong>
<br><br>
<img src="xss.png" alt="">
</td>
<td>
<p>Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.</p>
Source: <a href="https://portswigger.net/web-security/cross-site-scripting">https://portswigger.net/web-security/cross-site-scripting</a>
</td>
</tr>
<tr>
<td>
<strong>Cross-Site Request Forgery (CSRF)</strong>
<br><br>
<img src="csrf.png" alt="">
</td>
<td>
<p>Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.</p>
Source: <a href="https://owasp.org/www-community/attacks/csrf">https://owasp.org/www-community/attacks/csrf</a>
</td>
</tr>
<tr>
<td>
<strong>Distributed Denial of Service (DDoS)</strong>
<br><br>
<img src="ddos.png" alt="">
</td>
<td>
<p>A distributed denial-of-service (DDoS) attack occurs when multiple machines are operating together to attack one target. DDoS attackers often leverage the use of a botnet, a group of hijacked internet-connected devices, to carry out large scale attacks. Attackers take advantage of security vulnerabilities or device weaknesses to control numerous devices using command and control software. Once in control, an attacker can command their botnet to conduct DDoS on a target. In this case, the infected devices are also victims of the attack.</p>
Source: <a href="https://www.cisa.gov/news-events/news/understanding-denial-service-attacks">https://www.cisa.gov/news-events/news/understanding-denial-service-attacks</a>
</td>
</tr>
<tr>
<td>
<strong>Session Hijacking</strong>
<br><br>
<img src="sh.png" alt="">
</td>
<td>
<p>Session hijacking refers to the malicious act of taking control of a user’s web session. A session, in the context of web browsing, is a series of interactions between two communication endpoints, sharing a unique session token to ensure continuity and security.</p>
Source: <a href="https://www.imperva.com/learn/application-security/session-hijacking/">https://www.imperva.com/learn/application-security/session-hijacking/</a>
</td>
</tr>
<tr>
<td>
<strong>Clickjacking</strong>
<br><br>
<img src="cj.png" alt="">
</td>
<td>
<p>Clickjacking attacks trick web users into performing an action they did not intend, typically by rendering an invisible page element on top of the action the user thinks they are performing.</p>
Source: <a href="https://www.hacksplaining.com/prevention/click-jacking">https://www.hacksplaining.com/prevention/click-jacking</a>
</td>
</tr>
<tr>
<td>
<strong>Brute Force Attack</strong>
<br><br>
<img src="bfa.png" alt="">
</td>
<td>
<p>A brute force attack is a trial-and-error method used to decode sensitive data. The most common applications for brute force attacks are cracking passwords and cracking encryption keys. Other common targets for brute force attacks are API keys and SSH logins. Brute force password attacks are often carried out by scripts or bots that target a website's login page.</p>
Source: <a href="https://www.cloudflare.com/en-gb/learning/bots/brute-force-attack/">https://www.cloudflare.com/en-gb/learning/bots/brute-force-attack/</a>
</td>
</tr>
<tr>
<td>
<strong>Directory Traversal</strong>
<br><br>
<img src="dt.png" alt="">
</td>
<td>
<p>Directory traversal, also known as path traversal or directory climbing, is a vulnerability in a web application server caused by an HTTP exploit. The exploit allows an attacker to access restricted directories, execute commands, and view data outside of the web root folder where application content is stored. By manipulating input parameters or file paths, an attacker can navigate through the file system and gain unauthorized access to sensitive files or directories.</p>
Source: <a href="https://www.imperva.com/learn/application-security/directory-traversal/">https://www.imperva.com/learn/application-security/directory-traversal/</a>
</td>
</tr>
<tr>
<td>
<strong>XML External Entity (XXE) Injection</strong>
<br><br>
<img src="xxe.png" alt="">
</td>
<td>
<p>An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.</p>
Source: <a href="https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing">https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing</a>
</td>
</tr>
<tr>
<td>
<strong>Server-Side Request Forgery (SSRF)</strong>
<br><br>
<img src="ssrf.png" alt="">
</td>
<td>
<p>Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure.</p>
Source: <a href="https://portswigger.net/web-security/ssrf">https://portswigger.net/web-security/ssrf</a>
</td>
</tr>
</tbody>
<tfoot>
<tr>
<td><p><strong>Images: </strong>All images generated by Bing Copilot.</p></td>
<td></td>
</tr>
</tfoot>
</table>
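<p>Added example for the SQL Injection row, not part of this assignment or of the PortSwigger source it cites: the structural reason parameter binding stops SQLi. With binding, the SQL text the database parses is fixed and the user's input only ever travels as a value. No database driver is used; the bound statement is represented as a <code>{text, values}</code> object, which is the shape drivers such as node-postgres accept. The input <code>O'Brien</code> is a constructed, legitimate name.</p>

```javascript
// Added example (not the assignment's code). Node.js, no dependencies.

// Unsafe: the input is pasted into the SQL grammar, so any quote in it
// changes the structure of the statement the database will parse.
function buildLoginQueryUnsafe(username) {
  return "SELECT id FROM users WHERE username = '" + username + "'";
}

// Safe: the statement text is constant; the driver sends the value
// separately, so it can never change the query's structure.
function buildLoginQuerySafe(username) {
  return {
    text: 'SELECT id FROM users WHERE username = $1',
    values: [username],
  };
}

// Count single quotes in a query string. An odd count means the input
// broke out of the quoted literal (a syntax error at best).
function quoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

// A perfectly legitimate name (constructed sample) shows the problem
// without any attack payload: the literal is broken by the apostrophe.
const legitimateName = "O'Brien";

console.log(buildLoginQueryUnsafe(legitimateName)); // 3 quotes: broken literal
const bound = buildLoginQuerySafe(legitimateName);
console.log(bound.text, bound.values);              // text unchanged, value intact
```

<p>The check worth taking away: with binding, <code>text</code> is identical for every input, so there is nothing for an attacker to rewrite. A code review or a grep for SQL built with <code>+</code> or template literals finds the unsafe pattern directly.</p>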
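<p>Added example for the CSRF, Session Hijacking and Clickjacking rows, not part of this assignment or its sources: these three are mitigated in the same place, the server's response. A synchronizer token defeats CSRF because a forged cross-site request cannot know it; the session cookie attributes limit what a leaked session id is worth and stop the browser attaching it to cross-site requests; the <code>frame-ancestors</code> directive (with <code>X-Frame-Options</code> as the legacy fallback) stops the page being framed. The <code>Map</code> token store and the <code>__Host-session</code> cookie name are stand-ins chosen for this example.</p>

```javascript
// Added example (not the assignment's code). Node.js, no dependencies.
const crypto = require('node:crypto');

const sessionTokens = new Map(); // sessionId -> CSRF token (stand-in for a session store)

// Issue an unguessable per-session token; the form embeds it and the
// server expects it back on every state-changing request.
function issueCsrfToken(sessionId) {
  const token = crypto.randomBytes(32).toString('base64url');
  sessionTokens.set(sessionId, token);
  return token;
}

// Compare in constant time so a mismatch leaks nothing through timing.
function verifyCsrfToken(sessionId, presented) {
  const expected = sessionTokens.get(sessionId);
  if (!expected || typeof presented !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(presented);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Session cookie with the attributes that matter against hijacking:
// HttpOnly keeps it away from script, Secure keeps it off plaintext HTTP,
// SameSite=Lax stops it riding along on cross-site POSTs (a second CSRF
// barrier), and the __Host- prefix pins it to this host and Path=/.
function sessionCookie(sessionId) {
  return `__Host-session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Headers an authenticated page should send; frame-ancestors 'none'
// forbids framing, so an invisible overlay cannot be placed on top of it.
function securityHeaders(sessionId) {
  return {
    'Set-Cookie': sessionCookie(sessionId),
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Audit helper: report which protections a Set-Cookie line is missing.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((s) => s.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Usage: a weak cookie as it often appears in the wild, and the hardened one.
console.log(missingCookieFlags('session=abc123; Path=/')); // [ 'Secure', 'HttpOnly', 'SameSite' ]
console.log(missingCookieFlags(sessionCookie('abc123')));   // []
```

<p><code>missingCookieFlags</code> is the kind of check a pentester or a CI test runs against a real response; the cookie attributes reduce the impact of session hijacking but do not replace TLS everywhere and session rotation on login.</p>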
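<p>Added example for the Brute Force Attack row, not part of this assignment or the Cloudflare source: a per-account failed-login counter with a lockout window, the server-side check that makes a scripted guessing run against a login page expensive. The thresholds, the in-memory <code>Map</code> and the <code>checkPassword</code> callback are choices made for this example; the clock is injected so the lockout can be exercised without waiting.</p>

```javascript
// Added example (not the assignment's code). Node.js, no dependencies.

const WINDOW_MS = 15 * 60 * 1000; // count failures within a 15 minute window
const MAX_FAILURES = 5;            // lock the account after the 5th failure in a window

const failures = new Map(); // accountKey -> { count, firstFailureAt }

function isLocked(accountKey, now = Date.now()) {
  const entry = failures.get(accountKey);
  if (!entry) return false;
  if (now - entry.firstFailureAt >= WINDOW_MS) {
    failures.delete(accountKey); // window expired, start fresh
    return false;
  }
  return entry.count >= MAX_FAILURES;
}

function recordFailure(accountKey, now = Date.now()) {
  const entry = failures.get(accountKey);
  if (!entry || now - entry.firstFailureAt >= WINDOW_MS) {
    failures.set(accountKey, { count: 1, firstFailureAt: now });
  } else {
    entry.count += 1;
  }
}

function recordSuccess(accountKey) {
  failures.delete(accountKey);
}

// Wrap a password check with the counter. `checkPassword` is a hypothetical
// verifier supplied by the caller (a real one compares a bcrypt/argon2 hash).
// Returns 'locked', 'ok' or 'denied'; a locked account is refused before the
// password is even checked, so guessing during the window learns nothing.
function attemptLogin(accountKey, password, checkPassword, now = Date.now()) {
  if (isLocked(accountKey, now)) return 'locked';
  if (checkPassword(accountKey, password)) {
    recordSuccess(accountKey);
    return 'ok';
  }
  recordFailure(accountKey, now);
  return 'denied';
}

// Usage with a constructed verifier and a fixed clock.
const demoCheck = (user, pw) => user === 'alice' && pw === 'correct horse';
const t0 = 1700000000000;
for (let i = 0; i < MAX_FAILURES; i++) console.log(attemptLogin('alice', 'wrong', demoCheck, t0 + i * 1000)); // denied x5
console.log(attemptLogin('alice', 'correct horse', demoCheck, t0 + 6000));      // locked
console.log(attemptLogin('alice', 'correct horse', demoCheck, t0 + WINDOW_MS)); // ok
```

<p>Caveat a defender should weigh: a pure per-account lockout lets an attacker lock victims out on purpose, so production systems usually pair it with per-source throttling, a CAPTCHA step and alerting on the failure rate rather than a hard lock alone.</p>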
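<p>Added example for the Directory Traversal, XXE and SSRF rows, not part of this assignment or its sources: three input gates, one per attack class, each turning an untrusted locator into something the application is allowed to use or rejecting it. The web root, the allowed fetch hosts and the sample XML are hypothetical values constructed for this example.</p>

```javascript
// Added example (not the assignment's code). Node.js, no dependencies.
const path = require('node:path');
const posix = path.posix; // POSIX path rules regardless of host OS

// --- Directory traversal -------------------------------------------------
// Resolve the requested name inside the web root and refuse anything that
// resolves outside it. Checking the *resolved* path rather than the raw
// string handles "a/../.." and absolute inputs uniformly.
const WEB_ROOT = '/srv/app/public'; // hypothetical web root

function safePublicPath(requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const resolved = posix.resolve(WEB_ROOT, requested);
  if (resolved !== WEB_ROOT && !resolved.startsWith(WEB_ROOT + posix.sep)) {
    return null; // escaped the root
  }
  return resolved;
}

// --- XXE ------------------------------------------------------------------
// Entity definitions live in the DTD. An application that never needs a
// DOCTYPE can refuse any document carrying one before the parser sees it,
// which has the same effect as disabling DTD processing in the parser.
function hasDoctype(xmlText) {
  return /<!DOCTYPE/i.test(xmlText);
}

// --- SSRF -----------------------------------------------------------------
// The server fetches only from an explicit allowlist of hosts over https.
// Parsing with URL (not string matching) handles userinfo, ports and odd
// encodings; the allowlist is exact hostnames, so "api.example.com.evil"
// does not pass. Remaining gap: a listed hostname that resolves to an
// internal address (DNS rebinding) has to be caught at resolution time.
const ALLOWED_FETCH_HOSTS = new Set(['api.example.com', 'cdn.example.com']); // hypothetical

function safeFetchTarget(userUrl) {
  let u;
  try { u = new URL(userUrl); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;
  if (!ALLOWED_FETCH_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// Usage with constructed inputs.
console.log(safePublicPath('img/cat.png'));        // /srv/app/public/img/cat.png
console.log(safePublicPath('../../outside.txt'));  // null
console.log(hasDoctype('<?xml version="1.0"?><!DOCTYPE note SYSTEM "note.dtd"><note/>')); // true
console.log(safeFetchTarget('https://api.example.com/v1/items'));  // https://api.example.com/v1/items
console.log(safeFetchTarget('https://api.example.com.evil.test/')); // null
```

<p>Each gate returns <code>null</code> (or <code>true</code> for the DOCTYPE check) so the caller can log the rejected input; those rejections are a useful detection signal, since legitimate users rarely send <code>..</code> segments, DOCTYPEs or off-list hosts.</p>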
<h1>Task 4: Javascript with button</h1>
<button onClick="cat();" id="task4_cat">Cat</button>
<button onClick="dog();" id="task4_dog">Dog</button>
<button onClick="frog();" id="task4_frog">Frog</button>
<br><br>
<input type="text" id="task4_input">
<p id="task4_p"></p>
<div id="task4_div"></div>
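<p>Added example for the Cross-Site Scripting row, not part of this assignment or the PortSwigger source: HTML output encoding. The Task 4 script above assigns a constant string to <code>innerHTML</code>, which is safe because nothing in it comes from a user. As soon as any part of that markup is user-controlled (a caption, a name), it must be encoded for the HTML context it lands in, or written with <code>textContent</code> instead. The <code>renderCard</code> function and its caption input are hypothetical, chosen to mirror the Task 4 markup; the image names are kept to the same allowlist the page uses.</p>

```javascript
// Added example (not the assignment's code). Pure string functions, so it
// runs in Node.js as well as in a browser.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that carry meaning in HTML text and
// quoted-attribute contexts. Anything else is passed through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Image sources come from a fixed table, never from the input, because
// encoding alone does not make a URL attribute safe.
const KNOWN_IMAGES = { cat: 'cat.png', dog: 'dog.png', frog: 'frog.png' };

// Build the same kind of markup Task 4 injects, with the user-controlled
// caption encoded. In a browser the caption could instead be assigned to a
// <p> element's textContent, which needs no encoding at all.
function renderCard(animal, caption) {
  const src = KNOWN_IMAGES[animal];
  if (!src) throw new Error('unknown animal: ' + animal);
  return `<img src="${src}" alt="${escapeHtml(animal)}"><p>${escapeHtml(caption)}</p>`;
}

// Usage with a constructed caption that contains markup characters.
console.log(renderCard('cat', 'Image <generated> by Bing & "friends"'));
// <img src="cat.png" alt="cat"><p>Image &lt;generated&gt; by Bing &amp; &quot;friends&quot;</p>
```

<p>The encoded form renders the caption's angle brackets and quotes as literal text, so script the caption might carry never becomes part of the DOM; a review check for XSS is therefore "does every <code>innerHTML</code> write pass untrusted data only through an encoder like this, or through <code>textContent</code>?"</p>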
<h1>Task 5: Github repository</h1>
<a href="https://github.com/harleycalvert/comp804_A3">Harley's COMP804 GitHub Repository</a><br><br>
<a href="HarleyCalvert_8736819_A3.pdf">Harley's COMP804 GitHub Report</a>
</body>
</html>