Execution with Unnecessary Privileges Mitigation Java Project

Description

Graded Assignment: Homework X
University of Maryland Global Campus
SDEV 325 – Detecting Software Vulnerabilities

Executive Summary
[Introductory paragraph of the homework topic, for example "demonstrating insecure interaction between components", and the two unique vulnerabilities selected (to include the CWE/SANS Top 25 ID and name). Include a closing sentence on the success or failure of fixing your vulnerable example; if you failed to properly correct it, describe the mitigation needed for partial credit.]

Example 1 – [vulnerability id and name]

Overview
[A paragraph describing your example, what the application does, and what language the application is written in; you may include a screenshot of the application's startup screen.]

Analysis of the Vulnerability
[At least one paragraph describing the vulnerability in your example, to include code snippets of the vulnerable code and screenshots demonstrating the vulnerability in the application/program.]

Mitigation
[At least one paragraph describing the mitigation in your example, to include code snippets of the corrected code and screenshots demonstrating the application working correctly.]

Example 2 – [vulnerability id and name]

Overview
[A paragraph describing your example, what the application does, and what language the application is written in; you may include a screenshot of the application's startup screen.]

Analysis of the Vulnerability
[At least one paragraph describing the vulnerability in your example, to include code snippets of the vulnerable code and screenshots demonstrating the vulnerability in the application/program.]

Mitigation
[At least one paragraph describing the mitigation in your example, to include code snippets of the corrected code and screenshots demonstrating the application working correctly.]

References

Homework 4: Demonstrating Porous Defenses

Overview
In this homework you use AWS Cloud 9 to create two different unique demonstrations of Porous Defenses, such as Missing Encryption of Sensitive Data, Use of Hard-coded Credentials, Missing Authorization, Missing Authentication for Critical Function, Incorrect Permission Assignment for Critical Resource, Incorrect Authorization, Execution with Unnecessary Privileges, and Reliance on Untrusted Inputs in a Security Decision. You will provide unique code that contains the vulnerability and then provide an updated version of the code that fixes the vulnerability. You should also describe why the original code was vulnerable and discuss specific attack methods a user could try to exploit the vulnerability. Finally, discuss how the new code fixes the vulnerability.

Assignment Details
Be sure you have carefully read and understood the materials in weeks 5 and 6.

1. Select 2 CWE/SANS Top 25 vulnerabilities under the category of Porous Defenses from one of these specific issues:
   a. Missing Encryption of Sensitive Data
   b. Use of Hard-coded Credentials
   c. Missing Authorization
   d. Missing Authentication for Critical Function
   e. Incorrect Permission Assignment for Critical Resource
   f. Incorrect Authorization
   g. Execution with Unnecessary Privileges
   h. Reliance on Untrusted Inputs in a Security Decision
   Review and try the existing examples in the links in the classroom. Use AWS Cloud 9 to experiment. Work in multiple languages where possible.
2. Using AWS Cloud 9, create your own unique example for each of the 2 vulnerabilities in this category.
3. Your code examples do not need to be large or fully functional from an application standpoint. However, they need to include all of the code such that the vulnerability can be fully explained and corrected.
4. Use the information in the CWE/SANS Top 25 vulnerabilities to understand and experiment.
5. Be sure your documentation and descriptions are detailed and complete.
6. You may need to conduct additional research to better understand the vulnerability or the features associated with a specific language.
7. Document the vulnerabilities and describe specifically how the issues were corrected.

Note: You may need to conduct additional research to better understand the vulnerability or the features associated with a specific language.

Deliverables
Provide all of your source files for this assignment along with your well-organized documentation (Word or PDF file) supporting the files. Be sure to provide all documentation in one Word or PDF document. You can compress the source files and documentation into a zip file for easier upload.

Grading Rubric:

Attribute: Vulnerabilities (50 points)
  - Selects 2 CWE/SANS Top 25 vulnerabilities under the category of Porous Defenses. (10 points)
  - Creates a unique example for each of the 2 vulnerabilities in this category. (20 points)
  - Demonstrates, for each application, that it is vulnerable to an attack. (20 points)

Attribute: Mitigation (25 points)
  - Fixes the issues in each of the two examples you created. (25 points)

Attribute: Documentation and submissions (25 points)
  - Provides all source files (those with vulnerabilities, those fixed, and any supplemental files needed to run the application). (15 points)
  - Within a Word or PDF file, documents the vulnerabilities and describes specifically how the issues were corrected. (10 points)

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions.

Execution with Unnecessary Privileges Vulnerability

This can be described as a system's lack of separation of privilege. This type of coding error usually comes about when the developers are unaware that they have access to specific resources (Yu et al., 2011). In some cases, it is assumed that every account will have this particular level of privilege. The classic example is the user "root" having full access to everything on the server.

The following example code contains a vulnerability that could lead to execution with unnecessary privileges. The ID is usually 0 in the MySQL database.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

int main(void) {
    const char *user = "root";      /* the whole program is meant to run as root */
    uid_t uid = 0;                  /* uid 0 is the superuser on Unix-like systems */
    struct passwd *passwd = NULL;

#if !defined(__linux__)
    /* setlogin(2) exists on BSD and macOS but not on Linux */
    if (setlogin(user) != 0) { printf("Failed to set user!\n"); } else { printf("Succeeded!\n"); }
#endif
    if (setuid(uid) != 0) { printf("Failed to set uid!\n"); } else { printf("Succeeded!\n"); }

    passwd = getpwuid(uid);         /* look up root's password-database entry */
    if (!user || !passwd || !passwd->pw_dir) { printf("Failed to set user!\n"); } else { printf("Succeeded!\n"); }

    /* Vulnerable: a shell command is executed with root privileges even though
       writing a single file never required them (CWE-250). */
    system("echo 'I have full access!' > /file/path");
    return 0;
}

private static boolean ...
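The mitigation for this pattern, shown here as an added C example that is not the tutor's code above nor the truncated Java fix: do any genuinely privileged work first, then irrevocably drop to an unprivileged uid/gid (supplementary groups, then gid, then uid, in that order), verify that root cannot be regained, and only then do the ordinary work, without spawning a shell. The vulnerable form from the answer is kept beside it for comparison. The target account "nobody", the fallback uid/gid 65534, the temp-file path and all function names are assumptions made for this demo.

```c
/* Added example (not from the original answer): CWE-250 in a tiny C program.
 * The vulnerable path keeps root for everything and uses system(); the hardened
 * path drops to an unprivileged uid/gid first and writes the file directly.
 * Target user "nobody" and the temp-file path are assumptions for the demo. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern from the page (kept for comparison, never called here):
 * everything, including a shell command, runs with whatever privilege the
 * process started with, which is root when launched via sudo or a setuid bit. */
int vulnerable_write(const char *path) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo 'I have full access!' > %s", path);
    return system(cmd);   /* a shell, as root, with an unvalidated path */
}

/* Irrevocably drop to target uid/gid. Order matters: groups, then gid, then uid,
 * because once the uid is unprivileged the group calls would fail. Returns 0 on
 * success, -1 (with errno set) on failure. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* supplementary groups can only be cleared while still root */
        if (setgroups(0, NULL) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is permanent: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    return 0;
}

/* Hardened write: no shell, runs under the (now reduced) process identity. */
static int hardened_write(const char *path, const char *msg) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fputs(msg, f) == EOF || fputc('\n', f) == EOF) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Pick the least privilege we can reach: "nobody" (assumed to exist) when
 * started as root, otherwise the caller's own identity, which still exercises
 * the verification step. */
static void choose_unprivileged(uid_t *uid, gid_t *gid) {
    if (geteuid() != 0) { *uid = getuid(); *gid = getgid(); return; }
    struct passwd *pw = getpwnam("nobody");
    if (pw) { *uid = pw->pw_uid; *gid = pw->pw_gid; }
    else    { *uid = 65534;      *gid = 65534; }   /* conventional fallback */
}

/* End to end: drop privileges, then write a fresh temp file as the
 * unprivileged user. Returns 0 on success, -1 on any failure. */
int run_least_privilege_demo(void) {
    uid_t uid; gid_t gid;
    choose_unprivileged(&uid, &gid);
    if (drop_privileges(uid, gid) != 0) return -1;

    char path[] = "/tmp/cwe250_XXXXXX";        /* constructed demo path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int rc = hardened_write(path, "written without root");
    unlink(path);
    return rc;
}

int main(void) {
    if (run_least_privilege_demo() == 0) puts("least-privilege path OK");
    else perror("demo failed");
    return 0;
}
```

Run it once as an ordinary user and once under sudo: in both cases the file is created by an unprivileged identity, and the `setuid(0)` probe inside `drop_privileges` is what proves the drop cannot be undone. If the program had really needed root for one step (binding a port below 1024, say), that step would go before `drop_privileges`, and nothing after it should ever need `system()`.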

