CSC2330 Securing Networked Applications

Assignment 3: Problem-Solving 2
Before starting the assignments, please read the University policy on assignment and
submission requirements and student responsibilities.
The assignment should be compressed as a zip/rar file and submitted via Study Desk.
The assignment must be completed using Python 3, Linux shell scripting and HTML5 only,
and be runnable within the course virtual machines.
All the work on the assignment must be stored in a Git repository, set up in the UniSQ Gitea
server, for this assignment.
Follow the instructions in the UniSQ course on how to use UniSQ's student git server
(https://usqstudydesk.usq.edu.au/m2/course/view.php?id=21877).
Set the name of the repository to csc2330_2024_a3, and add James Northway and Ron Addie
to the repository as collaborators.

Introduction
The most essential functions of web applications are to authenticate users, and accept form
submissions. We must implement these simple functions with appropriate security
mechanisms. Web applications often involve multiple dependent services, or microservices,
that run in individual processes, and on different physical or virtual hosts. These services
communicate via HTTP and other protocols. Communication between these services must
remain private in most cases.
We will develop a web application by extending examples in the textbook, Foundations of
Python Network Programming, 3rd edition.
The application will involve a front-end server program for users to interact with directly, by
HTTPS, and a back-end program, which the front-end must communicate with to prepare a
response for the user.
This will be implemented according to the security policies and the requirements stated in
this document.

1 of 7
Assignment Tasks
Part 1, Application Development
You are to create a client-server application with the following components:
1 A user-facing front-end program using the Flask framework. This front-end program is to
be developed by modifying and extending The Improved Application, in Chapter 11 of
Foundations of Python Network Programming.
2 A back-end server program that provides services to the front-end application. This
program is to be developed by modifying and extending the server for A Simple Protocol,
in Chapter 7 of Foundations of Python Network Programming.
The user will ultimately be able to log in to the front-end application, and then request
aphorisms from The Zen of Python, which are provided by the back-end server.
Ensure that your programs provide the specified features, satisfy the specified security
policies, and meet other requirements as directed in this document.
Your application must be runnable on the Debian course virtual machines.
An integration testing python script is provided on Study Desk to act as a user client and
assist with testing your application.
Front-end application features
Modify and extend The Improved Application in Chapter 11 of Foundations of Python
Network Programming, to provide the following paths and functionality, while upholding the
declared security policies, and meeting the other requirements:
 /login (GET and POST (username, password) request methods)
◦ GET request: Shows login form: HTML Sample 1: for the /login page
◦ POST request: Processes the submitted login form
▪ If login is successful, responds with HTML Sample 3: for successful logins
▪ If not, shows the login form again
 /logout (GET request method)
◦ Destroys user session
▪ If logout is successful, responds with
HTML Sample 4: for successful logging out
 /restricted (GET and POST(csrf_token) request methods)
◦ GET request: Tests whether user is logged in, and:
▪ If yes, shows HTML Sample 2: for the /restricted page
▪ If no, responds with the HTTP status of 307 Temporary Redirect, and
redirected to the /login path, with a flash message.
◦ POST request: Tests whether user is logged in, and provided a valid CSRF token:
▪ If yes, retrieves an aphorism from the Zen of Python from the back-end
program, via the network interface, and responds with
HTML Sample 5: for delivery of aphorisms, with the aphorisms injected into
the page via a template.
▪ If no, responds with the HTTP status of 307 Temporary Redirect, and
redirected to the /login path, with a flash message.

2 of 7
Back-end application features
The back-end server program for A Simple Protocol, in Chapter 7 of Foundations of Python
Network Programming, should be modified to uphold the declared security policies. It does
not require any changes to the service it provides.
Security policies to be upheld by the application
1. All inputs from the user must be properly escaped before use by the application.
2. Cross-site POST requests by non-defective web browsers are not permitted.
3. Only users who are currently logged in may use the /restricted path to retrieve
aphorisms.
4. All authentication related and aphorism request events must be logged to a file.
5. Transport layer security must be utilized between the user client and front-end, and
between the front-end and back-end.
6. The back-end server must only communicate with TLS, and only accept valid
certificates signed with the authority certificate.
7. The front-end server must only make aphorism requests with TLS, and only accept
valid certificates signed with the authority certificate.
Use of the Git repository
Ensure that you perform regular commits, and push them, to a repository on the UniSQ Gitea
server, over the duration of your work.
Your Gitea repository should include all Python source code, and your answer to part 2.
Set the name of the repository to csc2330_2024_a3, and add James Northway and Ron
Addie to the repository as collaborators.
Other requirements for the application
Requirements for the Flask session cookie
The Flask session cookie must be:
 Set to be transferred over HTTPS only, with Secure
 Not be accessible to JavaScript, with HttpOnly
 Restricted to the same site, with SameSite set to Strict
If you disable these cookie features while developing and debugging your application, ensure
that you enable them again in your source code before submission.
Requirements for usernames and passwords
There must be two sets of credentials that can be used to access the application.
One must be your student ID as the username, with a lowercase letter (e.g., u1234567), and
csc2330a3 as the password.
The other must be your UniSQ student e-mail address as the username, and t12024 as the
password.
Requirements for random values
Secure random values for CSRF tokens and logged-in sessions must be produced by using
random.secrets and contain at least 16 bytes. For example: secrets.token_hex(16)
A new secure random secret key should be generated each time the frontend server is started,
with a length of 32 bytes.

3 of 7
Requirements for Transport Layer Security (TLS)
Four TLS certificates, with four keys, must be generated, used by your programs, and
included in your submission:
1. www.crt, the certificate for front-end application connections to the user client (for
HTTPS, a self-signed certificate)
2. ca.crt, as an authority certificate for signing the back-end connection certificates
3. frontend.crt, the certificate for the front-end in the front-end to back-end connection
(signed by the authority certificate)
4. backend.crt, the certificate for the back-end in the front-end to back-end connection
(signed by the authority certificate)

An authority certificate, named ca.crt, must be created to act as a certificate authority for the
connection between the front-end and back-end applications.
The front-end to back-end TLS must require validation of the certificates with the authority
certificate at each end.
Derive your solution from the example in Chapter 6, Listing 6-3 of Foundations of Python
Network Programming.
 The TLS implementation must use AES-256.
 RSA keys must be 2048 or 4096-bits
 For the purposes of this assignment, we need the run the two programs with these
certificates on various computers, so check_hostname should be set to false in the
SSL context. Note that checking hostnames in production environments is critically
important.
Close the sockets once a transaction to retrieve aphorisms is completed.
Requirements for logging
Logging should be performed with the Python logging module, with the basic configuration:
logging.basicConfig(format='%(asctime)s:%(levelname)s:%
(message)s', filename='csc2330a3app.log', encoding='utf-8',
level=logging.DEBUG)
A log level of INFO should be used for:
 Successful and unsuccessful log in attempts
 Log out events
 Aphorism request events
Meaningful messages should be included in the log entries. These messages should be
prefixed with SECURITY: and mention any IP address and username involved in the event,
the action that was taken, and whether it was successful or not.
For example, an acceptable message for an unsuccessful login attempt, for username
u1234567, from localhost, would be:
“SECURITY: Unsuccessful login attempt: IP=127.0.0.01, username=u1234567”
or
“SECURITY: IP 127.0.0.1 failed to log in with username u1234567”

4 of 7
HTML for pages
These samples may be adapted for templating in Flask.
HTML Sample 1: for the /login page (GET requests)
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Log in</title>
</head>
<body>
<h1>Log in</h1>
<form action="./login" method="post">
<p>
Username:
<input type="text" id="username" name="username"></p>
<p>
Password:
<input type="password" id="password" name="password">
<input type="hidden" id="csrf_token" name="csrf_token">
</p>
<p><button type="submit" id="loginbutton">Log in</button></p>
</form>
</body>
</html>
HTML Sample 2: for the /restricted page (GET requests)
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Restricted</title>
</head>
<body>
<h1>Log in</h1>
<form action="./restricted" method="post">
<p>
<input type="hidden" id="csrf_token" name="csrf_token">
<button type="submit" id="request">Request Aphorism</button>
</p>
</form>
</body>
</html>
HTML Sample 3: for successful logins
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Logged in</title>
</head>
<body>
<h1>Logged in</h1>
<p><a href="./restricted">Request aphorisms</a></p>
<p><a href="./logout">Log out</a></p>
</body>
</html>

5 of 7
HTML Sample 4: for successful logging out
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Logged out</title>
</head>
<body>
<h1>Logged out</h1>
<p><a href=”./login”>Log in again</a></p>
</body>
</html>
HTML Sample 5: for delivery of aphorisms
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Aphorisms from The Zen of Python</title>
</head>
<body>
<h1>Aphorisms from The Zen of Python</h1>
<!--
Wrap each aphorism in a <p>Paragraph element.</p>
-->
<p><a href="./restricted">Request more aphorisms</a></p>
</body>
</html>

Part 2, Essay Question

In your own words, describe any three of the following attack types, and explain how your
application is, or is not, resistant against them:
 Cross-site request forgery (CSRF)
 Cross-site scripting (XSS)
 Brute-force attacks
 Eavesdropping
 Domain or IP spoofing
 Man-in-the-middle attacks
A good answer to this question will be at least 200 words.

Submission Instructions
Upload a zip file to the submission form for this assignment, which includes:
 All Python source files, certificates and keys for
your front-end and back-end applications
 Your answer to Part 2, in docx or odt format
Ensure that you have committed and pushed your source code,
and Part 2 answer to the Gitea repository.
Ensure that your application will work correctly on the Debian 12 course VM,
if it is run after unzipping.

6 of 7
Marking Scheme

Part 1 – Application Development (35 marks)

The user can log in with the specified username and passwords only. 2
The users logged in status is correctly set, checked and stored. 2
The user can request aphorisms, the frontend then retrieves them from the
backend, and then delivers them to the user client per the requirements. 6
The user can only request aphorisms when logged in. 2
The user can log out, and their session is appropriately destroyed. 2
Inputs from the user are effectively escaped and sanitized. 2
The Flask session cookie is correctly configured per the requirements. 2
The Flask secret key is generated according to the requirements. 2
The CSRF token is generated by the required secure random method, has
appropriate length, and is stored and transferred appropriately. 1
The CSRF mitigations are correctly implemented at the /login path. 1
The CSRF mitigations are correctly implemented at the /restricted path. 1
Successful and unsuccessful log in events are recorded to the log file with
required information. 2
Successful and unsuccessful aphorism requests are recorded to the log file
with required information. 2
The back-end and front-end programs correctly validate each other’s
certificates, as signed by the ca certificate. 2
TLS is correctly implemented to encrypt traffic between
the front-end and user client, in accordance with the requirements. 1
TLS is correctly implemented to encrypt traffic between the
front-end and back-end, in accordance with the requirements. 1
The Git repository, on the UniSQ Gitea server, has been used, and includes
the required items. 1
Five commits have been made over the duration of the work. 1
10 or more commits have been made over the duration of the work. 1
Commits have meaningful comments applied. 1
Part 2 – Essay Question (5 marks)
Three attack types are accurately described 2
The effectiveness of the mitigations is explained for each 3
Total 40

7 of 7